Create an SSL configuration at the node scope using scripting
Overview
An SSL configuration references many other configuration objects. To make valid selections for the new SSL configuration before you create it, view information about the existing configuration objects. That information is also needed when creating a node-scoped SSL configuration with the createSSLConfig command of the AdminTask object.
The security.xml file is restricted. To make changes to security.xml, verify that the user ID has administrator role authorization. A user ID with operator role authorization can perform a node synchronization, but any changes that it makes to security.xml are not synchronized.
To use the information in this task effectively, familiarize yourself with the instructions in Create an SSL configuration.
Create an SSL configuration at the node scope
- To see which management scopes are defined, use the listManagementScopes command.
- Jacl...
$AdminTask listManagementScopes {-scopeName (cell):MyCell02:(node):MyNode02}
- Jython...
AdminTask.listManagementScopes('[-scopeName (cell):MyCell02:(node):MyNode02]')
This shows an existing cell scope and an existing node scope.
To create a different scope, use the createManagementScope command of the AdminTask object. Valid scope parameters...
- cell
- nodegroup
- node
- server
- cluster
- endpoint
See the Central management of SSL configurations for more information on scope definitions.
- To list the key stores that exist in the configuration, including both key stores and trust stores, use the listKeyStores command.
- Jacl...
$AdminTask listKeyStores -all true
- Jython...
AdminTask.listKeyStores('-all true')
For example...
CellDefaultKeyStore(cells/MyCell02|security.xml#KeyStore_1)
CellDefaultTrustStore(cells/MyCell02|security.xml#KeyStore_2)
CellLTPAKeys(cells/MyCell02|security.xml#KeyStore_3)
To obtain the key stores visible from another scope, specify the scopeName parameter...
- Jacl...
$AdminTask listKeyStores {-scopeName (cell):MyCell02:(node):MyNode02}
- Jython...
AdminTask.listKeyStores('[-scopeName (cell):MyCell02:(node):MyNode02]')
For example...
CellDefaultKeyStore(cells/MyCell02|security.xml#KeyStore_1)
CellDefaultTrustStore(cells/MyCell02|security.xml#KeyStore_2)
CellLTPAKeys(cells/MyCell02|security.xml#KeyStore_3)
NodeDefaultKeyStore(cells/MyCell02|security.xml#KeyStore_1134610924357)
NodeDefaultTrustStore(cells/MyCell02|security.xml#KeyStore_1134610924377)
- To list specific trust or key managers, use the listTrustManagers or listKeyManagers command.
- Jacl...
$AdminTask listTrustManagers {-scopeName (cell):MyCell02:(node):MyNode02 -displayObjectName true}
- Jython...
AdminTask.listTrustManagers('[-scopeName (cell):MyCell02:(node):MyNode02 -displayObjectName true]')
For example...
IbmX509(cells/MyCell02|security.xml#TrustManager_1)
IbmPKIX(cells/MyCell02|security.xml#TrustManager_2)
IbmX509(cells/MyCell02|security.xml#TrustManager_1134610924357)
IbmPKIX(cells/MyCell02|security.xml#TrustManager_1134610924377)
The object names of the trust managers are displayed here because the SSL configuration refers to trust managers by object name: several trust manager instances can be specified, and the name alone (IbmX509 appears twice above) does not identify one.
- Create the node-scoped SSL configuration in interactive mode.
Now that we have the information to choose from, we need to decide whether these objects are sufficient or whether new ones must be created. Here we reuse what is already in the configuration; creating new instances is covered in the task documents specific to those objects.
- Jacl...
$AdminTask createSSLConfig -interactive
- Jython...
AdminTask.createSSLConfig('[-interactive]')
For example...
Create an SSL Configuration.
*SSL Configuration Alias (alias): MyNode02SSL
Config Management Scope Name (scopeName): (cell):MyCell02:(node):MyNode02
Client Key Alias (clientKeyAlias): default
Server Key Alias (serverKeyAlias): default
SSL Type (type): [JSSE]
Client Authentication (clientAuthentication): [false]
Security Level of the SSL Configuration (securityLevel): [HIGH]
Enabled Ciphers SSL Configuration (enabledCiphers):
JSSE Provider (jsseProvider): [IBMJSSE2]
Client Authentication Support (clientAuthenticationSupported): [false]
SSL Protocol (sslProtocol): [SSL_TLS]
Trust Manager Object Names (trustManagerObjectNames): (cells/MyCell02|security.xml#TrustManager_1)
*Trust Store Name (trustStoreName): NodeDefaultTrustStore
Trust Store Scope (trustStoreScopeName): (cell):MyCell02:(node):MyNode02
*Key Store Name (keyStoreName): NodeDefaultKeyStore
Key Store Scope Name (keyStoreScopeName): (cell):MyCell02:(node):MyNode02
Key Manager Name (keyManagerName): IbmX509
Key Manager Scope Name (keyManagerScopeName): (cell):MyCell02:(node):MyNode02
Create SSL Configuration
F (Finish) C (Cancel)
Select [F, C]: [F] F
WASX7278I: Generated command line: $AdminTask createSSLConfig {-alias MyNode02SSLConfig -scopeName (cell):MyCell02:(node):MyNode02 -clientKeyAlias default -serverKeyAlias default -trustManagerObjectNames (cells/MyCell02|security.xml#TrustManager_1) -trustStoreName NodeDefaultTrustStore -trustStoreScopeName (cell):MyCell02:(node):MyNode02 -keyStoreName NodeDefaultKeyStore -keyStoreScopeName (cell):MyCell02:(node):MyNode02 -keyManagerName IbmX509 -keyManagerScopeName (cell):MyCell02:(node):MyNode02 }
- Save the configuration changes.
- In a network deployment environment only, synchronize the node.
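The whole procedure above as one non-interactive wsadmin Jython script (an added example, not code from the page or from the product documentation): it checks that the key store, trust store and trust manager the new configuration will reference are actually visible from the node scope, refuses to create a duplicate alias, then runs the batch form of the command line that the interactive session generated, saves, and synchronizes the node. The object and scope names are those shown on the page; the helper functions, the listSSLConfigs duplicate check and the NodeSync MBean call are my additions.

```jython
# Added example, not from the original page: non-interactive wsadmin Jython
# equivalent of the interactive session above. Names are those shown on the
# page (MyCell02/MyNode02, NodeDefault* stores); adjust for your topology.
SCOPE = '(cell):MyCell02:(node):MyNode02'
ALIAS = 'MyNode02SSLConfig'
KEY_STORE = 'NodeDefaultKeyStore'
TRUST_STORE = 'NodeDefaultTrustStore'

def namesOf(listing):
    # listKeyStores/listSSLConfigs return one entry per line, e.g.
    # "NodeDefaultKeyStore(cells/MyCell02|security.xml#KeyStore_...)";
    # keep only the name before the parenthesis.
    return [l.split('(')[0].strip() for l in listing.splitlines() if l.strip()]

def objectNameOf(listing, name):
    # Return the "(cells/...|security.xml#...)" part of the first entry
    # called `name`; listTrustManagers can show several instances of one name.
    for l in listing.splitlines():
        if l.strip().startswith(name + '('):
            return l.strip()[len(name):]
    return None

# 1. The key store and trust store must exist in (or be visible from) the scope.
stores = namesOf(AdminTask.listKeyStores('[-scopeName %s]' % SCOPE))
for needed in (KEY_STORE, TRUST_STORE):
    if needed not in stores:
        raise Exception('%s is not defined in scope %s' % (needed, SCOPE))

# 2. Resolve the IbmX509 trust manager to its object name, which is what
#    -trustManagerObjectNames expects (it may list several instances).
tmListing = AdminTask.listTrustManagers(
    '[-scopeName %s -displayObjectName true]' % SCOPE)
tmObjectName = objectNameOf(tmListing, 'IbmX509')
if tmObjectName is None:
    raise Exception('no IbmX509 trust manager visible from scope %s' % SCOPE)

# 3. Do not silently create a second configuration with the same alias.
if ALIAS in namesOf(AdminTask.listSSLConfigs('[-scopeName %s]' % SCOPE)):
    raise Exception('SSL configuration %s already exists' % ALIAS)

# 4. Batch-mode form of the command line generated by the interactive session.
AdminTask.createSSLConfig(['-alias', ALIAS, '-scopeName', SCOPE,
    '-clientKeyAlias', 'default', '-serverKeyAlias', 'default',
    '-trustManagerObjectNames', tmObjectName,
    '-trustStoreName', TRUST_STORE, '-trustStoreScopeName', SCOPE,
    '-keyStoreName', KEY_STORE, '-keyStoreScopeName', SCOPE,
    '-keyManagerName', 'IbmX509', '-keyManagerScopeName', SCOPE])

# 5. Save, then synchronize the node (network deployment only; the NodeSync
#    MBean is absent on a stand-alone server, so the call is skipped there).
AdminConfig.save()
nodeSync = AdminControl.completeObjectName('type=NodeSync,node=MyNode02,*')
if nodeSync:
    AdminControl.invoke(nodeSync, 'sync')
```

Run it with wsadmin -lang jython -f against the deployment manager; the resulting repertoire entry is the one shown under Results.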
Results
The name of the SSL configuration object that you created, for example (cells/MyCell02|security.xml#SSLConfig_1136652770753), appears in security.xml.
Example security.xml file output:
<repertoire xmi:id="SSLConfig_1136652770753" alias="MyNode02SSLConfig" type="JSSE" managementScope="ManagementScope_1134610924357">
  <setting xmi:id="SecureSocketLayer_1136652770924" clientKeyAlias="default" serverKeyAlias="default" clientAuthentication="false" securityLevel="HIGH" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS" keyStore="KeyStore_1134610924357" trustStore="KeyStore_1134610924377" trustManager="TrustManager_1" keyManager="KeyManager_1134610924357"/>
</repertoire>
What to do next
Once you create the SSL configuration object, the next step is to use it. There are several ways to associate an SSL configuration with a protocol or endpoint...
- Set the SSL configuration on the thread programmatically.
- Associate the SSL configuration with an outbound protocol or with a target host and port.
- Associate the SSL configuration directly by its alias.
- Manage SSL configurations centrally by associating them with SSL configuration groups or zones, so that the configuration used is selected by the group in which the endpoint exists.
Related information
SSL configurations
Dynamic outbound selection of SSL configurations
Central management of SSL configurations