KeyStoreCommands (AdminTask)
A keystore is created by the application server during install and can contain cryptographic keys or certificates. KeyStoreCommands commands can be used to create, delete, and manage keystores.
changeKeyStorePassword
Modify the password of a keystore. The command automatically saves the new password to the configuration.
Required parameters
- -keyStoreName
- Name of the keystore whose password is to change. (String, required)
- -keyStorePassword
- Current password of the keystore. (String, required)
- -newKeyStorePassword
- New password to use to access the keystore. (String, required)
- -newKeyStorePasswordVerify
- New password to confirm the new keystore password. (String, required)
Optional parameters
- -scopeName
- Management scope of the keystore. (String, optional)
Examples
Batch mode example:
Jacl:
$AdminTask changeKeyStorePassword {-keyStoreName myKeystore -keyStorePassword WebAS -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd}
Jython string:
AdminTask.changeKeyStorePassword('[-keyStoreName myKeystore -keyStorePassword WebAS -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd]')
Jython list:
AdminTask.changeKeyStorePassword(['-keyStoreName', 'myKeystore', '-keyStorePassword', 'WebAS', '-newKeyStorePassword', 'newpwd', '-newKeyStorePasswordVerify', 'newpwd'])
Interactive mode:
Jacl:
$AdminTask changeKeyStorePassword {-interactive}
Jython:
AdminTask.changeKeyStorePassword('-interactive')
changeMultipleKeyStorePasswords
Update the password of every keystore in the configuration that has a specific password. This is useful because keystore files created on the system have WebAS as their password by default.
Required parameters
- -keyStorePassword
- The password currently set on the keystores to change. (String, required)
- -newKeyStorePassword
- New password that you will use to access the keystore. (String, required)
- -newKeyStorePasswordVerify
- Confirms the new keystore password. (String, required)
Optional parameters None.
Examples
Batch mode example:
Jacl:
$AdminTask changeMultipleKeyStorePasswords {-keyStorePassword WebAS -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd}
Jython string:
AdminTask.changeMultipleKeyStorePasswords('[-keyStorePassword WebAS -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd]')
Jython list:
AdminTask.changeMultipleKeyStorePasswords(['-keyStorePassword', 'WebAS', '-newKeyStorePassword', 'newpwd', '-newKeyStorePasswordVerify', 'newpwd'])
Interactive mode:
Jacl:
$AdminTask changeMultipleKeyStorePasswords {-interactive}
Jython:
AdminTask.changeMultipleKeyStorePasswords('-interactive')
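The Jython list form used above passes names and values as alternating items, so a misspelled name, a swapped pair, or a new password that is still the default is easy to miss in review. As an added example (not IBM's code), this pre-flight check in plain Python validates an argument list before a script is handed to wsadmin; `SPEC` covers four of the commands on this page, and exact, case-sensitive matching of parameter names by AdminTask is an assumption.

```python
# Added example, not IBM's code. Parameter names are copied from this page;
# exact-match (case-sensitive) handling by AdminTask is an assumption.
SPEC = {  # command: (required, optional)
    'changeKeyStorePassword': (
        ['keyStoreName', 'keyStorePassword', 'newKeyStorePassword',
         'newKeyStorePasswordVerify'], ['scopeName']),
    'changeMultipleKeyStorePasswords': (
        ['keyStorePassword', 'newKeyStorePassword',
         'newKeyStorePasswordVerify'], []),
    'getKeyStoreInfo': (['keyStoreName'], ['scopeName']),
    'listKeyFileAliases': (
        ['keyFilePath', 'keyFilePassword', 'keyFileType'], []),
}
DEFAULT_PASSWORD = 'WebAS'  # default keystore password named on this page

def check_args(command, args):
    """Return a list of problems in a Jython list-form argument list."""
    required, optional = SPEC[command]
    known = required + optional
    problems, given = [], {}
    if len(args) % 2:
        problems.append('odd number of items: a name or value is missing')
    for i in range(0, len(args) - 1, 2):
        name, value = args[i], args[i + 1]
        bare = name[1:]
        if not name.startswith('-') or bare not in known:
            hint = [k for k in known if k.lower() == name.lstrip('-').lower()]
            problems.append('unknown parameter %r%s' % (
                name, hint and ' (did you mean -%s?)' % hint[0] or ''))
            continue
        if value.startswith('-') and value[1:] in known:
            problems.append('%s is followed by a name, not a value' % name)
        given[bare] = value
    for name in required:
        if name not in given:
            problems.append('missing required parameter -%s' % name)
    new = given.get('newKeyStorePassword')
    if new is not None:
        if new != given.get('newKeyStorePasswordVerify'):
            problems.append('new password and verification differ')
        if new == DEFAULT_PASSWORD:
            problems.append('new password is still the default')
    return problems

if __name__ == '__main__':
    # Constructed input: a misspelled name in an otherwise valid call.
    for p in check_args('getKeyStoreInfo', ['-keystoreName', 'testKS']):
        print(p)
```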
createKeyStore
Create the keystore settings in the configuration and the keystore database.
Required parameters
- -keyStoreName
- The name that uniquely identifies the keystore configuration object. (String, required)
- -keyStoreType
- The implementation of the keystore management. (String, required)
- -keyStoreLocation
- The location of the keystore. For a file-based keystore, the location is the file system path to the keystore database. For a hardware keystore, the location is the path to the token library. (String, required)
(iseries) If you create the IBMi5OSKeyStore keystore, the keystore location must include the .kdb file extension.
- -keyStorePassword
- The password that protects the keystore. (String, required)
- -keyStorePasswordVerify
- Confirms the password that protects the keystore. (String, required)
Optional parameters
- -keyStoreProvider
- The provider used to implement the keystore. (String, optional)
- -keyStoreIsFileBased
- Set to true if the keystore is file based. Set false for hardware crypto keystores. (Boolean, optional)
- -keyStoreHostList
- A list of host names that indicate from where the keystore is remotely managed, separated by commas. (String, optional)
- -keyStoreInitAtStartup
- Set to true if the keystore is initialized at startup. Otherwise, set the value of this parameter to false. (Boolean, optional)
- -keyStoreReadOnly
- Set to true if the keystore cannot be written to. Otherwise, set the value of this parameter to false. (Boolean, optional)
- -keyStoreStashFile
- Set to true to create stash files for CMS type keystore. Otherwise, set the value of this parameter to false. (Boolean, optional)
- -enableCryptoOperations
- Specifies if the keystore object will be used for hardware cryptographic operations or not. The default value is false. (Boolean, optional)
- -keyStoreDescription
- Specifies user defined text to describe the keystore of interest. (String, optional)
- -keyStoreUsage
- Keystore usage of interest. Specify SSLKeys, KeySetKeys, RootKeys, DeletedKeys, DefaultSigners, or RSATokenKeys. (String, optional)
- -scopeName
- The name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)
- -controlRegionUser
- Control region user to create a writable keystore object for the control regions key ring. Specify this option for SAF key rings when SAF writable key rings is enabled. (String, optional)
- -servantRegionUser
- Servant region user to create a writable keystore object for the servant regions key ring. Specify this option for SAF key rings when SAF writable key rings is enabled. (String, optional)
Examples
Batch mode example:
Jacl:
$AdminTask createKeyStore {-keyStoreName testKS -keyStoreType JCEKS -keyStoreLocation c:/temp/testKeyFile.p12 -keyStorePassword testpwd -keyStorePasswordVerify testpwd -keyStoreIsFileBased true -keyStoreInitAtStartup true -keyStoreReadOnly false}
Jython string:
AdminTask.createKeyStore('[-keyStoreName testKS -keyStoreType JCEKS -keyStoreLocation c:/temp/testKeyFile.p12 -keyStorePassword testpwd -keyStorePasswordVerify testpwd -keyStoreIsFileBased true -keyStoreInitAtStartup true -keyStoreReadOnly false]')
Jython list:
AdminTask.createKeyStore(['-keyStoreName', 'testKS', '-keyStoreType', 'JCEKS', '-keyStoreLocation', 'c:/temp/testKeyFile.p12', '-keyStorePassword', 'testpwd', '-keyStorePasswordVerify', 'testpwd', '-keyStoreIsFileBased', 'true', '-keyStoreInitAtStartup', 'true', '-keyStoreReadOnly', 'false'])
Interactive mode:
Jacl:
$AdminTask createKeyStore {-interactive}
Jython:
AdminTask.createKeyStore('-interactive')
createCMSKeyStore
Create a CMS keystore database and the keystore settings in the configuration.
Required parameters
- -cmsKeyStoreURI
- The URI of the CMS keystore. (String, required)
- -pluginHostName
- The host name of the plug-in. (String, required)
Optional parameters None.
Examples
Batch mode example:
Jacl:
$AdminTask createCMSKeyStore {-cmsKeyStoreURI CMSKeystoreURI -pluginHostName myHostName}
Jython string:
AdminTask.createCMSKeyStore('-cmsKeyStoreURI CMSKeystoreURI -pluginHostName myHostName')
Jython list:
AdminTask.createCMSKeyStore(['-cmsKeyStoreURI', 'CMSKeystoreURI', '-pluginHostName', 'myHostName'])
Interactive mode:
Jacl:
$AdminTask createCMSKeyStore {-interactive}
Jython:
AdminTask.createCMSKeyStore('-interactive')
deleteKeyStore
Delete the settings of a keystore from the configuration and the keystore file.
Required parameters
- -keyStoreName
- The name that uniquely identifies the keystore to delete. (String, required)
Optional parameters
- -scopeName
- The name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)
- -removeKeyStoreFile
- Whether to remove the keystore file. Specify true to remove the keystore file or false to keep the keystore file in the configuration. (Boolean, optional)
Examples
Batch mode example:
Jacl:
$AdminTask deleteKeyStore {-keyStoreName testKS}
Jython string:
AdminTask.deleteKeyStore('[-keyStoreName testKS]')
Jython list:
AdminTask.deleteKeyStore(['-keyStoreName', 'testKS'])
Interactive mode:
Jacl:
$AdminTask deleteKeyStore {-interactive}
Jython:
AdminTask.deleteKeyStore('-interactive')
exchangeSigners
Exchange signer certificate between keystores.
Required parameters
- -keyStoreName1
- The name that uniquely identifies a keystore. Specify a second keystore name using the keyStoreName2 parameter. (String, required)
- -keyStoreName2
- The name that uniquely identifies a keystore. Specify a second keystore name using the keyStoreName1 parameter. (String, required)
Optional parameters
- -keyStoreScope1
- The scope name of the keystore that is specified with the keyStoreName1 parameter. (String, optional)
- -keyStoreScope2
- The scope name of the keystore that is specified with the keyStoreName2 parameter. (String, optional)
- -certificateAliasList1
- A list of aliases separated by a comma. (String, optional)
- -certificateAliasList2
- A list of aliases separated by a comma. (String, optional)
Examples
Batch mode example:
Jacl:
$AdminTask exchangeSigners {-keyStoreName1 testKS -certificateAliasList1 testCert1 -keyStoreName2 secondKS -certificateAliasList2 certAlis}
Jython string:
AdminTask.exchangeSigners('[-keyStoreName1 testKS -certificateAliasList1 testCert1 -keyStoreName2 secondKS -certificateAliasList2 certAlis]')
Jython list:
AdminTask.exchangeSigners(['-keyStoreName1', 'testKS', '-certificateAliasList1', 'testCert1', '-keyStoreName2', 'secondKS', '-certificateAliasList2', 'certAlis'])
Interactive mode:
Jacl:
$AdminTask exchangeSigners {-interactive}
Jython:
AdminTask.exchangeSigners('-interactive')
getKeyStoreInfo
Display the settings of a particular keystore.
Required parameters
- -keyStoreName
- The name that uniquely identifies the keystore. (String, required)
Optional parameters
- -scopeName
- The name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)
Examples
Batch mode example:
Jacl:
$AdminTask getKeyStoreInfo {-keyStoreName testKS}
Jython string:
AdminTask.getKeyStoreInfo('[-keyStoreName testKS]')
Jython list:
AdminTask.getKeyStoreInfo(['-keyStoreName', 'testKS'])
Interactive mode:
Jacl:
$AdminTask getKeyStoreInfo {-interactive}
Jython:
AdminTask.getKeyStoreInfo('-interactive')
listKeyFileAliases
List the certificates in a keystore file.
Required parameters
- -keyFilePath
- The path of the key file. (String, required)
- -keyFilePassword
- The password for the key file. (String, required)
- -keyFileType
- The key file type. (String, required)
Optional parameters None.
Examples
Batch mode example:
Jacl:
$AdminTask listKeyFileAliases {-keyFilePath c:/temp/testKeyFile.p12 -keyFilePassword testPwd -keyFileType PKCS12}
$AdminTask listKeyFileAliases {-keyFilePath /temp/testKeyFile.p12 -keyFilePassword testPwd -keyFileType PKCS12}
Jython string:
AdminTask.listKeyFileAliases('[-keyFilePath c:/temp/testKeyFile.p12 -keyFilePassword testPwd -keyFileType PKCS12]')
AdminTask.listKeyFileAliases('[-keyFilePath /temp/testKeyFile.p12 -keyFilePassword testPwd -keyFileType PKCS12]')
Jython list:
AdminTask.listKeyFileAliases(['-keyFilePath', 'c:/temp/testKeyFile.p12', '-keyFilePassword', 'testPwd', '-keyFileType', 'PKCS12'])
AdminTask.listKeyFileAliases(['-keyFilePath', '/temp/testKeyFile.p12', '-keyFilePassword', 'testPwd', '-keyFileType', 'PKCS12'])
Interactive mode:
Jacl:
$AdminTask listKeyFileAliases {-interactive}
Jython:
AdminTask.listKeyFileAliases('-interactive')
listKeyStores
List the keystores for a particular scope.
Required parameters None.
Optional parameters
- -scopeName
- Name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)
- -all
- Specify the value of this parameter as true to list all keystores. This parameter overrides the scopeName parameter. The default value is false. (Boolean, optional)
- -keyStoreUsage
- Keystore usage of interest. Specify SSLKeys, KeySetKeys, RootKeys, DeletedKeys, DefaultSigners, or RSATokenKeys. (String, optional)
Examples
Batch mode example:
Jacl:
$AdminTask listKeyStores
Jython:
AdminTask.listKeyStores()
Interactive mode:
Jacl:
$AdminTask listKeyStores {-interactive}
Jython:
AdminTask.listKeyStores('-interactive')
listKeyStoreTypes
List all valid keystore types.
Required parameters None.
Optional parameters None.
Examples
Batch mode example:
Jacl:
$AdminTask listKeyStoreTypes
Jython:
AdminTask.listKeyStoreTypes()
Interactive mode:
Jacl:
$AdminTask listKeyStoreTypes {-interactive}
Jython:
AdminTask.listKeyStoreTypes('-interactive')
listSignatureAlgorithms
List the signature algorithms that are valid for the currently configured security level. If a security standard is not enabled, all signature algorithms are returned; otherwise, the valid signature algorithms for the configured security level are returned.
Required parameters None.
Optional parameters None.
Security mode and available signature algorithms:
- FIPS not enabled
- SHA1withRSA, SHA1withDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA. Note: SHA512withECDSA requires Java unrestricted policy installed.
- FIPS140-2
- SHA1withRSA, SHA1withDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA
- SP800-131 - Transition
- SHA1withRSA, SHA1withDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA. Note: SHA512withECDSA requires Java unrestricted policy installed.
- SP800-131 - Strict
- SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA. Note: SHA512withECDSA requires Java unrestricted policy installed.
- Suite B 128
- SHA256withECDSA
- Suite B 192
- SHA256withECDSA, SHA384withECDSA
modifyKeyStore
Modify attributes for an existing keystore. Only some keystore attributes are modifiable, depending on what you are modifying. Use the following guidelines to use the command:
- To use this command to change the keystore file that the keystore object references, specify the keyStoreName, keyStoreLocation, keyStoreType, and keyStorePassword parameters.
Required parameters
- -keyStoreName
- Unique name identifying keystore. (String, required)
Optional parameters
- -scopeName
- Management scope of the keystore. (String, optional)
- -keyStoreProvider
- Provider for the keystore. (String, optional)
- -keyStoreType
- Specifies one of the predefined keystore types. Valid values are JCEKS, CMSKS, PKCS12, PKCS11, and JKS. (String, optional)
- -keyStoreLocation
- Fully qualified location of the keystore file. To modify the location of the keystore file, specify the keyStoreLocation, keyStoreType, keyStorePassword, and keyStoreName parameters. (String, optional)
- -keyStorePassword
- Password to open the keystore. Use the changeKeyStorePassword command to change the password of the keystore. (String, optional)
- -keyStoreIsFileBased
- Whether the keystore is file based. To modify whether the keystore is file-based, specify the keyStoreIsFileBased and keyStoreName parameters. (Boolean, optional)
- -keyStoreInitAtStartup
- Whether the keystore initiates at server startup. To modify whether the keystore initiates at server startup, specify the keyStoreInitAtStartup and keyStoreName parameters. (Boolean, optional)
- -keyStoreReadOnly
- Whether the keystore is writable. To modify whether the keystore is read-only, specify the keyStoreReadOnly and keyStoreName parameters. (Boolean, optional)
- -keyStoreDescription
- Specifies a statement that describes the keystore. To modify the keystore description, specify the keyStoreDescription and keyStoreName parameters. (String, optional)
- -keyStoreUsage
- Keystore usage of interest. Specify SSLKeys, KeySetKeys, RootKeys, DeletedKeys, DefaultSigners, or RSATokenKeys. (String, optional)
Examples
Batch mode example:
Jacl:
(dist)(iseries)
$AdminTask modifyKeyStore {-keyStoreName CellDefaultKeyStore -keyStoreLocation c:/temp/testKeyFile.p12 -keyStoreType JCEKS -keyStorePassword my1password}
(zos)
$AdminTask modifyKeyStore {-keyStoreName CellDefaultKeyStore -keyStoreLocation /temp/testKeyFile.p12 -keyStoreType JCEKS -keyStorePassword my1password}
Jython:
(dist)(iseries)
AdminTask.modifyKeyStore('-keyStoreName CellDefaultKeyStore -keyStoreLocation c:/temp/testKeyFile.p12 -keyStoreType JCEKS -keyStorePassword my1password')
(zos)
AdminTask.modifyKeyStore('-keyStoreName CellDefaultKeyStore -keyStoreLocation /temp/testKeyFile.p12 -keyStoreType JCEKS -keyStorePassword my1password')
Interactive mode:
Jacl:
$AdminTask modifyKeyStore {-interactive}
Jython:
AdminTask.modifyKeyStore('-interactive')