Network Deployment (Distributed operating systems), v8.0 > Scripting the application serving environment (wsadmin) > Scripting for security > Configure security with scripting > Secure communications using wsadmin


Configure certificate authority client objects using the wsadmin tool

Use this topic to create a certificate authority (CA) client object. The client object contains all of the configuration information necessary to connect to your third-party CA server. A CA client must exist in the configuration before you can issue a request to the CA to create personal certificates with the requestCACertificate command.

A CA client object contains the information that the system uses to connect to a certificate authority. The connection itself is made by an implementation of the com.ibm.wsspi.ssl.WSPKIClient interface: implement that interface to connect to your certificate authority and supply the fully qualified name of the implementing class with the -pkiClientImplClass parameter when you create the CA client object.

If a CA client does not exist in the configuration, use the steps in this topic to create a new CA client.


Procedure

  1. Launch wsadmin.sh using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
  2. Determine if a CA client exists in the configuration.

    Use the following listCAClients command to list all certificate authority clients in the configuration:

    print AdminTask.listCAClients()
    

  3. If no CA clients exist, then create a new CA client.

    Use the createCAClient command to create a new CA client object. The application server connects to the CA server through the WSPKIClient implementation, which handles all connections and communications with the CA server.

    Required parameter. We must specify the following configuration information for a new CA client object:

    Parameter Description Data Type
    -caClientName Specify a name that uniquely identifies the CA client object. String

    Additional parameters. We can specify additional configuration information using the following parameters:

    Parameter Description Data Type
    -scopeName Specify the management scope of the CA client. For a dmgr profile, the system uses the cell scope as the default value. For an application server profile, the system uses the node scope as the default value. String
    -pkiClientImplClass Specify the fully qualified name of the class that implements the WSPKIClient interface. The system loads this class to connect to the CA and to issue requests to it. The default value is com.ibm.wsspi.ssl.WSPKIClient. String
    -host Specify the host name of the system where the CA resides. String
    -port Specify the port on which the CA listens. String
    -userName Specify the user name to use to authenticate to the CA. String
    -password Specify the password for the user name that authenticates to the CA. String
    -frequencyCheck Specify how often, in minutes, the system checks with the CA to determine whether a certificate has been created. String
    -retryCheck Specify the number of times to check with the CA to determine whether a certificate has been created. String
    -customProperties Specify a comma-separated list of attribute=value custom property pairs to add to the CA client object. String

    Use the following example command to create a new CA client object:

    AdminTask.createCAClient('[-caClientName clientObj01 -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient -host machine011 -port 9022 -userName admin -password pw4admin]')
    
    The command returns the configuration object name of the CA client that was created. The -userName and -password values appear in clear text in any script file or shell history that contains this command, so do not embed real CA credentials in scripts that are shared or committed to source control.

  4. Save the configuration changes.

    Save the configuration changes:

    AdminConfig.save()
    


What to do next

If the CA client object was successfully created, then you can configure the application server to use a personal certificate created by an external CA.
Set a certificate authority certificate as the default certificate using wsadmin
Start the wsadmin scripting client using wsadmin.sh


Related


PersonalCertificateCommands command group
CAClientCommands command group
