Administer certificate authority clients using the wsadmin tool


Overview

Use this topic to modify CA client objects. The client object contains all of the configuration information necessary to connect to the third-party CA server.


View existing CA client objects and configuration data

Use the listCAClients and getCAClient commands to query the environment for the existing CA clients.

  1. Launch wsadmin using Jython.

  2. List all CA client objects in the configuration.

    Use the listCAClients command to list all certificate authority clients in the configuration. If we do not provide a value for the -scopeName parameter, then the command queries the cell if we use a dmgr profile or queries the node if we use an application server profile. Use the -all parameter to query the environment without using a specific scope...

    print AdminTask.listCAClients('-all true')

    The command returns an array of attribute lists, displaying one attribute list for each CA client, as the following example output displays:

    '[
       [backupCAs ]
       [managementScope (cells/myCell01|security.xml#ManagementScope_1) ]
       [scopeName (cell):myCell01]
       [name jenCAClient]
       [baseDn ]
       [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566881]
       [port 2950]
       [CACertificate ]
       [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient]
       [userId ]
       [_Websphere_Config_Data_Type CAClient]
       [retryCheck 0]
       [properties ]
       [frequencyCheck 0]
       [password ]
       [host ]
    ]'
    '[
       [backupCAs ]
       [managementScope (cells/myCell01|security.xml#ManagementScope_1) ]
       [scopeName (cell):myCell01]
       [name myCAClient]
       [baseDn ]
       [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882]
       [port 2951]
       [CACertificate ]
       [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient]
       [userId ]
       [_Websphere_Config_Data_Type CAClient]
       [retryCheck 0]
       [properties ]
       [frequencyCheck 0]
       [password ]
       [host ]
    ]'
    

  3. List the configuration attributes for a specific CA client.

    Use the getCAClient command to view the list of attributes for a specific CA client...

    print AdminTask.getCAClient('-caClientName myCAClient')

    The command returns an attribute list that contains the attribute and value pairs for the specific CA client...

    '[ 
       [backupCAs ] 
       [managementScope (cells/myCell01|security.xml#ManagementScope_1)] 
       [scopeName (cell):myCell01] 
       [name myCAClient] 
       [baseDn ] 
       [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] 
       [port 2951] 
       [CACertificate ] 
       [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] 
       [userId ] 
       [_Websphere_Config_Data_Type CAClient] 
       [retryCheck 0] 
       [properties ] 
       [frequencyCheck 0] 
       [password ] 
       [host ] 
    ]'
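The attribute lists above are easier to review once parsed. The following is an added example, not part of the original topic or of the product: a Python 3 script, run outside wsadmin on saved command output, that parses the bracketed format and flags CA clients with no host, an invalid port, or a pkiClientImplClass outside an allow-list. The sample text, the function names and the allow-list are assumptions made for illustration.

```python
# Added example: parse listCAClients/getCAClient style output and audit it.
DEFAULT_IMPL = "com.ibm.wsspi.ssl.WSPKIClient"  # class shown in the page's output

# Constructed sample modelled on the output format shown above.
SAMPLE = """
'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1) ]
   [scopeName (cell):myCell01] [name jenCAClient] [port 2950]
   [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [password ] [host ] ]'
'[ [scopeName (cell):myCell01] [name myCAClient] [port 2951]
   [pkiClientImplClass com.example.CustomPKIClient] [userId ] [password ]
   [host ca.example.test] ]'
"""

def parse_attribute_lists(text):
    """Return one dict per top-level [ ... ] group; each inner [key value] is an entry."""
    clients, depth, start, current = [], 0, None, None
    for i, ch in enumerate(text):
        if ch == "[":
            depth += 1
            if depth == 1:
                current = {}          # a new CA client begins
            elif depth == 2:
                start = i + 1         # start of "key value"
        elif ch == "]":
            if depth == 2:
                parts = text[start:i].split(None, 1)
                if parts:             # empty values such as "[host ]" become ""
                    current[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
            elif depth == 1:
                clients.append(current)
            depth = max(depth - 1, 0)
    return clients

def audit(clients, allowed_impl=(DEFAULT_IMPL,)):
    """Return (client name, finding) tuples for settings that need review."""
    findings = []
    for c in clients:
        name = c.get("name", "<unnamed>")
        if not c.get("host"):
            findings.append((name, "no host configured"))
        port = c.get("port", "")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append((name, "invalid port: %r" % port))
        if c.get("pkiClientImplClass") not in allowed_impl:
            findings.append((name, "unexpected pkiClientImplClass: %s"
                             % c.get("pkiClientImplClass")))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_attribute_lists(SAMPLE)):
        print("%s: %s" % (name, finding))
```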
    


Modify the existing CA client object configuration data

Use the modifyCAClient command to change one or more configuration attributes for a specific CA client.

  1. Launch wsadmin using Jython.

  2. Determine which configuration attributes to edit.

    The modifyCAClient command modifies all attributes specified with the command parameters. If we do not specify a parameter, then its corresponding attribute does not change. We can edit the following configuration data with the modifyCAClient command:


    Table 1. Command parameters

    | Parameter | Description | Data Type |
    |---|---|---|
    | -scopeName | Specify the management scope of the CA client. For a dmgr profile, the system uses the cell scope as the default. For an appserver profile, the system uses the node scope as the default. | String |
    | -pkiClientImplClass | Specify the class path that implements the WSPKIClient interface. The system uses this path to connect to the CA and to issue requests to the CA. | String |
    | -host | Specify the host name in the system where the CA resides. | String |
    | -port | Specify the port on the server where the CA listens. | String |
    | -userName | Specify the user name to use to authenticate to the CA. | String |
    | -password | Specify the password for the user name that authenticates to the CA. | String |
    | -frequencyCheck | Specify how often, in minutes, the system should check with the CA to determine if a certificate has been created. | String |
    | -retryCheck | Specify the number of times to check with the CA to determine if a certificate has been created. | String |
    | -customProperties | Specify a comma-separated list of attribute and value (attribute=value) custom property pairs to modify on the CA client object. We can create, modify, or remove properties. To remove a property, specify the attribute with no value (attribute=). | String |

  3. Modify specific configuration attributes for a CA client object. Use the following example command to modify the port number of the CA, the user name, and password attributes for the myCAClient CA client object:

    AdminTask.modifyCAClient('[-caClientName myCAClient -port 4060 -userName admin -password password4admin -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient]')

  4. Save the configuration changes...

    AdminConfig.save()
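The modifyCAClient option string is whitespace-delimited, so a value that contains whitespace, brackets or quotes would change how it is split. The following is an added example, not part of the original topic or of the product: Python 3 helpers that build the option string from the Table 1 parameters, reject such values, take the password from an environment variable instead of the script source, and mask it for logging. The helper names, the CA_CLIENT_PASSWORD variable and the numeric ranges are assumptions.

```python
# Added example: build and validate the modifyCAClient option string.
import os
import re

# Parameters listed in Table 1.
ALLOWED = {"scopeName", "pkiClientImplClass", "host", "port", "userName",
           "password", "frequencyCheck", "retryCheck", "customProperties"}
# Assumed ranges: (low, high); None means no upper bound.
NUMERIC = {"port": (1, 65535), "frequencyCheck": (0, None), "retryCheck": (0, None)}
# Conservative assumption: refuse any value that would need quoting.
UNSAFE = re.compile(r"[\s\[\]'\"]")

def build_modify_args(ca_client_name, changes):
    """Return '[-caClientName NAME -param value ...]' for AdminTask.modifyCAClient."""
    pairs = [("caClientName", ca_client_name)]
    for param in sorted(changes):
        if param not in ALLOWED:
            raise ValueError("not a modifyCAClient parameter: %s" % param)
        pairs.append((param, str(changes[param])))
    for param, value in pairs:
        if value == "" or UNSAFE.search(value):
            raise ValueError("unsafe or empty value for -%s" % param)
        if param in NUMERIC:
            low, high = NUMERIC[param]
            if (not value.isdigit() or int(value) < low
                    or (high is not None and int(value) > high)):
                raise ValueError("out-of-range value for -%s" % param)
    return "[" + " ".join("-%s %s" % pair for pair in pairs) + "]"

def redact(args):
    """Mask the -password value so the option string can be written to a log."""
    return re.sub(r"(-password )[^\s\]]+", r"\1********", args)

if __name__ == "__main__":
    # The password comes from the environment, not from the script source.
    args = build_modify_args("myCAClient", {
        "port": 4060,
        "userName": "admin",
        "password": os.environ["CA_CLIENT_PASSWORD"],
    })
    print(redact(args))
    # Inside wsadmin: AdminTask.modifyCAClient(args) followed by AdminConfig.save()
```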


Remove a CA client object from the configuration

Use the deleteCAClient command to delete a CA client object from the configuration. The command does not delete the CA client object if the CA client to delete is referenced by a certificate object.

  1. Launch wsadmin using Jython.

  2. Determine the CA client object to delete.

    Use the listCAClients command to list all certificate authority clients in the configuration. If we do not provide a value for the -scopeName parameter, then the command queries the cell if we use a deployment manager profile or queries the node if we use an appserver profile. Use the -all parameter to query the environment without using a specific scope...

    print AdminTask.listCAClients('-all true')

  3. Delete the CA client object of interest.

    Use the deleteCAClient command to delete the CA client object from the configuration. Use the -caClientName parameter to specify the CA client to delete. We can optionally specify the management scope of the CA client object with the -scopeName parameter.

    The following example command removes the myCAClient CA client object:

    AdminTask.deleteCAClient('[-caClientName myCAClient]')

    If we receive an error message, then verify that the CA client object of interest exists in the configuration and that it is not referenced by a certificate object in the security configuration.

  4. Save the configuration changes...

    AdminConfig.save()

 

Related tasks


Set certificate authority client objects using wsadmin
Create certificate authority (CA) personal certificates using wsadmin

 

Related

CAClientCommands
PersonalCertificateCommands