SSLConfigCommands
Use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands in the SSLConfigCommands group can be used to manage SSL configurations and properties.
The SSLConfigCommands commands include:
- createSSLConfig
- createSSLConfigProperty
- deleteSSLConfig
- getInheritedSSLConfig
- getSSLConfig
- getSSLConfigProperties
- listSSLCiphers
- listSSLConfigs
- listSSLConfigProperties
- listSSLProtocolTypes
- listSSLRepertoires
- modifySSLConfig
createSSLConfig
Create an SSL configuration based on key store and trust store settings. Use the SSL configuration settings to make the SSL connections.
Target object: None.
Required parameters:
- -alias The name of the alias. (String, required)
- -trustStoreName The key store that holds trust information used to validate the trust from remote connections. (String, required)
- -keyStoreName The key store that holds the personal certificates that provide identity for the connection. (String, required)
Optional parameters:
- -scopeName The name of the scope. (String, optional)
- -clientKeyAlias The certificate alias name for the client. (String, optional)
- -serverKeyAlias The certificate alias name for the server. (String, optional)
- -type The type of SSL configuration. (String, optional)
- -clientAuthentication Set value to true to request client authentication. Otherwise, set value to false. (Boolean, optional)
- -securityLevel The cipher group to use. Valid values include: HIGH, MEDIUM, LOW, and CUSTOM. (String, required)
- -enabledCiphers A list of ciphers used during SSL handshake. (String, optional)
- -jsseProvider One of the JSSE providers. (String, optional)
- -clientAuthenticationSupported Set value to true to support client authentication. Otherwise, set value to false. (Boolean, optional)
- -sslProtocol The protocol type for the SSL handshake. Valid values include: SSL_TLSv2, TLS, TLSv1, TLSv1.1, TLSv1.2, SSL_TLS, SSL, SSLv2, SSLv3 (String, optional)
- -trustManagerObjectNames A list of trust managers separated by commas. (String, optional)
- -trustStoreScopeName The management scope name of the trust store. (String, optional)
- -keyStoreScopeName The management scope name of the key store. (String, optional)
- -keyManagerName Name of the Key Manager. (String, optional)
- -keyManagerScopeName Scope of the key manager. (String, optional)
- -ssslKeyRingName Specifies a system SSL (SSSL) key ring name. The value for this parameter has no effect unless the SSL configuration type is SSSL. (String, optional)
- -v3timeout Time out in seconds for System SSL configuration types. Values range from 1 to 86400. (String, optional)
Example output
The command returns the configuration object name of the new SSL configuration object.
Examples:
Batch mode example usage:
- Use Jacl:
$AdminTask createSSLConfig {-alias testSSLCfg -clientKeyAlias key1 -serverKeyAlias key2 -trustStoreName trustKS -keyStoreName testKS -keyManagerName testKeyMgr}
- Use Jython string:
AdminTask.createSSLConfig('[-alias testSSLCfg -clientKeyAlias key1 -serverKeyAlias key2 -trustStoreName trustKS -keyStoreName testKS -keyManagerName testKeyMgr]')
- Use Jython list:
AdminTask.createSSLConfig(['-alias', 'testSSLCfg', '-clientKeyAlias', 'key1', '-serverKeyAlias', 'key2', '-trustStoreName', 'trustKS', '-keyStoreName', 'testKS', '-keyManagerName', 'testKeyMgr'])
Interactive mode example usage:
- Use Jacl:
$AdminTask createSSLConfig {-interactive}
- Use Jython:
AdminTask.createSSLConfig('-interactive')
createSSLConfigProperty
Create a property for an SSL configuration. Use this command to set SSL configuration settings that are different than the settings in the SSL configuration object.
Target object: None.
Required parameters:
- -sslConfigAliasName The alias name of the SSL configuration. (String, required)
- -propertyName The name of the property. (String, required)
- -propertyValue The value of the property. (String, required)
Optional parameters:
- -scopeName The name of the scope. (String, optional)
Example output
The command does not return output.
Examples:
Batch mode example usage:
- Use Jacl:
$AdminTask createSSLConfigProperty {-sslConfigAliasName NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01 -propertyName test.property -propertyValue testValue}
- Use Jython string:
AdminTask.createSSLConfigProperty('[-sslConfigAliasName NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01 -propertyName test.property -propertyValue testValue]')
- Use Jython list:
AdminTask.createSSLConfigProperty(['-sslConfigAliasName', 'NodeDefaultSSLSettings', '-scopeName', '(cell):localhostNode01Cell:(node):localhostNode01', '-propertyName', 'test.property', '-propertyValue', 'testValue'])
Interactive mode example usage:
- Use Jacl:
$AdminTask createSSLConfigProperty {-interactive}
- Use Jython:
AdminTask.createSSLConfigProperty('-interactive')
deleteSSLConfig
Delete the SSL configuration object specified from the configuration.
Target object: None.
Required parameters and return values
- -alias The name of the alias. (String, required)
Optional parameters:
- -scopeName The name of the scope. (String, optional)
Example output
The command does not return output.
Examples:
Batch mode example usage:
- Use Jacl:
$AdminTask deleteSSLConfig {-alias NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01}
- Use Jython string:
AdminTask.deleteSSLConfig('[-alias NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01]')
- Use Jython list:
AdminTask.deleteSSLConfig(['-alias', 'NodeDefaultSSLSettings', '-scopeName', '(cell):localhostNode01Cell:(node):localhostNode01'])
Interactive mode example usage:
- Use Jacl:
$AdminTask deleteSSLConfig {-interactive}
- Use Jython:
AdminTask.deleteSSLConfig('-interactive')
getInheritedSSLConfig
Return the SSL configuration alias and certificate alias from which a given management scope and direction inherits its SSL configuration information. This command only returns inheritance information; it does not return information about the SSL configuration that is effective for a given scope.
For example, by default in a Network Deployment environment, different SSL configurations are effective at the cell and node levels. If we issue the getInheritedSSLConfig command, specifying the node's management scope, we get the name of the SSL configuration for the cell, not the effective SSL configuration of the node, because the node inherits its configuration information from the cell.
Target object: None.
Required parameters and return values
- -scopeName The name of the management scope for which we want to find out where that management scope will inherit its SSL configuration. (String, required)
Optional parameters: None.
Example output
The command returns the SSL configuration alias and certificate alias from which the specified management scope and direction inherits its SSL configuration information.
Examples:
- Use Jacl:
$AdminTask getInheritedSSLConfig {-scopeName (cell):localhostNode01Cell:(node):localhostNode01 -direction inbound}
Output: CellDefaultSSLSettings,null
- Use Jython string:
AdminTask.getInheritedSSLConfig('[-scopeName (cell):localhostNode01Cell:(node):localhostNode01 -direction inbound]')
Output: CellDefaultSSLSettings,null
getSSLConfig
Obtain information about an SSL configuration and display the settings.
Target object: None.
Required parameters and return values
- -alias The name of the alias. (String, required)
Optional parameters:
- -scopeName The name of the scope. (String, optional)
Example output:
The command returns information about the SSL configuration of interest.
Examples:
Batch mode example usage:
- Use Jacl:
$AdminTask getSSLConfig {-alias NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01}
- Use Jython string:
AdminTask.getSSLConfig('[-alias NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01]')
- Use Jython list:
AdminTask.getSSLConfig(['-alias', 'NodeDefaultSSLSettings', '-scopeName', '(cell):localhostNode01Cell:(node):localhostNode01'])
Interactive mode example usage:
- Use Jacl:
$AdminTask getSSLConfig {-interactive}
- Use Jython:
AdminTask.getSSLConfig('-interactive')
getSSLConfigProperties
Obtain information about SSL configuration properties.
Target object: None.
Required parameters and return values
- -alias The name of the alias. (String, required)
Optional parameters:
- -scopeName The name of the scope. (String, optional)
Example output
The command returns additional information about the SSL configuration properties.
Examples:
Batch mode example usage:
- Use Jacl:
$AdminTask getSSLConfigProperties {-sslConfigAliasName NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01}
- Use Jython string:
AdminTask.getSSLConfigProperties('[-sslConfigAliasName NodeDefaultSSLSettings -scopeName (cell):localhostNode01Cell:(node):localhostNode01]')
- Use Jython list:
AdminTask.getSSLConfigProperties(['-sslConfigAliasName', 'NodeDefaultSSLSettings', '-scopeName', '(cell):localhostNode01Cell:(node):localhostNode01'])
Interactive mode example usage:
- Use Jacl:
$AdminTask getSSLConfigProperties {-interactive}
- Use Jython:
AdminTask.getSSLConfigProperties('-interactive')
listSSLCiphers
List the SSL ciphers.
Target object: None.
Required parameters:
- -securityLevel The cipher group to use. Valid values include: HIGH, MEDIUM, LOW, and CUSTOM. (String, required)
Optional parameters:
- -sslConfigAliasName The alias name of the SSL configuration. (String, optional)
- -scopeName The name of the scope. (String, optional)
Example output
The command returns a list of SSL ciphers.
Examples:
Batch mode example usage:
- Use Jacl:
$AdminTask listSSLCiphers {-sslConfigAliasName testSSLCfg -securityLevel HIGH}
- Use Jython string:
AdminTask.listSSLCiphers('[-sslConfigAliasName testSSLCfg -securityLevel HIGH]')
- Use Jython list:
AdminTask.listSSLCiphers(['-sslConfigAliasName', 'testSSLCfg', '-securityLevel', 'HIGH'])
Interactive mode example usage:
- Use Jacl:
$AdminTask listSSLCiphers {-interactive}
- Use Jython:
AdminTask.listSSLCiphers('-interactive')
listSSLConfigs
List the SSL configurations defined within a management scope.
Target object: None.
Optional parameters:
- -scopeName The name of the scope. (String, optional)
- -displayObjectName Set value to true to list the SSL configuration objects within the scope. Set the value of this parameter to false to list the strings that contain the SSL configuration alias and management scope. (Boolean, optional)
- -all Specify the value of this parameter as true to list all SSL configurations. This parameter overrides the scopeName parameter. The default is false. (Boolean, optional)
Example output
The command returns a list of defined SSL configurations.
Examples:
Batch mode example usage:
- Use Jacl:
$AdminTask listSSLConfigs {-scopeName (cell):localhostNode01Cell:(node):localhostNode01 -displayObjectName true}
- Use Jython string:
AdminTask.listSSLConfigs('[-scopeName (cell):localhostNode01Cell:(node):localhostNode01 -displayObjectName true]')
- Use Jython list:
AdminTask.listSSLConfigs(['-scopeName', '(cell):localhostNode01Cell:(node):localhostNode01', '-displayObjectName', 'true'])
Interactive mode example usage:
- Use Jacl:
$AdminTask listSSLConfigs {-interactive}
- Use Jython:
AdminTask.listSSLConfigs('-interactive')
listSSLConfigProperties
List the properties for an SSL configuration.
Target object: None.
Required parameters:
- -alias The alias name of the SSL configuration. (String, required)
Optional parameters:
- -scopeName The name of the scope. (String, optional)
- -displayObjectName Set value to true to list the SSL configuration objects within the scope. Set the value of this parameter to false to list the strings that contain the SSL configuration alias and management scope. (Boolean, optional)
Example output
Return SSL configuration properties.
Examples:
Batch mode example usage:
- Use Jacl:
$AdminTask listSSLConfigProperties {-alias SSL123 -scopeName (cell):localhostNode01Cell:(node):localhostNode01 -displayObjectName true}
- Use Jython string:
AdminTask.listSSLConfigProperties('[-alias SSL123 -scopeName (cell):localhostNode01Cell:(node):localhostNode01 -displayObjectName true]')
- Use Jython list:
AdminTask.listSSLConfigProperties(['-alias', 'SSL123', '-scopeName', '(cell):localhostNode01Cell:(node):localhostNode01', '-displayObjectName', 'true'])
Interactive mode example usage:
- Use Jacl:
$AdminTask listSSLConfigProperties {-interactive}
- Use Jython:
AdminTask.listSSLConfigProperties('-interactive')
listSSLProtocolTypes
List the SSL protocols valid for the current configured security level. If a security standard is not enabled, the full list of valid protocols is returned. Otherwise, the list of appropriate protocols for the configured security level is returned.
Target object: None.
Required parameters: None.
Returns
This command lists all available protocols for the current FIPS level.
Available protocol types by security mode:
- FIPS not enabled: SSL_TLS, SSL, SSLv2, SSLv3, TLS, TLSv1, SSL_TLSv2, TLSv1.1, TLSv1.2
- FIPS140-2: TLS, TLSv1, TLSv1.1, TLSv1.2
- SP800-131 - Transition: TLS, TLSv1, TLSv1.1, TLSv1.2
- SP800-131 - Strict: TLSv1.2
- Suite B 128: TLSv1.2
- SP800-131 - Suite B 192: TLSv1.2
Examples:
Batch mode example usage:
- Use Jacl:
$AdminTask listSSLProtocolTypes
Output: TLSv1.2
listSSLRepertoires
List all of the SSL configuration instances that we can associate with an SSL inbound channel.
If we create a new SSL alias using the administrative console, the alias name is automatically created in the node/alias_name format. However, if we create a new SSL alias using the wsadmin tool, create the SSL alias and specify both the node name and alias name in the node/alias_name format.
Target object: SSLInboundChannel instance for which the SSLConfig candidates are listed.
Required parameters: None.
Optional parameters: None.
Sample output
The command returns a list of eligible SSL configuration object names.
Examples:
Batch mode example usage:
- Use Jacl:
$AdminTask listSSLRepertoires SSL_3(cells/mybuildCell01/nodes/mybuildNode01/servers/server2|server.xml#SSLInboundChannel_1093445762330)
- Use Jython string:
print AdminTask.listSSLRepertoires('SSL_3(cells/mybuildCell01/nodes/mybuildNode01/servers/server2|server.xml#SSLInboundChannel_1093445762330)')
- Use Jython list:
print AdminTask.listSSLRepertoires('SSL_3(cells/mybuildCell01/nodes/mybuildNode01/servers/server2|server.xml#SSLInboundChannel_1093445762330)')
Interactive mode example usage:
- Use Jacl:
$AdminTask listSSLRepertoires {-interactive}
- Use Jython:
print AdminTask.listSSLRepertoires('-interactive')
modifySSLConfig
Modify the settings of an existing SSL configuration.
Target object: None.
Required parameters:
- -alias The name of the alias. (String, required)
Optional parameters:
- -scopeName The name of the scope. (String, optional)
- -clientKeyAlias The certificate alias name for the client. (String, optional)
- -serverKeyAlias The certificate alias name for the server. (String, optional)
- -clientAuthentication Set value to true to request client authentication. Otherwise, set value to false. (Boolean, optional)
- -securityLevel The cipher group to use. Valid values include: HIGH, MEDIUM, LOW, and CUSTOM. (String, required)
- -enabledCiphers A list of ciphers used during SSL handshake. (String, optional)
- -jsseProvider One of the JSSE providers. (String, optional)
- -clientAuthenticationSupported Set value to true to support client authentication. Otherwise, set value to false. (Boolean, optional)
- -sslProtocol The protocol type for the SSL handshake. Valid values include: SSL_TLSv2, TLS, TLSv1, TLSv1.1, TLSv1.2, SSL_TLS, SSL, SSLv2, SSLv3 (String, optional)
- -trustManagerObjectNames A list of trust managers separated by commas. (String, optional)
- -trustStoreName The key store that holds trust information used to validate the trust from remote connections. (String, optional)
- -trustStoreScopeName The management scope name of the trust store. (String, optional)
- -keyStoreName The key store that holds the personal certificates that provide identity for the connection. (String, optional)
- -keyStoreScopeName The management scope name of the key store. (String, optional)
- -keyManagerName Name of the Key Manager. (String, optional)
- -keyManagerScopeName Scope of the key manager. (String, optional)
- -ssslKeyRingName Specifies a system SSL (SSSL) key ring name. The value for this parameter has no effect unless the SSL configuration type is SSSL. (String, optional)
- -v3timeout Time out in seconds for System SSL configuration types. Values range from 1 to 86400. (String, optional)
Example output
The command does not return output.
Examples:
Batch mode example usage:
- Use Jacl:
$AdminTask modifySSLConfig {-alias testSSLCfg -clientKeyAlias tstKey1 -serverKeyAlias tstKey2 -securityLevel LOW}
- Use Jython string:
AdminTask.modifySSLConfig('[-alias testSSLCfg -clientKeyAlias tstKey1 -serverKeyAlias tstKey2 -securityLevel LOW]')
- Use Jython list:
AdminTask.modifySSLConfig(['-alias', 'testSSLCfg', '-clientKeyAlias', 'tstKey1', '-serverKeyAlias', 'tstKey2', '-securityLevel', 'LOW'])
Interactive mode example usage:
- Use Jacl:
$AdminTask modifySSLConfig {-interactive}
- Use Jython:
AdminTask.modifySSLConfig('-interactive')
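As an added example (not IBM's code and not part of the original page), the following plain-Python helper checks a list-form argument list for createSSLConfig or modifySSLConfig against the values documented above: the required parameters, the -securityLevel and -sslProtocol value lists, the -v3timeout range, and the protocol table under listSSLProtocolTypes. The function name check_ssl_config_args and its security_mode parameter are assumptions made for the illustration.

```python
# Added example: pre-flight check of createSSLConfig / modifySSLConfig
# arguments, using only the values documented on this page (not IBM code).
SECURITY_LEVELS = ("HIGH", "MEDIUM", "LOW", "CUSTOM")
ALL_PROTOCOLS = ("SSL_TLS", "SSL", "SSLv2", "SSLv3", "TLS", "TLSv1",
                 "SSL_TLSv2", "TLSv1.1", "TLSv1.2")
TLS_ONLY = ("TLS", "TLSv1", "TLSv1.1", "TLSv1.2")
# Security mode -> protocol types, as listed under listSSLProtocolTypes.
PROTOCOLS_BY_MODE = {
    "FIPS not enabled": ALL_PROTOCOLS,
    "FIPS140-2": TLS_ONLY,
    "SP800-131 - Transition": TLS_ONLY,
    "SP800-131 - Strict": ("TLSv1.2",),
    "Suite B 128": ("TLSv1.2",),
    "SP800-131 - Suite B 192": ("TLSv1.2",),
}
REQUIRED = {
    "createSSLConfig": ("-alias", "-trustStoreName", "-keyStoreName"),
    "modifySSLConfig": ("-alias",),
}


def check_ssl_config_args(command, args, security_mode="FIPS not enabled"):
    """Return a list of problems in a list-form AdminTask argument list."""
    problems = []
    if len(args) % 2:
        return ["argument list must be option/value pairs"]
    opts = dict(zip(args[0::2], args[1::2]))  # '-option' -> value
    for name in REQUIRED[command]:
        if name not in opts:
            problems.append("missing required %s" % name)
    level = opts.get("-securityLevel")
    if level is not None and level not in SECURITY_LEVELS:
        problems.append("invalid -securityLevel %s" % level)
    proto = opts.get("-sslProtocol")
    if proto is not None:
        if proto not in ALL_PROTOCOLS:
            problems.append("invalid -sslProtocol %s" % proto)
        elif proto not in PROTOCOLS_BY_MODE[security_mode]:
            problems.append("-sslProtocol %s is not available in mode %s"
                            % (proto, security_mode))
    timeout = opts.get("-v3timeout")
    if timeout is not None and not (timeout.isdigit() and 1 <= int(timeout) <= 86400):
        problems.append("-v3timeout must be 1 to 86400 seconds")
    return problems


# Constructed sample: SSLv3 requested while the cell runs in FIPS140-2 mode.
SAMPLE = ['-alias', 'testSSLCfg', '-sslProtocol', 'SSLv3']

if __name__ == "__main__":
    print(check_ssl_config_args("modifySSLConfig", SAMPLE, "FIPS140-2"))
```

An empty result means the list can be passed unchanged to AdminTask.createSSLConfig or AdminTask.modifySSLConfig in Jython list form.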
Related:
- Key management for cryptographic uses
- wsadmin AdminTask
- Automating SSL configurations using scripting
- Create an SSL configuration at the node scope using scripting