SSLConfigCommands (AdminTask)

SSLConfigCommands (AdminTask)

SSLConfigCommands commands manage SSL configurations and properties.

createSSLConfig

Create an SSL configuration based on key store and trust store settings. We can use the SSL configuration settings to make the SSL connections.
Target: None
Required parameters

-alias The name of the alias.
-trustStoreNames The key store that holds trust information used to validate the trust from remote connections.
-keyStoreName The key store that holds the personal certificates that provide identity for the connection.

Optional parameters

-scopeName The name of the scope.
-clientKeyAlias The certificate alias name for the client.
-serverKeyAlias The certificate alias name for the server.
-type The type of SSL configuration.
-clientAuthentication Set to true to request client authentication. Otherwise, set the value of this parameter to false.
-securityLevel The cipher group to use. Valid values include: HIGH, MEDIUM, LOW, and CUSTOM.
-enabledCiphers A list of ciphers used during SSL handshake.
-jsseProvider One of the JSSE providers.
-clientAuthenticationSupported Set to true to support client authentication. Otherwise, set the value of this parameter to false.
-sslProtocol The protocol type for the SSL handshake. Valid values include: SSL_TLS, SSL, SSLv2, SSLv3, TLS, TLSv1.
-trustManagerObjectNames A list of trust managers separated by commas.
-trustStoreScopeName The management scope name of the trust store.
-keyStoreScopeName The management scope name of the key store.
-keyManagerName - Name of the Key Manager.
-keyManagerScopeName Scope of the key manager.
-ssslKeyRingName Specifies a system SSL (SSSL) key ring name. The value for this parameter has no affect unless the SSL configuration type is SSSL.
-v3timeout - Time out in seconds for System SSL configuration types. Values range from 1 to 86400.

Example output
The command returns the configuration object name of the new SSL configuration object.
Examples:
Batch mode example:
Jacl:
$AdminTask createSSLConfig {-alias testSSLCfg  
                            -clientKeyAlias key1  
                            -serverKeyAlias key2 
                            -trustStoreNames trustKS 
                            -keyStoreName   testKS 
                            -keyManagerName testKeyMgr}
Jython string...
AdminTask.createSSLConfig('[-alias testSSLCfg  
                            -clientKeyAlias key1  
                            -serverKeyAlias key2 
                            -trustStoreNames trustKS 
                            -keyStoreName  testKS 
                            -keyManagerName testKeyMgr]')
Jython list:
AdminTask.createSSLConfig(['-alias', 'testSSLCfg', 
                           '-clientKeyAlias',  'key1', 
                           '-serverKeyAlias', 'key2', 
                           '-trustStoreNames', 'trustKS',  
                           '-keyStoreName', 'testKS', 
                           '-keyManagerName', 'testKeyMgr'])
Interactive mode:

Jacl:
$AdminTask createSSLConfig {-interactive}

Jython:
AdminTask.createSSLConfig('-interactive')

createSSLConfigProperty

Create a property for an SSL configuration. Use this command to set SSL configuration settings that are different than the settings in the SSL configuration object.
Target: None
Required parameters

-sslConfigAliasName The alias name of the SSL configuration.
-propertyName The name of the property.
-propertyValue The value of the property.

Optional parameters

-scopeName The name of the scope.

Example output
The command does not return output.
Examples:
Batch mode example:
Jacl:
$AdminTask createSSLConfigProperty {-sslConfigAliasName NodeDefaultSSLSettings  
                                    -scopeName (cell):localhostNode01Cell:(node):localhostNode01 
                                    -propertyName  test.property 
                                    -propertyValue testValue}
Jython string...
AdminTask.createSSLConfigProperty('[-sslConfigAliasName NodeDefaultSSLSettings  
                                    -scopeName (cell):localhostNode01Cell:(node):localhostNode01 
                                    -propertyName  test.property 
                                    -propertyValue testValue]')
Jython list:
AdminTask.createSSLConfigProperty(['-sslConfigAliasName', 'NodeDefaultSSLSettings',  
                                  '-scopeName', 
                                  '(cell):localhostNode01Cell:(node):localhostNode01', 
                                  '-propertyName',  
                                  'test.property', 
                                  '-propertyValue', 
                                  'testValue'])
Interactive mode:

Jacl:
$AdminTask createSSLConfigProperty {-interactive}

Jython:
AdminTask.createSSLConfigProperty('-interactive')

deleteSSLConfig

Delete the SSL configuration object specified from the configuration.
Target: None
Required parameters and return values

-alias The name of the alias.

Optional parameters

-scopeName The name of the scope.

Example output
The command does not return output.
Examples:
Batch mode example:

Jacl:
$AdminTask deleteSSLConfig {-alias NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01}

Jython string...
AdminTask.deleteSSLConfig('[-alias NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01]')

Jython list:
AdminTask.deleteSSLConfig(['-alias', 'NodeDefaultSSLSettings', '-scopeName', '(cell):localhostNode01Cell:(node):localhostNode01'])

Interactive mode:

Jacl:
$AdminTask deleteSSLConfig {-interactive}

Jython:
AdminTask.deleteSSLConfig('-interactive')

getInheritedSSLConfig

Return the SSL configuration alias and certificate alias from which a given management scope and direction inherits its SSL configuration information. This command only returns inheritance information; it does not return information about an SSL configuration that is effective for a give scope.
For example, by default in a Network Deployment environment, there are different SSL configuration effective at the cell and node levels. If we issue the getInheritedSSLConfig command, specifying the nodes management scope, you get the name of the SSL configuration for the cell, not the effective SSL configuration of the node, because the node inherits its configuration information from the cell.
Target object: None.
Required parameters and return values

-scopeName The name of the management scope.

Optional parameters
None.
Example output
The command returns the SSL configuration alias and certificate alias from which the specified management scope and direction inherits its SSL configuration information.
Examples:

Jacl:
$AdminTask getInheritedSSLConfig {-scopeName (cell):localhostNode01Cell:(node):localhostNode01 -direction inbound} CellDefaultSSLSettings,null

Jython string...
AdminTask.getInheritedSSLConfig('[-scopeName (cell):localhostNode01Cell:(node):localhostNode01 -direction inbound]') CellDefaultSSLSettings,null

getSSLConfig

Obtain information about an SSL configuration and displays the settings.
Required parameters...

-alias The name of the alias.

Optional parameters...

-scopeName The name of the scope.

Examples:
Batch mode example:

Jacl:
$AdminTask getSSLConfig {-alias NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01}

Jython string...
AdminTask.getSSLConfig('[-alias NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01]')

Jython list:
AdminTask.getSSLConfig(['-alias', 'NodeDefaultSSLSettings', '-scopeName', '(cell):localhostNode01Cell:(node):localhostNode01'])

Interactive mode:

Jacl:
$AdminTask getSSLConfig {-interactive}

Jython:
AdminTask.getSSLConfig('-interactive')

Example output
wsadmin>$AdminTask getSSLConfig {-alias NodeDefaultSSLSettings}
{alias NodeDefaultSSLSettings} 
{type JSSE} 
{setting 
    {{keyFileName {}} 
     {keyFilePassword {}} 
     {keyFileFormat JKS} 
     {clientKeyAlias {}} 
     {serverKeyAlias {}} 
     {trustFileName {}}
     {trustFilePassword {}} 
     {trustFileFormat JKS} 
     {clientAuthentication false} 
     {securityLevel HIGH} 
     {enableCryptoHardwareSupport false} 
     {enabledCiphers {}} 
     {jsseProvider IBMJS SE2} 
     {clientAuthenticationSupported false} 
     {sslProtocol SSL_TLS} 
     {cryptoHardware {}} 
     {properties 
        {{name com.ibm.ssl.changed} 
         {value 11} 
         {description {}} 
         {required false}
         {validationExpression {}} 
         {_Websphere_Config_Data_Id cells/MyCell|security.xml#Property_1467056567837} 
         {_Websphere_Config_Data_Type Property} 
        }
    } 
    {keyStore NodeDefaultKeyStore(cells/MyCell|security.xml#KeyStore_MyNode_1)} 
    {trustStore NodeDefaultTrustStore(cells/MyCell|security.xml#KeyStore_MyNode_2)} 
    {trustManager IbmPKIX(cells/MyCell|security.xml#TrustManager_MyNode_2)} 
    {keyManager IbmX509(cells/MyCell|security.xml#KeyManager_MyNode_1)} 
    {_Websphere_Config_Data_Id cells/MyCell|security.xml#SecureSocketLayer_MyNode_1} 
    {_Websphere_Config_Data_Type SecureSocketLayer} }
} 
{managementScope (cells/MyCell|security.xml#ManagementScope_MyNode_1)} 
{_Websphere_Config_Data_Id cells/MyCell|security.xml#SSLConfig_MyNode_1} 
{_Websphere_Config_Data_Type SSLConfig} 
{_Websphere_Config_Data_Version {} }
getSSLConfigProperties

Obtain information about SSL configuration properties.
Target: None
Required parameters and return values

-alias The name of the alias.

Optional parameters

-scopeName The name of the scope.

Example output
The command returns additional information about the SSL configuration properties.
Examples:
Batch mode example:

Jacl:
$AdminTask getSSLConfigProperties {-sslConfigAliasName NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01}

Jython string...
AdminTask.getSSLConfigProperties('[-sslConfigAliasName NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01]')

Jython list:
AdminTask.getSSLConfigProperties(['-sslConfigAliasName', 'NodeDefaultSSLSettings', '-scopeName', '(cell):localhostNode01Cell:(node):localhostNode01'])

Interactive mode:

Jacl:
$AdminTask getSSLConfigProperties {-interactive}

Jython:
AdminTask.getSSLConfigProperties('-interactive')

listSSLCiphers

List the SSL ciphers.
Target: None
Required parameters

-securityLevel The cipher group to use. Valid values include: HIGH, MEDIUM, LOW, and CUSTOM.

Optional parameters

-sslConfigAliasName The alias name of the SSL configuration.
-scopeName The name of the scope.

Example output
The command returns a list of SSL ciphers.
Examples:
Batch mode example:

Jacl: $AdminTask listSSLCiphers {-sslConfigAliasName testSSLCfg -securityLevel HIGH}

Jython string: AdminTask.listSSLCiphers('[-sslConfigAliasName testSSLCfg -securityLevel HIGH]')

Jython list: AdminTask.listSSLCiphers(['-sslConfigAliasName', 'testSSLCfg', '-securityLevel', 'HIGH'])

Interactive mode:

Jacl:
$AdminTask listSSLCiphers {-interactive}

Jython:
AdminTask.listSSLCiphers('-interactive')

listSSLConfigs

List the defined SSL configurations within a management scope.
Target: None
Optional parameters

-scopeName The name of the scope.
-displayObjectName Set to true to list the SSL configuration objects within the scope. Set false to list the strings containing the SSL configuration alias and management scope.
-all Specify the value of this parameter as true to list all SSL configurations. This parameter overrides the scopeName parameter. The default value is false.

Example output
The command returns a list of defined SSL configurations.
Examples:
Batch mode example:

Jacl:
$AdminTask listSSLConfigs {-scopeName (cell): localhostNode01Cell:(node):localhostNode01 -displayObjectName true}

Jython string...
AdminTask.listSSLConfigs('[-scopeName (cell):localhostNode01Cell:(node):localhostNode01 -displayObjectName true]')

Jython list:
AdminTask.listSSLConfigs(['-scopeName', '(cell):localhostNode01Cell:(node):localhostNode01', '-displayObjectName', 'true'])

Interactive mode:

Jacl:
$AdminTask listSSLConfigs {-interactive}

Jython:
AdminTask.listSSLConfigs('-interactive')

listSSLConfigProperties

List the properties for an SSL configuration.
Target: None
Required parameters

-alias The alias name of the SSL configuration.

Optional parameters

-scopeName The name of the scope.
-displayObjectName Set to true to list the SSL configuration objects within the scope. Set false to list the strings containing the SSL configuration alias and management scope.

Example output
The command returns SSL configuration properties.
Examples:
Batch mode example:

Jacl:
$AdminTask listSSLConfigProperty {-alias SSL123 -scopeName (cell):localhostNode01Cell:(node):localhostNode01 -displayObjectName true}

Jython string...
AdminTask.listSSLConfigProperty('[-alias SSL123 -scopeName (cell):localhostNode01Cell:(node):localhostNode01 -displayObjectName true]')

Jython list:
AdminTask.listSSLConfigProperty(['-alias', 'SSL123', '-scopeName', '(cell):localhostNode01Cell:(node):localhostNode01', '-displayObjectName', 'true'])

Interactive mode:

Jacl:
$AdminTask listSSLConfigProperties {-interactive}

Jython:
AdminTask.listSSLConfigProperties('-interactive')

listSSLProtocolTypes

List the SSL protocols valid for the current configured security level. If a security standard is not enabled, the full list of valid protocols are returned. Otherwise, the list of appropriate protocols for the configured security level is returned.
Target: None
Required parameters None.
Returns
This command lists all available protocols for the current FIPS level.

Security mode Available protocol types
FIPS not enabled
SSL_TLS
SSL
SSLv2
SSLv3
TLS
TLSv1
SSL_TLSv2
TLSv1.1
TLSv1.2
FIPS140-2
TLS
TLSv1
TLSv1.1
TLSv1.2
SP800-131 - Transition
TLS
TLSv1
TLSv1.1
TLSv1.2
SP800-131 - Strict
TLSv1.2
Suite B 128
TLSv1.2
SP800-131 - Suite B 192
TLSv1.2

Examples:
Batch mode example:

Jacl:
$AdminTask listSSLProtocolTypes TLSv1.2

listSSLRepertoires

List all of the SSL configuration instances that we can associate with an SSL inbound channel.If we create a new SSL alias using the console, the alias name is automatically created in the node/alias_name format. However, if we create a new SSL alias , create the SSL alias and specify both the node name and alias name in the node/alias_name format.
Target object SSLInboundChannel instance for which the SSLConfig candidates are listed.
Required parameters None.
Optional parameters None.
Sample output The command returns a list of eligible SSL configuration object names.
Examples:
Batch mode example:

Jacl:
$AdminTask listSSLRepertoires SSL_3(cells/mybuildCell01/nodes/mybuildNode01/servers/ server2|server.xml#SSLInboundChannel_1093445762330)

Jython string...
print AdminTask.listSSLRepertoires('SSL_3(cells/mybuildCell01/nodes/mybuildNode01/ servers/server2|server.xml#SSLInboundChannel_1093445762330)')

Jython list:
print AdminTask.listSSLRepertoires('SSL_3(cells/mybuildCell01/nodes/mybuildNode01/ servers/server2|server.xml#SSLInboundChannel_1093445762330)')

Interactive mode:

Jacl:
$AdminTask listSSLRepertoires {-interactive}

Jython:
print AdminTask.listSSLRepertoires('-interactive')

modifySSLConfig

Modify the settings of an existing SSL configuration.
Target: None
Required parameters

-alias The name of the alias.

Optional parameters

-scopeName The name of the scope.
-clientKeyAlias The certificate alias name for the client.
-serverKeyAlias The certificate alias name for the server.
-clientAuthentication Set to true to request client authentication. Otherwise, set the value of this parameter to false. (Boolean, optional)
-securityLevel The cipher group to use. Valid values include: HIGH, MEDIUM, LOW, and CUSTOM.
-enabledCiphers A list of ciphers used during SSL handshake.
-jsseProvider One of the JSSE providers.
-clientAuthenticationSupported Set to true to support client authentication. Otherwise, set the value of this parameter to false.
-sslProtocol The protocol type for the SSL handshake. Valid values include: SSL_TLS, SSL, SSLv2, SSLv3, TLS, TLSv1.
-trustManagerObjectNames A list of trust managers separated by commas.
-trustStoreName The key store that holds trust information used to validate the trust from remote connections.
-trustStoreScopeName The management scope name of the trust store.
-keyStoreName The key store that holds the personal certificates that provide identity for the connection.
-keyStoreScopeName The management scope name of the key store.
-keyManagerName - Name of the Key Manager.
-keyManagerScopeName Scope of the key manager.
-ssslKeyRingName Specifies a system SSL (SSSL) key ring name. The value for this parameter has no affect unless the SSL configuration type is SSSL.
-v3timeout Time out in seconds for System SSL configuration types. Values range from 1 to 86400.

Example output
The command does not return output.
Examples:
Batch mode example:
Jacl:
$AdminTask modifySSLConfig {-alias testSSLCfg 
                            -clientKeyAlias tstKey1  
                            -serverKeyAlias tstKey2 
                            -securityLevel LOW}
Jython string...
AdminTask.modifySSLConfig('[-alias testSSLCfg 
                            -clientKeyAlias tstKey1  
                            -serverKeyAlias tstKey2 
                            -securityLevel LOW]')
Jython list:
AdminTask.modifySSLConfig(['-alias', 'testSSLCfg', 
                           '-clientKeyAlias', 'tstKey1',  
                           '-serverKeyAlias', 
                           'tstKey2', 
                           '-securityLevel', 
                           'LOW'])
Interactive mode:

Jacl:
$AdminTask modifySSLConfig {-interactive}

Jython:
AdminTask.modifySSLConfig('-interactive')

Related concepts

Key management for cryptographic uses
Use the wsadmin scripting AdminTask object for scripted administration
Automating SSL configurations
Create an SSL configuration at the node scope

-alias	The name of the alias.
-trustStoreNames	The key store that holds trust information used to validate the trust from remote connections.
-keyStoreName	The key store that holds the personal certificates that provide identity for the connection.

-scopeName	The name of the scope.
-clientKeyAlias	The certificate alias name for the client.
-serverKeyAlias	The certificate alias name for the server.
-type	The type of SSL configuration.
-clientAuthentication	Set to true to request client authentication. Otherwise, set the value of this parameter to false.
-securityLevel	The cipher group to use. Valid values include: HIGH, MEDIUM, LOW, and CUSTOM.
-enabledCiphers	A list of ciphers used during SSL handshake.
-jsseProvider	One of the JSSE providers.
-clientAuthenticationSupported	Set to true to support client authentication. Otherwise, set the value of this parameter to false.
-sslProtocol	The protocol type for the SSL handshake. Valid values include: SSL_TLS, SSL, SSLv2, SSLv3, TLS, TLSv1.
-trustManagerObjectNames	A list of trust managers separated by commas.
-trustStoreScopeName	The management scope name of the trust store.
-keyStoreScopeName	The management scope name of the key store.
-keyManagerName	- Name of the Key Manager.
-keyManagerScopeName	Scope of the key manager.
-ssslKeyRingName	Specifies a system SSL (SSSL) key ring name. The value for this parameter has no affect unless the SSL configuration type is SSSL.
-v3timeout	- Time out in seconds for System SSL configuration types. Values range from 1 to 86400.

-sslConfigAliasName	The alias name of the SSL configuration.
-propertyName	The name of the property.
-propertyValue	The value of the property.

-scopeName	The name of the scope.
-displayObjectName	Set to true to list the SSL configuration objects within the scope. Set false to list the strings containing the SSL configuration alias and management scope.
-all	Specify the value of this parameter as true to list all SSL configurations. This parameter overrides the scopeName parameter. The default value is false.

Security mode	Available protocol types
FIPS not enabled	SSL_TLS SSL SSLv2 SSLv3 TLS TLSv1 SSL_TLSv2 TLSv1.1 TLSv1.2
FIPS140-2	TLS TLSv1 TLSv1.1 TLSv1.2
SP800-131 - Transition	TLS TLSv1 TLSv1.1 TLSv1.2
SP800-131 - Strict	TLSv1.2
Suite B 128	TLSv1.2
SP800-131 - Suite B 192	TLSv1.2