
Set a certificate authority certificate as the default certificate using wsadmin

Use this topic to request a personal certificate from an external certificate authority (CA). After the CA returns the certificate and it is saved in the keystore, we can use it as the server default personal certificate.

You must configure a CA client object in the environment. The client object contains all of the configuration information necessary to connect to your third-party CA server. After profile creation, the system is assigned a default chained personal certificate. Use the following steps to modify the application server to use a default personal certificate created by an external CA.

  1. Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
  2. Verify that a certificate authority client exists in your configuration. Use the listCAClients command to query the environment for all existing certificate authority clients and their configuration attributes, or the getCAClient command to return the configuration attributes for a specific certificate authority client. If the listCAClients or getCAClient commands do not return any attributes, create a certificate authority client object before completing the remaining steps.

    • List all certificate authority client objects in your configuration.

      Use the listCAClients command to list all certificate authority clients in your configuration. If we do not provide a value for the -scopeName parameter, then the command queries the cell if we use a deployment manager profile or queries the node if we use an application server profile. Use the -all parameter to query the environment without using a specific scope, as the following example demonstrates:

        print AdminTask.listCAClients('-all true')

      The command returns an array of attribute lists, displaying one attribute list for each CA client, as the following example output displays:

      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] [scopeName (cell):myCell01] [name jenCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566881] [port 2950] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
    • List the configuration attributes for a specific certificate authority client.

      Use the getCAClient command to view the list of attributes for a specific certificate authority client, as the following example demonstrates:

        print AdminTask.getCAClient('-caClientName myCAClient')

      The command returns an attribute list containing the attribute and value pairs for the specific certificate authority client, as the following example demonstrates:

      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'

  3. Optional: If a certificate authority client does not exist in the environment, then configure a CA client object.

  4. Optional: View the current default personal certificate.

    Use the following listPersonalCertificates command to display the current default personal certificate, which is the certificate that will be replaced:

      AdminTask.listPersonalCertificates('[-keyStoreName CellDefaultKeyStore -keyStoreScope (cell):myCell01]')
  5. Request a certificate from a certificate authority.

    Before the current default personal certificate can be replaced, you must request a certificate from a certificate authority. We can create a new certificate request, or use the createCertificateRequest command to use a predefined certificate request. The system uses the certificate request and the certificate authority configuration information from the CA client object to request the certificate from the certificate authority. If the certificate authority returns a certificate, then the requestCACertificate command stores the certificate in the specified keystore and returns a message of COMPLETE.

    Required parameters. Use the requestCACertificate command and the following required parameters to request a certificate from a certificate authority:

    -certificateAlias (String)
        Alias of the certificate. We can specify a predefined certificate request.
    -keyStoreName (String)
        Name of the keystore object that stores the CA certificate. Use the listKeyStores command to display a list of available keystores.
    -caClientName (String)
        Name of the CA client that is used to request the CA certificate.
    -revocationPassword (String)
        Password to use to revoke the certificate at a later date.

    Optional parameters. We can also use the following parameters to specify additional certificate request options. If we do not specify an optional parameter, then the command uses the default value.

    -keyStoreScope (String)
        Specifies the management scope of the keystore. For a deployment manager profile, the default value is the cell scope. For an application server profile, the default value is the node scope.
    -caClientScope (String)
        Specifies the management scope of the CA client. For a deployment manager profile, the default value is the cell scope. For an application server profile, the default value is the node scope.
    -certificateCommonName (String)
        Common name (CN) part of the full distinguished name (DN) of the certificate. This common name can represent a person, company, or machine. For websites, the common name is frequently the DNS host name where the server resides.
    -certificateSize (String)
        Size of the certificate key. The valid values are 512, 1024, 2048, 4096 and 8192. Default is 2048.
    -certificateOrganization (String)
        Organization portion of the distinguished name.
    -certificateOrganizationalUnit (String)
        Organizational unit portion of the distinguished name.
    -certificateLocality (String)
        Locality portion of the distinguished name.
    -certificateState (String)
        State portion of the distinguished name.
    -certificateZip (String)
        Specifies the zip code portion of the distinguished name.
    -certificateCountry (String)
        Country portion of the distinguished name.

    Use the following example command syntax to request a certificate from a certificate authority:

      AdminTask.requestCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -caClientName myCAClient -revocationPassword revokeCApw -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')

    The command returns one of two values: Certificate COMPLETE or certificate PENDING. If the command returns the Certificate COMPLETE message, the certificate authority returned the requested certificate and the default personal certificate is replaced. If the command returns the certificate PENDING message, the certificate authority did not yet return a certificate. Use the queryCACertificate command to view the current status of the certificate request, as the following example demonstrates:

      AdminTask.queryCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')
  6. Replace the server default personal certificate.

    Use the following replaceCertificate command example to replace the existing default personal certificate with the newly created CA personal certificate:

      AdminTask.replaceCertificate('-keyStoreName CellDefaultKeyStore -certificateAlias defaultPersonalCertificate -replacementCertificateAlias newCertificate')

  7. Save your configuration changes.

    Use the following command example to save your configuration changes:

      AdminConfig.save()

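The whole procedure in one script, as an added example that is not part of the IBM page and not WebSphere's own code. It covers step 2 (reading the listCAClients attribute-list output to confirm the CA client exists) and steps 5 to 7 (request, poll while PENDING, replace, save), and only replaces the default certificate and saves the configuration once the CA has actually returned COMPLETE. AdminTask and AdminConfig exist only inside wsadmin, so the helpers take them as arguments and constructed stand-ins supply them offline; the alias, keystore and CA client names are the page's, while the stand-ins' reply format and PENDING-then-COMPLETE behaviour are assumptions. It avoids constructs missing from older Jython releases so the same functions can be pasted into a wsadmin session.

```python
# Added example, not from the IBM page: drives the page's wsadmin procedure
# end to end. Pass wsadmin's real AdminTask and AdminConfig in a session;
# the Fake* classes below are constructed stand-ins for running offline.
import re

CA_CLIENT = 'myCAClient'
KEYSTORE = 'CellDefaultKeyStore'
OLD_ALIAS = 'defaultPersonalCertificate'  # alias the page's replaceCertificate example replaces
NEW_ALIAS = 'newCertificate'
IMPL_CLASS = 'com.ibm.wsspi.ssl.WSPKIClient'


def parse_attribute_list(text):
    """Turn one wsadmin attribute list, e.g. '[ [name myCAClient] [host ] ]',
    into a dict. Empty values such as '[host ]' become ''."""
    attrs = {}
    for key, value in re.findall(r'\[(\w+) ([^\]]*)\]', text):
        attrs[key] = value.strip()
    return attrs


def ca_client_names(listing):
    """Names of all CA clients in listCAClients output. One attribute list per
    line is assumed, as the page's example output shows."""
    names = []
    for line in listing.splitlines():
        name = parse_attribute_list(line).get('name')
        if name:
            names.append(name)
    return names


def install_ca_default_certificate(admin_task, admin_config, revocation_password, poll_limit=5):
    """Steps 2, 5, 6 and 7 of the page. Returns the final request status; the
    default certificate is replaced and the configuration saved only when the
    CA has issued the certificate (COMPLETE), never on a PENDING request."""
    if CA_CLIENT not in ca_client_names(admin_task.listCAClients('-all true')):
        raise RuntimeError('CA client %s is not configured; create it first' % CA_CLIENT)
    # The revocation password is a secret: pass it in, do not hard-code it in scripts.
    status = admin_task.requestCACertificate(
        '-certificateAlias %s -keyStoreName %s -caClientName %s '
        '-revocationPassword %s -pkiClientImplClass %s'
        % (NEW_ALIAS, KEYSTORE, CA_CLIENT, revocation_password, IMPL_CLASS))
    polls = 0
    while status.find('PENDING') >= 0 and polls < poll_limit:
        status = admin_task.queryCACertificate(
            '-certificateAlias %s -keyStoreName %s -pkiClientImplClass %s'
            % (NEW_ALIAS, KEYSTORE, IMPL_CLASS))
        polls += 1
    if status.find('COMPLETE') < 0:
        return status  # still pending: keep the old default in place, save nothing
    admin_task.replaceCertificate(
        '-keyStoreName %s -certificateAlias %s -replacementCertificateAlias %s'
        % (KEYSTORE, OLD_ALIAS, NEW_ALIAS))
    admin_config.save()
    return status


class FakeAdminTask:
    """Constructed stand-in for AdminTask: answers in the page's attribute-list
    format, reports PENDING until complete_after queries have been made, and
    records every call so the sequence can be checked."""
    def __init__(self, complete_after=2):
        self.complete_after = complete_after
        self.queries = 0
        self.calls = []

    def listCAClients(self, args):
        self.calls.append('listCAClients')
        return ("'[ [name jenCAClient] [port 2950] [host ] [scopeName (cell):myCell01] ]'\n"
                "'[ [name myCAClient] [port 2951] [host ] [scopeName (cell):myCell01] ]'")

    def requestCACertificate(self, args):
        self.calls.append('requestCACertificate')
        return 'certificate PENDING'

    def queryCACertificate(self, args):
        self.calls.append('queryCACertificate')
        self.queries += 1
        if self.queries >= self.complete_after:
            return 'Certificate COMPLETE'
        return 'certificate PENDING'

    def replaceCertificate(self, args):
        self.calls.append('replaceCertificate')
        return ''


class FakeAdminConfig:
    """Constructed stand-in for AdminConfig; only records whether save() ran."""
    def __init__(self):
        self.saved = False

    def save(self):
        self.saved = True


if __name__ == '__main__':
    task, config = FakeAdminTask(), FakeAdminConfig()
    print(install_ca_default_certificate(task, config, 'revokeCApw'))  # Certificate COMPLETE
```

In a real session, call `install_ca_default_certificate(AdminTask, AdminConfig, password)` and read the password from a prompt or a protected file rather than the script text; a CA that answers PENDING for longer than the poll limit simply leaves the existing default certificate untouched, and the request can be queried again later with queryCACertificate.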
Results

The default personal certificate for the server is a certificate that is created by an external CA.

If the CA client object was successfully created, then we can configure the application server to use a personal certificate created by an external CA.


Related


Configure certificate authority client objects using wsadmin
Create certificate authority (CA) personal certificates using wsadmin
Start the wsadmin scripting client using wsadmin.sh


Reference:

CAClientCommands command group for AdminTask
PersonalCertificateCommands command group for AdminTask
