CAClientCommands


Use Jython to manage the certificate authority (CA) client configurations with wsadmin. Use the commands and parameters in the CAClientCommands group to create, modify, query, and remove connections to a third-party CA server.

Use the following commands to manage the CA client configurations:

 

createCAClient

The createCAClient command creates a new CA client object in the configuration. The appserver connects to a CA server through the WSPKIClient() implementation, which handles all connections and communications with the CA server.

Target object

None.

Required parameters

-caClientName

Specifies a name to uniquely identify the CA client object. (String, required)

-pkiClientImplClass

Class path that implements the WSPKIClient interface. The system uses this path to connect to the CA and to issue requests to the CA. (String, required)

Optional parameters

-scopeName

Management scope of the CA client. For a dmgr profile, the system uses the cell scope as the default value. For an application server profile, the system uses the node scope as the default value. (String, optional)

-host

Host name in the system where the CA resides. (String, optional)

-port

Port on the server where the CA listens. (String, optional)

-userName

User name to use to authenticate to the CA. (String, optional)

-password

Password for the user name that authenticates to the CA. (String, optional)

-frequencyCheck

How often, in minutes, the system communicates with the CA to determine if a certificate has been created. (String, optional)

-retryCheck

Number of times to communicate with the CA to determine if a certificate has been created. (String, optional)

-customProperties

comma-separated list of attribute and value custom property pairs to add to the CA client object, using the following format: attribute=value,attribute=value. (String, optional)

Return value

The command returns the object name of the CA client that the system creates.

Batch mode example usage

Interactive mode example usage

 

modifyCAClient

The modifyCAClient command modifies the existing CA client object configuration data. We can modify one or multiple configuration attributes for a specific CA client.

Target object

None.

Required parameters

-caClientName

Name of the CA client of interest. (String, required)

Optional parameters

-scopeName

Management scope of the CA client. For a dmgr profile, the system uses the cell scope as the default. For an application server profile, the system uses the node scope as the default. (String, optional)

-pkiClientImplClass

Class path that implements the WSPKIClient interface. The system uses this path to connect to the CA and to issue requests to the CA. (String, optional)

-host

Host name in the system where the CA resides. (String, optional)

-port

Port on the server where the CA listens. (String, optional)

-userName

User name to use to authenticate to the CA. (String, optional)

-password

Password for the user name that authenticates to the CA. (String, optional)

-frequencyCheck

How often, in minutes, the system should check with the CA to determine if a certificate has been created. (String, optional)

-retryCheck

Number of times to check with the CA to determine if a certificate has been created. (String, optional)

-customProperties

comma separated list of attribute and value (attribute=value) custom property pairs to modify on the CA Client object. We can create, modify, or remove properties. To remove a property specify the attribute and value as attribute=. (String, optional)

Return value

Batch mode example usage

Interactive mode example usage

 

getCAClient

The getCAClient command displays a list of attributes for a specific CA client.

Target object

None.

Required parameters

-caClientName

Specifies the CA client name of interest. (String, required)

Optional parameters

-scopeName

Management scope of CA client of interest. (String, optional)

Return value The command returns an attribute list that contains the attribute and value pairs for the specific CA client, as the following example displays:

'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementSc ope_1)] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphe re_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [por t 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [u serId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [fre
quencyCheck 0] [password ] [host ] ]'

Batch mode example usage

Interactive mode example usage

 

deleteCAClient

The deleteCAClient command removes the CA client object of interest from the configuration. Use the -caClientName parameter to specify the CA client to delete. We can optionally specify the management scope of the CA client object with the scopeName parameter.

Target object

None.

Required parameters

-caClientName

Name of the CA client of interest. (String, required)

Optional parameters

-scopeName

Management scope of the CA client of interest. (String, optional)

Return value

The command does not return output if the system successfully removes the CA client of interest. If we receive an error message, verify that the CA client object of interest exists in the configuration and that it is not referenced by a certificate object in the security configuration.

Batch mode example usage

Interactive mode example usage

 

listCAClients

The listCAClients command lists all CA clients in the configuration or within a specific scope. If we do not provide a value for the -scopeName parameter, the command queries the cell if we use a dmgr profile or queries the node if we use an appserver profile. Use the -all parameter to query the environment without using a specific scope.

Target object

None.

Optional parameters

-scopeName

Management scope to search for CA clients. (String, optional)

-all

Specifies whether the system queries for CA clients without a specific scope. (Boolean, optional)

Return value The command returns an array of attribute lists, displaying one attribute list for each CA client, as the following example output displays:

'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)
] [scopeName (cell):myCell01] [name jenCAClient] [baseDn ] [_Websphere_Config_Da ta_Id cells/myCell01|security.xml#CAClient_1181834566881] [port 2950] [CACertifi cate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Webspher e_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [pa ssword ] [host ] ]'
'[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)
] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Dat a_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertific ate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere
_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [pas sword ] [host ] ]'

Batch mode example usage

Interactive mode example usage





 

Related tasks


Administer certificate authority clients using wsadmin
Set certificate authority client objects using wsadmin
Set a certificate authority certificate as the default certificate using wsadmin