Configure certificate authority client objects
Use this topic to create a certificate authority (CA) client object. The client object contains all of the configuration information necessary to connect to the third-party CA server. A CA client must exist in the configuration before we can issue a request to the CA to create personal certificates with the requestCACertificate command.
A CA client object contains the information that the system uses to connect to a certificate authority. The connection itself is made through an implementation of the com.ibm.ws.WSPKIClient interface: implement that interface to connect to the certificate authority, and provide the implementing com.ibm.ws.WSPKIClient class when creating the CA client object.
If a CA client does not exist in the configuration, use the steps in this topic to create a new CA client.
- Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
- Determine if a CA client exists in the configuration.
Use the following listCAClients command to list all certificate authority clients in the configuration:
print AdminTask.listCAClients()
- If no CA clients exist, then create a new CA client.
Use the createCAClient command to create a new CA client object. The application server connects to a CA server through the WSPKIClient() implementation, which handles all connections and communications with the CA server.
The createCAClient command accepts the following parameters (all of data type String):
- -CAClientName: Specify a name to uniquely identify the CA client object.
- -scopeName: Specify the management scope of the CA client. For a dmgr profile, the system uses the cell scope as the default value. For an application server profile, the system uses the node scope as the default value.
- -pkiClientImplClass: Specify the class path that implements the WSPKIClient interface. The system uses this path to connect to the CA and to issue requests to the CA. The default value is com.ibm.wsspi.ssl.WSPKIClient.
- -host: Specify the host name of the system where the CA resides.
- -port: Specify the port on the server where the CA listens.
- -userName: Specify the user name to use to authenticate to the CA.
- -password: Specify the password for the user name that authenticates to the CA.
- -frequencyCheck: Specify how often, in minutes, the system checks with the CA to determine if a certificate has been created.
- -retryCheck: Specify the number of times to check with the CA to determine if a certificate has been created.
- -customProperties: Specify a comma-separated list of attribute and value (attribute=value) custom property pairs to add to the CA client object.
Use the following example command to create a new CA client object:
AdminTask.createCAClient('[-caClientName clientObj01 -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient -host machine011 -port 9022 -userName admin -password pw4admin]')
The command returns the object name of the CA client that has been created.
- Save the configuration changes.
Use the following command example to save the configuration changes:
AdminConfig.save()
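The three steps above combined into one idempotent wsadmin Jython script, as an added example that is not part of the IBM documentation: it lists the existing CA clients, creates the client only if no client with that name exists, and then saves. The AdminTask and AdminConfig objects are passed in as parameters so the logic can be checked outside wsadmin; the object-name format parsed by existing_ca_client_names, name(path|file#id), and the CA_CLIENT_PASSWORD variable used instead of embedding the password in the script are assumptions.

```python
import os
import re

REQUIRED = ('caClientName', 'pkiClientImplClass', 'host', 'port',
            'userName', 'password')

def build_create_params(params):
    """Render a parameter dict as the '[-key value ...]' string that
    AdminTask.createCAClient accepts; values containing spaces are quoted."""
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        raise ValueError('missing createCAClient parameters: ' + ', '.join(missing))
    if not str(params['port']).isdigit():
        raise ValueError('port must be numeric, got %r' % (params['port'],))
    parts = []
    for key in sorted(params):          # deterministic order
        value = str(params[key])
        if ' ' in value:
            value = '"%s"' % value
        parts.append('-%s %s' % (key, value))
    return '[%s]' % ' '.join(parts)

def existing_ca_client_names(list_output):
    """Extract client names from listCAClients output. Assumption (not stated
    on the page): entries are config ids like name(cells/...#CAClient_n)."""
    names = []
    entries = list_output if isinstance(list_output, list) else str(list_output).splitlines()
    for line in entries:
        match = re.match(r'\s*([^\s(]+)\(', str(line))
        if match:
            names.append(match.group(1))
    return names

def ensure_ca_client(admin_task, admin_config, params):
    """Create the CA client only if none with that name exists, then save.
    Returns (created, object_name_or_None)."""
    name = params['caClientName']
    if name in existing_ca_client_names(admin_task.listCAClients()):
        return (False, None)
    obj_name = admin_task.createCAClient(build_create_params(params))
    admin_config.save()
    return (True, obj_name)

def params_from_env(name, host, port, user):
    """Parameter dict with the password read from CA_CLIENT_PASSWORD (assumed
    variable name) rather than hard-coded in the script."""
    return {'caClientName': name,
            'pkiClientImplClass': 'com.ibm.wsspi.ssl.WSPKIClient',
            'host': host, 'port': port, 'userName': user,
            'password': os.environ.get('CA_CLIENT_PASSWORD', '')}
```

Inside wsadmin, where AdminTask and AdminConfig are predefined, call ensure_ca_client(AdminTask, AdminConfig, params_from_env('clientObj01', 'machine011', '9022', 'admin')).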
What to do next
If the CA client object was successfully created, then we can configure the application server to use a personal certificate created by an external CA.
Related tasks
- Set a certificate authority certificate as the default certificate
- Start the wsadmin scripting client
- PersonalCertificateCommands (AdminTask)
- CAClientCommands (AdminTask)