Network Deployment (Distributed operating systems), v8.0 > Scripting the application serving environment (wsadmin) > Scripting for security > Configure security with scripting > Secure communications using wsadmin


Set a certificate authority certificate as the default certificate using wsadmin

Use this topic to make a request to an external certificate authority (CA) to create a personal certificate. After the CA returns the certificate and the certificate is saved in the keystore, then you can use it as the server default personal certificate.

Configure a CA client object in the environment. The client object contains all of the configuration information necessary to connect to your third-party CA server.

After profile creation, the system is assigned a default chained personal certificate. Use the following steps to modify the application server to use a default personal certificate created by an external CA.


Procedure

  1. Launch wsadmin.sh using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.

  2. Verify that a certificate authority client exists in your configuration. Use the listCAClients command to query your environment for all existing certificate authority clients and configuration attributes, or the getCAClient command to return the configuration attributes for a specific certificate authority client. If the listCAClients or getCAClient commands do not return any attributes, then create a certificate authority client object before you can complete the remaining steps.

    • List all certificate authority client objects in the configuration.

      Use the listCAClients command to list all certificate authority clients in the configuration. If you do not provide a value for the -scopeName parameter, then the command queries the cell if you use a dmgr profile or queries the node if you use an application server profile. Use the -all parameter to query the environment without using a specific scope:

      print AdminTask.listCAClients('-all true')
      

      The command returns an array of attribute lists, displaying one attribute list for each CA client, as the following example output displays:

      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)
      ] [scopeName (cell):myCell01] [name jenCAClient] [baseDn ] [_Websphere_Config_Da
      ta_Id cells/myCell01|security.xml#CAClient_1181834566881] [port 2950] [CACertifi
      cate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Webspher
      e_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [pa
      ssword ] [host ] ]'
      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)
      ] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Dat
      a_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertific
      ate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere
      _Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [pas
      sword ] [host ] ]'
      
    • List the configuration attributes for a specific certificate authority client.

      Use the getCAClient command to view the list of attributes for a specific certificate authority client, as the following example demonstrates:

      print AdminTask.getCAClient('-caClientName myCAClient')
      

      The command returns an attribute list that contains the attribute and value pairs for the specific certificate authority client, as the following example demonstrates:

      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementSc
      ope_1)] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphe
      re_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [por
      t 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [u
      serId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [fre
      quencyCheck 0] [password ] [host ] ]'
      

    Optional. If a certificate authority client does not exist in the environment, then configure a CA client object.

  3. Optional: View the current default personal certificate.

    Use the following listPersonalCertificates command to display the current default personal certificate to replace:

    AdminTask.listPersonalCertificates('[-keyStoreName CellDefaultKeyStore -keyStoreScope (cell):myCell01]')
    
  4. Request a certificate from a certificate authority.

    Before the current default personal certificate can be replaced, request a certificate from a certificate authority. We can create a new certificate request or use the createCertificateRequest command to use a predefined certificate request. The system uses the certificate request and the certificate authority configuration information from the CA client object to request the certificate from the certificate authority. If the certificate authority returns a certificate, then the requestCAcertificate command stores the certificate in the specified key store and returns a message of COMPLETE.


    Required parameters. Use the requestCACertificate command and the following required parameters to request a certificate from a certificate authority:

    Parameter Description Data Type
    -certificateAlias Alias of the certificate. You can specify a predefined certificate request. String
    -keyStoreName Name of the keystore object that stores the CA certificate. Use the listKeyStores command to display a list of available keystores. String
    -caClientName Name of the CA client that was used to create the CA certificate. String
    -revocationPassword Password to use to revoke the certificate at a later date. String


    Optional parameters. We can also use the following parameters to specify additional certificate request options. If you do not specify an optional parameter, then the command uses the default value.

    Parameter Description Data Type
    -keyStoreScope Management scope of the keystore. For a dmgr profile, the default value is the cell scope. For an application server profile, the default value is the node scope. String
    -caClientScope Management scope of the CA client. For a dmgr profile, the default value is the cell scope. For an application server profile, the default value is the node scope. String
    -certificateCommonName Common name (CN) part of the full distinguished name (DN) of the certificate. This common name can represent a person, company, or machine. For websites, the common name is frequently the DNS host name where the server resides. String
    -certificateSize Size of the certificate key. The valid values are 512, 1024, 2048, 4096 and 8192. The default value is 2048. String
    -certificateOrganization Organization portion of the distinguished name. String
    -certificateOrganizationalUnit Organizational unit portion of the distinguished name. String
    -certificateLocality Locality portion of the distinguished name. String
    -certificateState State portion of the distinguished name. String
    -certificateZip Zip code portion of the distinguished name. String
    -certificateCountry Country portion of the distinguished name. String

    Use the following example command syntax to request a certificate from a certificate authority:

    AdminTask.requestCACertificate('-certificateAlias newCertificate -keyStoreName
    CellDefaultKeyStore -caClientName myCAClient -revocationPassword revokeCApw
    -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')
    

    The command returns one of two values: Certificate COMPLETE or certificate PENDING. If the command returns the Certificate COMPLETE message, the certificate authority returned the requested certificate and the default personal certificate is replaced. If the command returns the certificate PENDING message, the certificate authority did not yet return a certificate. Use the queryCACertificate command to view the current status of the certificate request:

    AdminTask.queryCACertificate('-certificateAlias newCertificate -keyStoreName
    CellDefaultKeyStore -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')
    
  5. Replace the server default personal certificate.

    Use the following replaceCertificate command example to replace the existing default personal certificate with the newly created CA personal certificate:

    AdminTask.replaceCertificate('-keyStoreName CellDefaultKeyStore -certificateAlias
    defaultPersonalCertificate -replacementCertificateAlias newCertificate')
    

  6. Save the configuration changes.

    Save the configuration changes:

    AdminConfig.save()
    


Results

The default personal certificate for the server is a certificate that is created by an external CA.


What to do next

If the CA client object was successfully created, then you can configure the application server to use a personal certificate created by an external CA.
Configure certificate authority client objects using wsadmin
Create certificate authority (CA) personal certificates using wsadmin
Start the wsadmin scripting client using wsadmin.sh


Related


CAClientCommands command group
PersonalCertificateCommands command group

+

Search Tips   |   Advanced Search