WAS v8.0 > Migration and coexistence > Distributed operating systems > Migrate administrative scripts


Update SSL configurations to v8.0 configuration definitions after migration


Overview

When migrating to v8.0, you can...

If you encounter errors with existing administration scripts for SSL configurations, use this task to manually convert the SSL configuration to the v8.0 format.

When migrating to v8.0, you can...

  1. Use WASPreUpgrade to save the configuration of the previously installed version into a migration-specific backup directory.

  2. When migration is complete, use WASPostUpgrade to retrieve the saved configuration

The -scriptCompatibility parameter for WASPostUpgrade specifies whether to maintain the v6.x configuration definitions, or to upgrade the format to v8.0 configuration definitions. If you used the default value, or...

...when migrating, you do not need to perform this task.

If scriptCompatibility is set to false during migration, administration scripts for SSL configurations may not not work correctly. If this is the case, use this task to convert 6.x SSL configuration definitions to v8.0. This process creates a new SSL configuration based on the existing configuration.

To modify the existing SSL configuration:

<repertoire xmi:id="SSLConfig_1"
            alias="Node02/DefaultSSLSettings">

    <setting xmi:id="SecureSocketLayer_1"
             keyFileName="$install_root/etc/MyServerKeyFile.jks"
             keyFilePassword="password"
             keyFileFormat="JKS"
             trustFileName="$install_root/etc/MyServerTrustFile.jks"
             trustFilePassword="password"
             trustFileFormat="JKS"
             clientAuthentication="false"
             securityLevel="HIGH"
             enableCryptoHardwareSupport="false">

        <cryptoHardware xmi:id="CryptoHardwareToken_1"
                        tokenType=""
                        libraryFile=""
                        password="{custom}"/>
 
        <properties xmi:id="Property_6"
                    name="com.ibm.ssl.protocol"
                    value="SSL"/>
 
        <properties xmi:id="Property_7"
                    name="com.ibm.ssl.contextProvider"
                    value="IBMJSSE2"/>

    </setting>

</repertoire>


Procedure

  1. Create a key store that references the key store attributes in the old configuration.

    1. In the existing configuration, find the keyFileName, keyFilePassword, and keyFileFormat attributes.

        keyFileName="${install_root}/etc/MyServerKeyFile.jks" keyFilePassword="password" keyFileFormat="JKS"

    2. Use the keyFileName, keyFilePassword, and keyFileFormat attributes to create a new KeyStore object. For this example, set the name as "DefaultSSLSettings_KeyStore".

      Deprecated feature: Using Jacl:

      $AdminTask createKeyStore
      {
          -keyStoreName DefaultSSLSettings_KeyStore
          -keyStoreLocation ${install_root}/etc/MyServerKeyFile.jks
          -keyStoreType JKS
          -keyStorePassword password
          -keyStorePasswordVerify password
      }
      
      depfeat

      The resulting configuration object in the security.xml file is:

      <keyStores xmi:id="KeyStore_1"
                   name="DefaultSSLSettings_KeyStore"
                   password="password"
                   provider="IBMJCE"
                   location="$install_root/etc/MyServerKeyFile.jks"
                   type="JKS" fileBased="true"
                   managementScope="ManagementScope_1"/>
      

      If you specify the cryptoHardware values in the configuration, create the KeyStore object using these values instead. Associate the -keyStoreLocation parameter with the libraryFile attribute, the -keyStoreType parameter with the tokenType attribute, and the -keyStorePassword parameter with the password attribute.

        <cryptoHardware xmi:id="CryptoHardwareToken_1"
                        tokenType=""
                        libraryFile=""
                        password=""/>
        

  2. Create a trust store that references the trust store attributes from the existing configuration.

    1. Find the trustFileName, trustFilePassword, and trustFileFormat attributes in the existing configuration.

        trustFileName="$install_root/etc/MyServerTrustFile.jks"
        trustFilePassword="password"
        trustFileFormat="JKS"

    2. Use the trustFileName, trustFilePassword, and trustFileFormat attributes to create a new KeyStore object. For this example, set the name as "DefaultSSLSettings_TrustStore".

      Deprecated feature: Using Jacl:

        $AdminTask createKeyStore
        {
            -keyStoreName DefaultSSLSettings_TrustStore
            -keyStoreLocation $install_root/etc/MyServerTrustFile.jks
            -keyStoreType JKS
        
            -keyStorePassword password
            -keyStorePasswordVerify password }
        

      The resulting configuration object in the security.xml file is:

        <keyStores xmi:id="KeyStore_2"
                      name="DefaultSSLSettings_TrustStore"
                      password="password"
                      provider="IBMJCE"
                      location="$install_root/etc/MyServerTrustFile.jks"
                      type="JKS" fileBased="true"
                      managementScope="ManagementScope_1"/>
        

  3. Create a new SSL configuration using the new key store and trust store. Include any other attributes from the existing configuration which are still valid.

    Use a new alias for your updated SSL configuration. We can not create an SSL configuration with the same name as your existing configuration.

    Deprecated feature: Using Jacl:

      $AdminTask createSSLConfig
      {
          -alias DefaultSSLSettings
          -trustStoreName DefaultSSLSettings_TrustStore
          -keyStoreName DefaultSSLSettings_KeyStore
          -keyManagerName IbmX509
          -trustManagerName IbmX509
          -clientAuthentication true
          -securityLevel HIGH
          -jsseProvider IBMJSSE2
          -sslProtocol SSL }
      


Results

The new SSL configuration is:

<repertoire xmi:id="SSLConfig_1"
            alias="DefaultSSLSettings"
            managementScope="ManagementScope_1">

   <setting xmi:id="SecureSocketLayer_1"
            clientAuthentication="true"
            securityLevel="HIGH"
            enabledCiphers=""
            jsseProvider="IBMJSSE2"
            sslProtocol="SSL"
            keyStore="KeyStore_1"
            trustStore="KeyStore_2"
            trustManager="TrustManager_1"
            keyManager="KeyManager_1"/>

</repertoire>

The default management scope is used if it is not specified. WASPostUpgrade command
Migrate administrative scripts
Migrate administrative scripts from a previously v5.1.x application server
Migrate administrative scripts from v6.x or 7.x to v8.0

+

Search Tips   |   Advanced Search