WAS v8.5 > Script the application serving environment (wsadmin) > Scripting for security > Configure security with scripting > Secure communications using wsadmin

Configure certificate authority client objects using wsadmin

Use this topic to create a certificate authority (CA) client object. The client object contains all of the configuration information necessary to connect to your third-party CA server. A CA client must exist in your configuration before we can issue a request to the CA for a personal certificate with the requestCACertificate command.

A CA client object contains the information the system uses to connect to a certificate authority. The connection is made through an implementation of the com.ibm.wsspi.ssl.WSPKIClient interface; specify the implementing class when creating the CA client object (the default implementation is com.ibm.wsspi.ssl.WSPKIClient). If no CA client exists in your configuration, use the steps in this topic to create one.

  1. Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.

  2. Determine if a CA client exists in your configuration.

    Use the following listCAClients command to list all certificate authority clients in your configuration:

      print AdminTask.listCAClients()

  3. If no CA clients exist, then create a new CA client.

    Use the createCAClient command to create a new CA client object. The application server connects to a CA server through the WSPKIClient() implementation, which handles all connections and communications with the CA server.

    Required parameter. Specify the following configuration information for a new CA client object:

      -caClientName (String)
        A name that uniquely identifies the CA client object.

    Additional parameters. We can specify additional configuration information using the following parameters:

      -scopeName (String)
        The management scope of the CA client. For a deployment manager profile, the system uses the cell scope as the default value. For an application server profile, the system uses the node scope as the default value.

      -pkiClientImplClass (String)
        The class that implements the WSPKIClient interface. The system uses this class to connect to the CA and to issue requests to the CA. Default is com.ibm.wsspi.ssl.WSPKIClient.

      -host (String)
        The host name of the system where the CA resides.

      -port (String)
        The port on which the CA listens.

      -userName (String)
        The user name used to authenticate to the CA.

      -password (String)
        The password for the user name that authenticates to the CA.

      -frequencyCheck (String)
        How often, in minutes, the system checks with the CA to determine whether a certificate has been created.

      -retryCheck (String)
        The number of times to check with the CA to determine whether a certificate has been created.

      -customProperties (String)
        Comma-separated list of attribute=value custom property pairs to add to the CA client object.

    Use the following example command to create a new CA client object:

      AdminTask.createCAClient('[-caClientName clientObj01 -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient -host machine011 -port 9022 -userName admin -password pw4admin]')

    The command returns the object name of the CA client that has been created.

    The CA password is part of the command string. Run the command from a script file (wsadmin -f) with restricted read permissions rather than passing it on the command line with -c, where it would be recorded in the shell history and visible in the process list.

  4. Save your configuration changes.

    Use the following command example to save your configuration changes:

      AdminConfig.save()

If the CA client object was successfully created, then we can configure the application server to use a personal certificate created by an external CA.


Related


Set a certificate authority certificate as the default certificate using wsadmin
Start the wsadmin scripting client using wsadmin.sh


Reference:

PersonalCertificateCommands command group for AdminTask
CAClientCommands command group for AdminTask

