SSLMigrationCommands command group for the AdminTask object
You can use the Jython or Jacl scripting languages to migrate key store configurations. Use the commands in the SSLMigrationCommands group to convert self-signed certificates to chained personal certificates and to enable writable key rings.
convertSelfSignedCertificatesToChained command
The convertSelfSignedCertificatesToChained command converts specific self-signed certificates to chained personal certificates.
Syntax
wsadmin>$AdminTask convertSelfSignedCertificatesToChained
[-certificateReplacementOption ALL_CERTIFICATES | DEFAULT_CERTIFICATES | KEYSTORE_CERTIFICATES]
[-keyStoreName keystore_name]
[-keyStoreScope keystore_scope]
[-rootCertificateAlias alias_name]
Required parameters
- -certificateReplacementOption
- Specifies the convert self-signed certificates replacement options. (String, required) Specify the value for the parameter as one of the following options: ALL_CERTIFICATES, DEFAULT_CERTIFICATES, or KEYSTORE_CERTIFICATES.
Optional parameters
- -keyStoreName
- Specifies the name of a keystore in which to look for self-signed certificates to convert. Use this parameter with the KEYSTORE_CERTIFICATES option on the certificateReplacementOption parameter. (String, optional)
- -keyStoreScope
- Specifies the name of the scope in which to look for the self-signed certificates to convert. (String, optional)
- -rootCertificateAlias
- Specifies the root certificate to use from the default root store used to sign the chained certificate. The default value is root. (String, optional)
Examples
Batch mode example usage:
- Using Jacl:
$AdminTask convertSelfSignedCertificatesToChained {-certificateReplacementOption ALL_CERTIFICATES -keyStoreName testKS}
- Using Jython string:
AdminTask.convertSelfSignedCertificatesToChained('[-certificateReplacementOption ALL_CERTIFICATES -keyStoreName testKS]')
- Using Jython list:
AdminTask.convertSelfSignedCertificatesToChained(['-certificateReplacementOption', 'ALL_CERTIFICATES', '-keyStoreName', 'testKS'])
Tip: To ensure that the migration is successful, change the default value of dynamicallyUpdateSSLConfig to false in the security.xml file. For more information, see the Dynamic configuration updates in SSL topic.
Interactive mode example usage:
- Using Jacl:
$AdminTask convertSelfSignedCertificatesToChained {-interactive}
- Using Jython:
AdminTask.convertSelfSignedCertificatesToChained('-interactive')
enableWritableKeyrings command
The enableWritableKeyrings command modifies the keystore and enables writable SAF support. The system uses this command during migration. The command creates additional writable keystore objects for the control region and servant region key rings for SSL keystores.
Required parameters
- -keyStoreName
- Specifies the name that uniquely identifies the keystore that you want to delete. (String, required)
Optional parameters
- -controlRegionUser
- Specifies the control region user to use to enable writable key rings. (String, optional)
- -servantRegionUser
- Specifies the servant region user to enable writable key rings. (String, optional)
- -scopeName
- Specifies the name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)
Examples
Batch mode example usage:
- Using Jython string:
AdminTask.enableWritableKeyrings('[-keyStoreName testKS -controlRegionUser CRUser1 -servantRegionUser SRUser1]')
- Using Jython list:
AdminTask.enableWritableKeyrings(['-keyStoreName', 'testKS', '-controlRegionUser', 'CRUser1', '-servantRegionUser', 'SRUser1'])
Interactive mode example usage:
- Using Jython:
AdminTask.enableWritableKeyrings('-interactive')
convertSSLConfig command
The convertSSLConfig command migrates existing SSL configurations to the new configuration object format for SSL configurations.
Required parameters
- -sslConversionOption
- Specifies how the system converts the SSL configuration. Specify the CONVERT_SSLCONFIGS value to convert the SSL configuration objects from the previous SSL configuration object to the new SSL configuration object. Specify the CONVERT_TO_DEFAULT value to convert the SSL configuration to a centralized SSL configuration, which also removes the SSL configuration direct referencing from the servers.
Optional parameters
None.
Examples
Batch mode example usage:
- Using Jython string:
AdminTask.convertSSLConfig('[-sslConversionOption CONVERT_SSLCONFIGS]')
- Using Jython list:
AdminTask.convertSSLConfig(['-sslConversionOption', 'CONVERT_SSLCONFIGS'])
Interactive mode example usage:
- Using Jython:
AdminTask.convertSSLConfig('-interactive')
convertSSLCertificates command
The convertSSLCertificates command converts SSL personal certificates to personal certificates that are created with the desired signature algorithm, or lists the SSL personal certificates that are not created with the desired signature algorithm.
Required parameters
None.
Optional parameters
- -convertSSLCertAction
- Specify LIST to list the certificates that are not created with the signature algorithm specified in the -signatureAlgorithm parameter. Specify REPLACE to replace SSL certificates that are not created with that signature algorithm with certificates that are created with it. The default is LIST.
- -signatureAlgorithm
- Specifies the signature algorithm to check personal certificates against when listing, or the signature algorithm used to create new personal certificates that replace the ones not created with it. Valid signature algorithms include SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA. The default value is SHA256withRSA.
Examples
Batch mode example usage:
- Using Jython string:
AdminTask.convertSSLCertificates('[-convertSSLCertAction list -signatureAlgorithm SHA256withRSA]')
- Using Jython list:
AdminTask.convertSSLCertificates(['-convertSSLCertAction', 'list', '-signatureAlgorithm', 'SHA256withRSA'])
Interactive mode example usage:
- Using Jython:
AdminTask.convertSSLCertificates('-interactive')
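Added example (not part of the original documentation or IBM's code): a Jython-compatible wrapper that validates the convertSSLCertificates arguments against the values listed above, always runs LIST before REPLACE, and refuses to issue new SHA-1 signed certificates. The helper names, the SHA-1 refusal policy and the RecordingStub class are assumptions of this example; under wsadmin you pass the built-in AdminTask object instead of the stub.

```python
# Added example: list-before-replace wrapper for convertSSLCertificates.
# Written to run under wsadmin Jython and under plain Python for offline testing.

# Signature algorithms documented as valid for -signatureAlgorithm.
VALID_ALGORITHMS = (
    'SHA1withRSA', 'SHA256withRSA', 'SHA384withRSA', 'SHA512withRSA',
    'SHA1withECDSA', 'SHA256withECDSA', 'SHA384withECDSA', 'SHA512withECDSA',
)

def build_args(action, algorithm='SHA256withRSA'):
    """Return the Jython list form of the command arguments, validated."""
    action = action.upper()
    if action not in ('LIST', 'REPLACE'):
        raise ValueError('convertSSLCertAction must be LIST or REPLACE')
    if algorithm not in VALID_ALGORITHMS:
        raise ValueError('unsupported signatureAlgorithm: %s' % algorithm)
    # Local policy (assumption of this example): never create SHA-1 signed certs.
    if action == 'REPLACE' and algorithm.startswith('SHA1with'):
        raise ValueError('refusing to create certificates signed with SHA-1')
    return ['-convertSSLCertAction', action, '-signatureAlgorithm', algorithm]

def audit_then_replace(admin_task, algorithm='SHA256withRSA', apply_changes=False):
    """Run LIST and return its report; run REPLACE only when apply_changes is set."""
    list_args = build_args('LIST', algorithm)
    replace_args = None
    if apply_changes:
        # Validate the REPLACE request before any command is sent.
        replace_args = build_args('REPLACE', algorithm)
    report = admin_task.convertSSLCertificates(list_args)
    replaced = None
    if replace_args is not None:
        replaced = admin_task.convertSSLCertificates(replace_args)
    return report, replaced

class RecordingStub:
    """Constructed stand-in for AdminTask that records the calls it receives."""
    def __init__(self):
        self.calls = []

    def convertSSLCertificates(self, args):
        self.calls.append(list(args))
        return 'constructed report for %s' % args[1]
```

Under wsadmin, call audit_then_replace(AdminTask) to review the report first, then rerun with apply_changes=True and persist the change with AdminConfig.save().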