To use SSL, both the client (the IMS™ TM resource adapter) and the server (IMS Connect) must be configured for SSL handshake. At run time, when the Java™ client application executes an interaction with IMS, the interaction flows on a secure (SSL) connection between the SSL client, the IMS TM resource adapter, and the SSL server, IMS Connect.

To open an SSL connection between the client and the server, an SSL handshake process occurs. This SSL handshake, which is transparent to the Java client application, occurs as follows:
- The SSL client, the IMS TM resource adapter, initiates a connection by sending a client hello message. The server, IMS Connect, replies with a server hello message and its certificate that contains its public key.
- If this certificate is authenticated successfully by the server, a session key is established at both ends and a cipher specification is negotiated that determines the type of encryption to be used on the connection. The cipher can be STRONG, WEAK, or ENULL. The SSL handshake is then completed if the server does not require client authentication.
- If the server requires client authentication, the client authenticates the server's certificate by using the server's public key from its certificate. If this authentication is successful, a client certificate is sent from the client's keystore. If this certificate is authenticated successfully by the server, a session key is established at both ends, and a cipher specification is negotiated that determines the type of encryption to be used on the connection. The SSL handshake is then completed.
- The client and server are ready to send and receive encrypted data.
Important: When the client applications run in a managed environment, which is the preferred setup for SSL connections, the IMS TM resource adapter must use persistent socket connections to communicate with IMS Connect. In a non-managed environment, however, these persistent connections are disconnected by the application after each use rather than being made available for reuse by another application.
When the WebSphere® Application Server Connection Manager is used, connections can be serially reused by other client applications. The connection manager creates connections if necessary and provides them to the applications as needed. When an application is finished using a connection, the connection manager returns that connection to the free pool, making it available for reuse by any other application that requires that type of connection. However, client and server authentication occurs only once for each socket, during the handshake that takes place when that socket is first created and initialized as an SSL socket. When a socket is reused, the SSL client (the IMS TM resource adapter) and the server (IMS Connect) do not change. Consequently, it is not necessary to re-authenticate the client and the server (that is, to go through the handshake process again) when a socket is reused. The client ID that identifies a socket remains the same each time the socket is reused.
If the SSLEncryption value is set to ENULL, performance is better than with SSL connections that use STRONG or WEAK encryption. The size of the performance improvement depends on several factors, including whether hardware or software encryption is used. In general, hardware encryption is faster than software encryption.
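As an added example that is not part of this documentation, the following Java code configures the IMS TM resource adapter for a non-managed environment with STRONG encryption and refuses the ENULL setting unless it is explicitly allowed, because a null cipher completes the handshake but leaves the application data that follows unencrypted on the wire. The class name `IMSManagedConnectionFactory`, the property setter names, and the host, port, data store and keystore values are assumptions; check them against the resource adapter property documentation for your version.

```java
import javax.resource.ResourceException;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;
import com.ibm.ims.ico.IMSManagedConnectionFactory; // assumed class name

public class ImsSslClientConfig {

    // Cipher settings named in the documentation: STRONG, WEAK, ENULL.
    // ENULL authenticates the peers during the handshake but applies no
    // encryption afterwards, so it is rejected unless explicitly allowed
    // (for example, for an isolated throughput measurement).
    static String checkedEncryptionType(String requested, boolean allowNullCipher) {
        switch (requested) {
            case "STRONG":
                return requested;
            case "WEAK":
                return requested; // accepted for compatibility; prefer STRONG
            case "ENULL":
                if (allowNullCipher) return requested;
                throw new IllegalArgumentException("ENULL disables encryption; use STRONG");
            default:
                throw new IllegalArgumentException("Unknown SSLEncryption value: " + requested);
        }
    }

    // Builds a factory for a non-managed environment. Setter names are assumed;
    // host, port, data store and keystore values are placeholders.
    static IMSManagedConnectionFactory buildFactory(String encryptionType) {
        IMSManagedConnectionFactory mcf = new IMSManagedConnectionFactory();
        mcf.setHostName("imsconnect.example.internal");          // placeholder
        mcf.setPortNumber(9999);                                  // placeholder
        mcf.setDataStoreName("IMS1");                             // placeholder
        mcf.setSSLEncryptionType(checkedEncryptionType(encryptionType, false));
        mcf.setSSLKeyStoreName("/path/to/client.jks");            // client certificate, if IMS Connect requires it
        mcf.setSSLKeyStorePassword("changeit");                   // placeholder; read from a secret store in practice
        mcf.setSSLTrustStoreName("/path/to/truststore.jks");      // CA that signed the IMS Connect certificate
        mcf.setSSLTrustStorePassword("changeit");                 // placeholder
        return mcf;
    }

    public static void main(String[] args) throws ResourceException {
        IMSManagedConnectionFactory mcf = buildFactory("STRONG");
        // Non-managed: no connection manager, so the adapter owns the socket itself.
        ConnectionFactory cf = (ConnectionFactory) mcf.createConnectionFactory();
        Connection conn = cf.getConnection(); // SSL handshake runs when the socket is first created
        try {
            // ... run interactions with IMS over the secured connection ...
        } finally {
            conn.close(); // non-managed: the socket is disconnected, not returned to a pool
        }
    }
}
```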