
Automating SSL configurations

An SSL configuration is needed for WebSphere to make SSL connections to other servers. An SSL configuration can be created through the administrative console, but if the creation needs to be automated, use the AdminTask object of the wsadmin scripting client.

Before starting this task, wsadmin.sh must be running. See the Starting the wsadmin scripting client article for more information.

  • AdminTask can be used in an interactive mode and in a batch mode. For automation, use the batch mode. AdminTask batch mode can be called from a Jacl or Jython script. Interactive mode steps through all the parameters the task needs; required ones are marked with a '*'. Before the interactive task executes, it echoes the batch mode syntax of the task to the screen, which is helpful when writing batch mode scripts.

    These attributes are needed to create an SSL configuration:

    • A key store

    • Default client certificate alias

    • Default server certificate alias

    • Trust store

    • The handshake protocol

    • The ciphers needed during handshake

    • Support client authentication or not

    When automating the creation of an SSL configuration, some of the attribute values it refers to may also have to be created first: the key store, truststore, key manager, and trust managers.

    • To create an SSL configuration the createSSLConfig AdminTask can be used. To make changes to the SSL configurations use the modifySSLConfig AdminTask.

      • Interactive mode:

        Interactive mode steps you through all attributes and tells you the default value of each attribute, if there is one. The default value is shown in '[]' on the prompt line, and the flag used in batch mode is shown in '()' on each prompt line. If you accept the default value, the flag does not appear on the generated batch command line.

        Jacl:

          $AdminTask createSSLConfig -interactive

        Jython:

          AdminTask.createSSLConfig ('[-interactive]')

        Example output:

          *SSL Configuration Alias (alias): testSSLConfig
          Management Scope Name (scopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
          Client Key Alias (clientKeyAlias): clientCert
          Server Key Alias (serverKeyAlias): serverCert
          SSL Type (type): [JSSE]
          Client Authentication (clientAuthentication): [false]
          Security Level of the SSL Configuration (securityLevel): [HIGH] HIGH
          Enabled Ciphers SSL Configuration (enabledCiphers):
          JSSE Provider (jsseProvider): [IBMJSSE2]
          Client Authentication Support (clientAuthenticationSupported): [false]
          SSL Protocol (sslProtocol): [SSL_TLS] SSL_TLS
          Trust Manager Object Names (trustManagerObjectNames):
          *Trust Store Name (trustStoreName): testTrustStore
          Trust Store Scope (trustStoreScopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
          *Key Store Name (keyStoreName): testKeyStore
          Key Store Scope Name (keyStoreScopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
          Key Manager Name (keyManagerName): IbmX509
          Key Manager Scope Name (keyManagerScopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
          Create SSL Configuration
          F (Finish)
          C (Cancel)
          Select [F, C]: [F]
          WASX7278I: Generated command line: $AdminTask createSSLConfig {-alias testSSLConfig -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -clientKeyAlias clientCert -serverKeyAlias serverCert -trustStoreName testTrustStore -trustStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -keyStoreName testKeyStore -keyStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -keyManagerName IbmX509 -keyManagerScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 }
          (cells/HOSTNode01Cell|security.xml#SSLConfig_1137687301834)

      At the end of the output, the generated command line shows the batch mode parameters.

      • Batch mode:

        Jacl:

          $AdminTask createSSLConfig {-alias testSSLConfig -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -clientKeyAlias clientCert -serverKeyAlias serverCert -trustStoreName testTrustStore -trustStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -keyStoreName testKeyStore -keyStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -keyManagerName IbmX509 -keyManagerScopeName (cell):HOSTNode01Cell:(node):HOSTNode01}

        Jython:

          AdminTask.createSSLConfig ('[-alias testSSLConfig -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -clientKeyAlias clientCert -serverKeyAlias serverCert -trustStoreName testTrustStore -trustStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -keyStoreName testKeyStore -keyStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -keyManagerName IbmX509 -keyManagerScopeName (cell):HOSTNode01Cell:(node):HOSTNode01]')

      Example output:

        (cells/HOSTNode01Cell|security.xml#SSLConfig_1137687301834)

    • Key Stores and Trust Stores: The key store and truststore may already exist, or a new one may need to be created. To create a new key store or truststore, use the createKeyStore AdminTask. It creates a key store file and stores the configuration object in the system configuration. A truststore is just a key store that usually contains only signer certificates. To create a key store enter:

      • Jacl:

          $AdminTask createKeyStore {-keyStoreName testKeyStore -keyStoreType PKCS12 -keyStoreLocation $(USER_INSTALL_ROOT)\testKeyStore.p12 -keyStorePassword abcd -keyStorePasswordVerify abcd -keyStoreIsFileBased true -keyStoreReadOnly false}

      • Jython:

          AdminTask.createKeyStore ('[-keyStoreName testKeyStore -keyStoreType PKCS12 -keyStoreLocation $(USER_INSTALL_ROOT)\testKeyStore.p12 -keyStorePassword abcd -keyStorePasswordVerify abcd -keyStoreIsFileBased true -keyStoreReadOnly false]')

      To populate the key store with certificates, see "Managing Certificates using AdminConsole and Admin Task". The key store and truststore are required to create an SSL configuration; supply them with the '-keyStoreName' and '-trustStoreName' flags of createSSLConfig. Their scopes can be given with the '-keyStoreScopeName' and '-trustStoreScopeName' flags.

    • Key Manager: Key managers determine how a certificate is selected. The IbmX509 key manager is in the security configuration by default. If a different key manager is needed, use the createKeyManager AdminTask to create it. To create a key manager enter:

      • Jacl:

          $AdminTask createKeyManager {-name testKeyManager -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -provider IBMJSSE2 -algorithm specialAlgorithm }

      • Jython:

          AdminTask.createKeyManager ('[-name testKeyManager -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -provider IBMJSSE2 -algorithm specialAlgorithm]')

      To supply a key manager on the createSSLConfig AdminTask, use the '-keyManagerName' flag along with the '-keyManagerScopeName' flag.

    • Trust Manager: Trust managers determine how trust is established during SSL communication. The IbmX509 and IbmPKIX trust managers are in the security configuration by default. If a different or additional trust manager is needed, use the createTrustManager AdminTask to create it. To create a trust manager enter:

      • Jacl:

          $AdminTask createTrustManager {-name testTrustManager -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -provider IBMJSSE2 -algorithm specialAlgorithm }

      • Jython:

          AdminTask.createTrustManager ('[-name testTrustManager -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -provider IBMJSSE2 -algorithm specialAlgorithm]')

      The SSL configuration can have multiple trust managers. To supply multiple trust managers, give a comma-separated list of the trust managers' configuration object IDs with the -trustManagerObjectNames flag. When a trust manager is created, its configuration object ID is returned. To get a list of trust manager object IDs, use the listTrustManagers command of the AdminTask object with the -displayObjectName true flag. For example:

        wsadmin>$AdminTask listTrustManagers -interactive
        List Trust Managers
        List trust managers.
        Management Scope Name (scopeName):
        Display list in ObjectName Format (displayObjectName): [false] true
        List Trust Managers
        F (Finish)
        C (Cancel)
        Select [F, C]: [F]
        Inside generate script command WASX7278I: Generated command line: $AdminTask listTrustManagers {-displayObjectName true }
        IbmX509(cells/IBM-0AF8DABCF16Node01Cell|security.xml#TrustManager_IBM-0AF8DABCF16Node01_1)
        IbmPKIX(cells/IBM-0AF8DABCF16Node01Cell|security.xml#TrustManager_IBM-0AF8DABCF16Node01_2)
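      The following is an added example, not code from this IBM page or from WebSphere itself. It ties the createSSLConfig batch call and the listTrustManagers lookup above together in one Jython-style script: it parses the 'name(configId)' lines that listTrustManagers -displayObjectName true returns, selects the trust managers by name, builds the '[-flag value ...]' parameter string, and issues createSSLConfig. It runs in plain Python against a recording stand-in (DryRunAdminTask) so the generated command can be inspected before touching a cell; under wsadmin the same functions take the real AdminTask object. The scope name, store names, aliases and the sample listing are constructed for illustration.

```python
# Added example, not code from the IBM page: assemble the createSSLConfig
# batch call from the attributes the page lists. Runs in plain Python as a
# dry run; under wsadmin, pass the real AdminTask object instead of the
# DryRunAdminTask stand-in. All names and scopes below are constructed.
import re

SCOPE = "(cell):HOSTNode01Cell:(node):HOSTNode01"  # constructed scope name

# Constructed sample of 'listTrustManagers -displayObjectName true' output,
# in the one-entry-per-line 'name(configId)' form the page shows.
SAMPLE_TRUST_MANAGER_LISTING = (
    "IbmX509(cells/HOSTNode01Cell|security.xml#TrustManager_HOSTNode01_1)\n"
    "IbmPKIX(cells/HOSTNode01Cell|security.xml#TrustManager_HOSTNode01_2)\n"
)


def build_params(options):
    """Render [(flag, value), ...] as the '[-flag value ...]' string that the
    Jython AdminTask methods take. A None value means 'accept the task
    default', so the flag is omitted, just as interactive mode omits defaulted
    flags from its generated command line. Values containing whitespace are
    wrapped in double quotes (wsadmin's quoting convention)."""
    parts = []
    for flag, value in options:
        if value is None:
            continue
        value = str(value)
        if re.search(r"\s", value):
            value = '"%s"' % value
        parts.append("-%s %s" % (flag, value))
    return "[%s]" % " ".join(parts)


def parse_object_names(listing):
    """Parse listTrustManagers -displayObjectName true output into a list of
    (name, configId) pairs; lines not matching 'name(configId)' are ignored."""
    entries = []
    for line in listing.splitlines():
        m = re.match(r"^\s*([^(\s]+)\((.+)\)\s*$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def create_ssl_config(admin_task, alias, key_store, trust_store,
                      client_alias, server_alias,
                      trust_managers=("IbmX509",), key_manager="IbmX509",
                      client_auth=None, scope=SCOPE):
    """Look up the configured trust managers by name, then issue
    createSSLConfig with their object IDs in -trustManagerObjectNames.
    Fails early if a requested trust manager is not configured in the scope.
    Returns the SSLConfig object ID that AdminTask reports."""
    listing = admin_task.listTrustManagers("[-displayObjectName true]")
    ids = [cid for name, cid in parse_object_names(listing)
           if name in trust_managers]
    if len(ids) != len(trust_managers):
        raise ValueError("trust manager(s) not found in scope: %s"
                         % ", ".join(trust_managers))
    params = build_params([
        ("alias", alias),
        ("scopeName", scope),
        ("clientKeyAlias", client_alias),
        ("serverKeyAlias", server_alias),
        ("clientAuthentication", client_auth),  # None -> task default (false)
        ("trustManagerObjectNames", ",".join(ids)),
        ("trustStoreName", trust_store),
        ("trustStoreScopeName", scope),
        ("keyStoreName", key_store),
        ("keyStoreScopeName", scope),
        ("keyManagerName", key_manager),
        ("keyManagerScopeName", scope),
    ])
    return admin_task.createSSLConfig(params)


class DryRunAdminTask:
    """Stand-in for wsadmin's AdminTask: records every call and returns
    constructed results so the orchestration can be checked outside WebSphere."""
    def __init__(self):
        self.calls = []

    def listTrustManagers(self, params):
        self.calls.append(("listTrustManagers", params))
        return SAMPLE_TRUST_MANAGER_LISTING

    def createSSLConfig(self, params):
        self.calls.append(("createSSLConfig", params))
        return "(cells/HOSTNode01Cell|security.xml#SSLConfig_EXAMPLE)"


def demo():
    """Dry-run driver. Under wsadmin, use AdminTask instead of the stand-in
    and follow the call with AdminConfig.save() to commit the change."""
    task = DryRunAdminTask()
    oid = create_ssl_config(task, "testSSLConfig", "testKeyStore",
                            "testTrustStore", "clientCert", "serverCert",
                            trust_managers=("IbmX509", "IbmPKIX"))
    return task, oid


if __name__ == "__main__":
    task, oid = demo()
    for name, params in task.calls:
        print("AdminTask.%s('%s')" % (name, params))
    print(oid)
```

      Running the script prints the two AdminTask calls it would make and the returned object ID. The dry run is the point: the generated parameter string can be reviewed (which trust managers, which stores, whether client authentication is left at its default) before the script is run inside wsadmin, where the change only becomes permanent once AdminConfig.save() is called.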


    Related tasks

  • Start the wsadmin scripting client


    Related information:

  • Commands for the AdminTask object