Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure communications > Secure communications using SSL


Dynamic configuration updates in SSL

During the SSL runtime, dynamic configuration updates affect both inbound and outbound SSL endpoints. For inbound SSL endpoints, only the changes that are implemented by the SSL channel take effect dynamically. For outbound SSL endpoints, all new outbound connections inherit the new configuration changes.

In this release, dynamic update functionality provides you with greater flexibility and efficiency. We can change SSL configurations without restarting WAS for the changes to take effect.

To make dynamic changes, in the admin console click Security > SSL certificates and key management, then select the Dynamically update the runtime when SSL configuration changes occur check box. We must save changes and then synchronize the security.xml file with remote systems. A remote system must be able to confirm that dynamicallyUpdateSSLConfig=true is in the security.xml file.

The SSL runtime reloads the modified SSL configuration and creates a new SSLEngine for the modified connections that are associated with inbound endpoints. New outbound connections use the new configuration while existing connections continue to use the old SSLEngine object and are not affected.

Tip: Make dynamic changes to the SSL configuration during off-peak hours. Synchronization delays can negatively affect connections when you update SSL configurations during peak hours.

We can turn on and off the dynamicallyUpdateSSLConfig attribute in the security.xml file to ensure successful updates by doing the following actions:

  1. Set dynamicallyUpdateSSLConfig=On.
  2. Save the updated configuration.
  3. Synchronize the security.xml file with remote systems.
  4. Set the dynamicallyUpdateSSLConfig attribute to Off.

We must verify that all of the nodes receive the changes before turning off the dynamicallyUpdateSSLConfig attribute. Test the changes in a test environment before updating the production environment.
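The verification step above (confirm that every node's copy of security.xml carries dynamicallyUpdateSSLConfig="true" before the attribute is turned back off) can be scripted. The following is an added example, not IBM code and not part of the WAS product: it parses the root Security element of each node's security.xml copy and reports the nodes whose setting differs from the deployment manager's. The security.xml fragments are constructed and reduced to the one attribute of interest; the schema namespace is assumed to be the one WebSphere uses for security.xmi. How you collect the files from each node (file copy, a wsadmin script, or a similar tool) is outside this example.

```python
"""Check that dynamicallyUpdateSSLConfig has propagated to every node.

Added example (not IBM code): parses the root <security:Security> element of
each node's security.xml copy and compares its dynamicallyUpdateSSLConfig
attribute with the deployment manager's copy.
"""
import xml.etree.ElementTree as ET

# Assumed namespace of the security.xmi schema in WebSphere security.xml files.
SECURITY_NS = "http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"


def dynamic_ssl_update_enabled(security_xml: str) -> bool:
    """True only if the root Security element has dynamicallyUpdateSSLConfig="true".

    A missing attribute is treated as disabled: that is the safe reading when
    deciding whether a node will pick up SSL changes without a restart.
    """
    root = ET.fromstring(security_xml)
    expected_tag = "{%s}Security" % SECURITY_NS
    if root.tag != expected_tag:
        raise ValueError("not a security.xml document: root is %s" % root.tag)
    value = root.get("dynamicallyUpdateSSLConfig", "false")
    return value.strip().lower() == "true"


def unsynchronized_nodes(dmgr_xml: str, node_xml_by_name: dict) -> list:
    """Names of nodes whose setting differs from the deployment manager's.

    Run this after synchronizing security.xml with the remote systems and
    before turning the attribute back off: an empty list means every node
    agrees with the dmgr.
    """
    want = dynamic_ssl_update_enabled(dmgr_xml)
    return sorted(name for name, xml in node_xml_by_name.items()
                  if dynamic_ssl_update_enabled(xml) != want)


def _security_xml(attr_value):
    # Constructed minimal security.xml; a real file carries many more
    # attributes and child elements.
    attr = "" if attr_value is None else ' dynamicallyUpdateSSLConfig="%s"' % attr_value
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<security:Security xmi:version="2.0" '
            'xmlns:xmi="http://www.omg.org/XMI" '
            'xmlns:security="%s" enabled="true"%s/>' % (SECURITY_NS, attr))


# Constructed sample: the dmgr copy and three node copies of security.xml.
DMGR_XML = _security_xml("true")
NODE_XML = {
    "node01": _security_xml("true"),   # synchronized
    "node02": _security_xml("false"),  # stale copy, sync not yet applied
    "node03": _security_xml(None),     # attribute absent, treated as disabled
}

if __name__ == "__main__":
    stale = unsynchronized_nodes(DMGR_XML, NODE_XML)
    print("dmgr dynamic updates enabled:", dynamic_ssl_update_enabled(DMGR_XML))
    print("nodes not yet synchronized:", ", ".join(stale) if stale else "none")
```

With the constructed sample, node02 and node03 are reported as not synchronized; only when the list is empty is it safe to set the attribute back to Off, since a node that never received the setting would keep using its old SSL configuration until restarted.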

Tip: Some SSL changes, especially administrative SSL changes, can cause server outages if you fail to test them first. When a change prevents trust between two endpoints, the endpoints cannot communicate with each other. Additionally, if administrative SSL connection updates cause system outages, you might need to disable the nodes after you make corrective changes using the dmgr. From the command line, you can manually synchronize the server to retrieve the new SSL changes, then restart the nodes.