KeyStoreCommands

Use the Jython or Jacl scripting languages to configure keystores with the wsadmin tool. A keystore is created by the application server during installation and can contain cryptographic keys or certificates. The commands in the KeyStoreCommands group can be used to create, delete, and manage keystores.

The KeyStoreCommandscommands include:

• changeKeyStorePassword
• changeMultipleKeyStorePasswords
• createKeyStore
• createCMSKeyStore
• deleteKeyStore
• exchangeSigners
• getKeyStoreInfo
• listKeyFileAliases
• listKeyStores
• listKeyStoreTypes
• listSignatureAlgorithms
• modifyKeyStore

changeKeyStorePassword

Modify the password of a keystore. The command automatically saves the new password to the configuration.

Required parameters:

-keyStoreName

Name of the keystore that needs a password change. (String, required)

-keyStorePassword

Name of the password to change. (String, required)

-newKeyStorePassword

New password that to use to access the keystore. (String, required)

-newKeyStorePasswordVerify

New password to confirm the new keystore password. (String, required)

Optional parameters:

-scopeName

Management scope of the keystore. (String, optional)

Examples

Batch mode example usage:

• Jacl:
  $AdminTask changeKeyStorePassword {-keystoreName myKeystore -keyStorePassword WebAS -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd}

• Jython string:
  AdminTask.changeKeyStorePassword('[-keystoreName myKeystore -keyStorePassword WebAS -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd]')

• Jython list:
  AdminTask.changeKeyStorePassword(['-keystoreName', 'myKeystore', '-keyStorePassword', 'WebAS', '-newKeyStorePassword', 'newpwd', '-newKeyStorePasswordVerify', 'newpwd'])

Interactive mode example usage:

• Jacl:
  $AdminTask changeKeyStorePassword {-interactive}

• Jython:
  AdminTask.changeKeyStorePassword('-interactive')

changeMultipleKeyStorePasswords

Update the passwords for each keystores in the configuration that has a specific password. This is useful because when we create keystore files on the system, they will have WebAS as a password by default.

Required parameters:

-keyStorePassword

Name of the password to change. (String, required)

-newKeyStorePassword

New password that we will use to access the keystore. (String, required)

-newKeyStorePasswordVerify

Confirms the new keystore password. (String, required)

Optional parameters: None.

Examples

Batch mode example usage:

• Jacl:
  $AdminTask changeMultipleKeyStorePasswords {-keyStorePassword WebAS -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd}

• Jython string:
  AdminTask.changeMultipleKeyStorePasswords('[-keyStorePassword WebAS -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd]')

• Jython list:
  AdminTask.changeMultipleKeyStorePasswords(['-keyStorePassword', 'WebAS', '-newKeyStorePassword', 'newpwd', '-newKeyStorePasswordVerify', 'newpwd'])

Interactive mode example usage:

• Jacl:
  $AdminTask changeMultipleKeyStorePasswords {-interactive}

• Jython:
  AdminTask.changeMultipleKeyStorePasswords('-interactive')

createKeyStore

Create the keystore settings in the configuration and the keystore database.

Required parameters:

-keyStoreName

The name that uniquely identifies the keystore configuration object. (String, required)

-keyStoreType

The implementation of the keystore management. (String, required)

-keyStoreLocation

The location of the keystore. For file based, the location is the files system path to the keystore database. For hardware keystore, the location is the path to the token library. (String, required)

(iSeries) If we create the IBMi5OSKeyStore keystore, the keystore location must include the .kdb file extension.

-keyStorePassword

The password that protects the keystore. (String, required)

-keyStorePasswordVerify

The password that protects the keystore. (String, required)

Optional parameters:

-keyStoreProvider

The provider used to implement the keystore. (String, optional)

-keyStoreIsFileBased

Set value to true if the keystore is file based. Set the value of this parameter to false for hardware crypto keystores. (Boolean, optional)

-keyStoreHostList

A list of host names that indicate from where the keystore is remotely managed, separated by commas. (String, optional)

-keyStoreInitAtStartup

Set value to true if the keystore is initialized at startup. Otherwise, set value to false. (Boolean, optional)

-keyStoreReadOnly

Set value to true if we cannot write to the keystore. Otherwise, set value to false. (Boolean, optional)

-keyStoreStashFile

Set value to true to create stash files for CMS type keystore. Otherwise, set value to false. (Boolean, optional)

-enableCryptoOperations

Specifies if the keystore object will be used for hardware cryptographic operations or not. The default is false. (Boolean, optional)

-keyStoreDescription

Specifies user-defined text to describe the keystore of interest. (String, optional)

-keyStoreUsage

Keystore usage of interest. Specify SSLKeys, KeySetKeys, RootKeys, DeletedKeys, DefaultSigners, or RSATokenKeys. (String, optional)

-scopeName

The name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)

-controlRegionUser

Control region user to create a writable keystore object for the control regions key ring. Specify this option for SAF key rings when SAF writable key rings is enabled. (String, optional)

-servantRegionUser

Servant region user to create a writable keystore object for the servant regions key ring. Specify this option for SAF key rings when SAF writable key rings is enabled. (String, optional)

Examples

Batch mode example usage:

• Jacl:
  $AdminTask createKeyStore {-keyStoreName testKS -keyStoreType JCEKS -keyStoreLocation c:/temp/testKeyFile.p12 -keyStorePassword testpwd -keyStorePasswordVerify testpwd -keyStoreIsFileBased true -keyStoreInitAtStartup true -keyStoreReadOnly false}

• Jython string:
  AdminTask.createKeyStore('[-keyStoreName testKS -keyStoreType JCEKS -keyStoreLocation c:/temp/testKeyFile.p12 -keyStorePassword testpwd -keyStorePasswordVerify testpwd -keyStoreIsFileBased true -keyStoreInitAtStartup true -keyStoreReadOnly false]')

• Jython list:
  AdminTask.createKeyStore(['-keyStoreName', 'testKS', '-keyStoreLocation', '-keyStoreType', 'JCEKS', 'c:/temp/testKeyFile.p12', '-keyStorePassword', 'testpwd', '-keyStorePasswordVerify', 'testpwd', '-keyStoreIsFileBased', 'true', '-keyStoreInitAtStartup', 'true', '-keyStoreReadOnly', 'false'])

Interactive mode example usage:

• Jacl:
  $AdminTask createKeyStore {-interactive}

• Jython:
  AdminTask.createKeyStore('-interactive')

createCMSKeyStore

Create a CMS keystore database and the keystore settings in the configuration.

Required parameters:

-cmsKeyStoreURI

The URI of the CMS keystore. (String, required)

-pluginHostName

The host name of the plug-in. (String, required)

Optional parameters: None.

Examples

Batch mode example usage:

• Jacl:
  $AdminTask createCMSKeyStore {-cmsKeyStoreURI CMSKeystoreURI -pluginHostName myHostName}

• Jython string:
  AdminTask.createCMSKeyStore('-cmsKeyStoreURI CMSKeystoreURI -pluginHostName myHostName')

• Jython list:
  AdminTask.createCMSKeyStore(['-cmsKeyStoreURI', 'CMSKeystoreURI', '-pluginHostName', 'myHostName'])

Interactive mode example usage:

• Jacl:
  $AdminTask createCMSKeyStore {-interactive}

• Jython:
  AdminTask.createCMSKeyStore('-interactive')

deleteKeyStore

Delete the settings of a keystore from the configuration and the keystore file.

Required parameters:

-keyStoreName

The name that uniquely identifies the keystore to delete. (String, required)

Optional parameters:

-scopeName

The name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)

-removeKeyStoreFile

Remove the keystore file. Specify true to remove the keystore file or false to keep the keystore file in the configuration. (Boolean, optional)

Examples

Batch mode example usage:

• Jacl:
  $AdminTask deleteKeyStore {-keyStoreName testKS}

• Jython string:
  AdminTask.deleteKeyStore('[-keyStoreName testKS]')

• Jython list:
  AdminTask.deleteKeyStore(['-keyStoreName', 'testKS'])

Interactive mode example usage:

• Jacl:
  $AdminTask deleteKeyStore {-interactive}

• Jython:
  AdminTask.deleteKeyStore('-interactive')

exchangeSigners

Exchange signer certificate between keystores.

Required parameters:

-keyStoreName1

The name that uniquely identifies a keystore. Specify a second keystore name using the keyStoreName2 parameter. (String, required)

-keyStoreName2

The name that uniquely identifies a keystore. Specify a second keystore name using the keyStoreName1 parameter. (String, required)

Optional parameters:

-keyStoreScope1

The scope name of the keystore specified with the keyStoreName1 parameter. (String, optional)

-keyStoreScope2

The scope name of the keystore specified with the keyStoreName2 parameter. (String, optional)

-certificateAlaisList1

A list of aliases separated by a comma. (String, optional)

-certificateAliasList2

A list of aliases separated by a comma. (String, optional)

Examples

Batch mode example usage:

• Jacl:
  $AdminTask exchangeSigners {-keyStoreName1 testKS -certificateAliasList1 testCert1 -keyStoreName2 secondKS -certificateAlaisList2 certAlis}

• Jython string:
  AdminTask.exchangeSigners('[-keyStoreName1 testKS -certificateAliasList1 testCert1 -keyStoreName2 secondKS -certificateAlaisList2 certAlis]')

• Jython list:
  AdminTask.exchangeSigners(['-keyStoreName1', 'testKS', '-certificateAliasList1', 'testCert1', '-keyStoreName2', 'secondKS', '-certificateAlaisList2', 'certAlis'])

Interactive mode example usage:

• Jacl:
  $AdminTask exchangeSigners {-interactive}

• Jython:
  AdminTask.exchangeSigners('-interactive')

getKeyStoreInfo

Display the settings of a particular keystore.

Required parameters:

-keyStoreName

The name that uniquely identifies the keystore. (String, required)

Optional parameters:

-scopeName

The name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)

Examples

Batch mode example usage:

• Jacl:
  $AdminTask getKeyStoreInfo {-name testKS}

• Jython string:
  AdminTask.getKeyStoreInfo('[-name testKS]')

• Jython list:
  AdminTask.getKeyStoreInfo(['-name', 'testKS'])

Interactive mode example usage:

• Jacl:
  $AdminTask getKeyStoreInfo {-interactive}

• Jython:
  AdminTask.getKeyStoreInfo('-interactive')

listKeyFileAliases

List the certificates in a keystore file.

Required parameters:

-keyFilePath

The path of the key file. (String, required)

-keyFilePassword

The password for the key file. (String, required)

-keyFileType

The key file type. (String, required)

Optional parameters: None.

Examples

Batch mode example usage:

• Use Jacl:

  (Windows)

  $AdminTask listKeyFileAliases {-keyFilePath c:/temp/testKeyFile.p12 -keyFilePassword testPwd -keyFileType PKCS12}

  (iSeries) (ZOS) (HPUX) (Solaris) (AIX) (Linux)

  $AdminTask listKeyFileAliases {-keyFilePath /temp/testKeyFile.p12 -keyFilePassword testPwd -keyFileType PKCS12}

• Use Jython string:

  (Windows)

  AdminTask.listKeyFileAliases('[-keyFilePaht c:/temp/testKeyFile.p12 -keyFilePassword testPwd -keyFileType PKCS12]')

  (iSeries) (ZOS) (HPUX) (Solaris) (AIX) (Linux)

  AdminTask.listKeyFileAliases('[-keyFilePaht /temp/testKeyFile.p12 -keyFilePassword testPwd -keyFileType PKCS12]')

• Use Jython list:

  (Windows)

  AdminTask.listKeyFileAliases(['-keyFilePaht', 'c:/temp/testKeyFile.p12', '-keyFilePassword', 'testPwd', '-keyFileType', 'PKCS12'])

  (iSeries) (ZOS) (HPUX) (Solaris) (AIX) (Linux)

  AdminTask.listKeyFileAliases(['-keyFilePaht', '/temp/testKeyFile.p12', '-keyFilePassword', 'testPwd', '-keyFileType', 'PKCS12'])

Interactive mode example usage:

• Jacl:
  $AdminTask listKeyFileAliases {-interactive}

• Jython:
  AdminTask.listKeyFileAliases('-interactive')

listKeyStores

List the keystore for a particular scope.

Required parameters: None.

Optional parameters

-scopeName

Name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)

-all

Specify the value of this parameter as true to list all keystores. This parameter overrides the scopeName parameter. The default is false. (Boolean, optional)

-keyStoreUsage

Keystore usage of interest. Specify SSLKeys, KeySetKeys, RootKeys, DeletedKeys, DefaultSigners, or RSATokenKeys. (String, optional)

Examples

Batch mode example usage:

• Jacl:
  $AdminTask listKeyStores

• Jython:
  AdminTask.listKeyStores()

Interactive mode example usage:

• Jacl:
  $AdminTask listKeyStores {-interactive}

• Jython:
  AdminTask.listKeyStores('-interactive')

listKeyStoreTypes

List all valid keystore types.

Required parameters: None.

Optional parameters: None.

Examples

Batch mode example usage:

• Jacl:
  $AdminTask listKeyStoreTypes

• Jython:
  AdminTask.listKeyStoreTypes()

Interactive mode example usage:

• Jacl:
  $AdminTask listKeyStoreTypes {-interactive}

• Jython string:
  AdminTask.listKeyStoreTypes('-interactive')

listSignatureAlgorithms

List the signature algorithms that are valid for the current security level configured. If a security standard is not enabled, all signature algorithms are returned; otherwise, the valid signature algorithms for the configured security level are returned.

Required parameters: None.

Optional parameters: None.

Security mode	Available signature algorithms
Fips not enabled	SHA1withRSA SHA1withDSA SHA256withRSA SHA384withRSA SHA512withRSA SHA256withECDSA SHA384withECDSA SHA512withECDSA Note: SHA512withECDSA requires Java unrestricted policy installed.
FIPS140-2	SHA1withRSA SHA1withDSA SHA256withRSA SHA384withRSA SHA512withRSA
SP800-131 - Transition	SHA1withRSA SHA1withDSA SHA256withRSA SHA384withRSA SHA512withRSA SHA256withECDSA SHA384withECDSA SHA512withECDSA Note: SHA512withECDSA requires Java unrestricted policy installed.
SP800-131 - Strict	SHA256withRSA SHA384withRSA SHA512withRSA SHA256withECDSA SHA384withECDSA SHA512withECDSA Note: SHA512withECDSA requires Java unrestricted policy installed.
Suite B 128	SHA256withECDSA
Suite B 192	SHA256withECDSA SHA384withECDSA

modifyKeyStore

Modify attributes for an existing keystore. Only some keystore attributes are modifiable, depending on what we are modifying. Use the following guidelines to use the command:

• To use this command to change the keystore file that the keystore object references, specify the keyStoreName, keyStoreLocation, keyStoreType, and keyStorePassword parameters.

Required parameters:

-keyStoreName

Unique name that identifies the keystore. (String, required)

Optional parameters:

-scopeName

Management scope of the keystore. (String, optional)

-keyStoreProvider

Provider for the keystore. (String, optional)

-keyStoreType

One of the predefined keystore types. Valid values are JCEKS, CMSKS, PKCS12, PKCS11, and JKS. (String, optional)

-keyStoreLocation

Fully qualified location of the keystore file. To modify the location of the keystore file, specify the keyStoreLocation, keyStoreType, keyStorePassword, and keyStoreName parameters. (String, optional)

-keyStorePassword

Password to open the keystore. Use the changeKeystorePassword command to change the password of the keystore. (String, optional)

-keyStoreIsFileBased

Specifies whether the keystore is file-based. To modify whether the keystore is file-based, specify the keyStoreIsFileBased and keyStoreName parameters. (Boolean, optional)

-keyStoreInitAtStartup

Specifies whether the keystore initiates at server startup. To modify whether the keystore initiates at server startup, specify the keyStoreInitAtStartup and keyStoreName parameters. (Boolean, optional)

-keyStoreReadOnly

Specifies whether the keystore is writable. To modify whether the keystore is read-only, specify the keyStoreReadOnly and keyStoreName parameters. (Boolean, optional)

-keyStoreDescription

Specifies a statement that describes the keystore. To modify the keystore description, specify the keyStoreDescription and keyStoreName parameters. (String, optional)

-keyStoreUsage

Keystore usage of interest. Specify SSLKeys, KeySetKeys, RootKeys, DeletedKeys, DefaultSigners, or RSATokenKeys. (String, optional)

Examples

Batch mode example usage:

• Jacl:
  $AdminTask modifyKeyStore {-keyStoreName CellDefaultKeyStore -keyStoreLocation c:/temp/testKeyFile.p12 -keyStoreType JCEKS -keyStorePassword my1password}

  (ZOS)

  $AdminTask modifyKeyStore {-keyStoreName CellDefaultKeyStore -keyStoreLocation /temp/testKeyFile.p12 -keyStoreType JCEKS -keyStorePassword my1password}

• Jython:
  AdminTask.modifyKeyStore('-keyStoreName CellDefaultKeyStore -keyStoreLocation c:/temp/testKeyFile.p12 -keyStoreType JCEKS -keyStorePassword my1password')

  (ZOS)

  AdminTask.modifyKeyStore('keyStoreName CellDefaultKeyStore -keyStoreLocation /temp/testKeyFile.p12 -keyStoreType JCEKS -keyStorePassword my1password')

Interactive mode example usage:

• Jacl:
  $AdminTask modifyKeyStore {-interactive}

• Jython:
  AdminTask.modifyKeyStore('-interactive')

Related:

Key management for cryptographic uses

wsadmin AdminTask

Automating SSL configurations using scripting

Create an SSL configuration at the node scope using scripting

Use wsadmin scripting with Jython