Use this topic to create a certificate authority (CA) client
object. The client object contains all of the configuration information
necessary to connect to your third-party CA server. A CA client must
exist in your configuration before you can issue a request to the
CA to create personal certificates with the requestCACertificate command.
Before you begin
A CA client object contains the information that the system
uses to connect to a certificate authority. Implement the com.ibm.ws.WSPKIClient
interface to connect to the certificate authority, and provide the
com.ibm.ws.WSPKIClient class when you create the CA client object.
About this task
If a CA client does not exist in your configuration, use
the steps in this topic to create a new CA client.
Procedure
- Launch the wsadmin scripting tool using the Jython scripting
language. See the Starting the wsadmin scripting client article for
more information.
- Determine if a CA client exists in your configuration.
Use the following listCAClients command to list all certificate
authority clients in your configuration:
print AdminTask.listCAClients()
- If no CA clients exist, then create a new CA client.
Use the createCAClient command to create a new CA client
object. The application server connects to a CA server through the
WSPKIClient implementation, which handles all connections and communication
with the CA server.
Table 1. Required parameter. You must specify the following configuration information for a new CA client object:
Parameter | Description | Data Type
-caClientName | Specify a name to uniquely identify the CA client object. | String
Table 2. Additional parameters. You can specify additional configuration information using the following parameters:
Parameter | Description | Data Type
-scopeName | Specify the management scope of the CA client. For a deployment manager profile, the system uses the cell scope as the default value. For an application server profile, the system uses the node scope as the default value. | String
-pkiClientImplClass | Specify the class path that implements the WSPKIClient interface. The system uses this path to connect to the CA and to issue requests to the CA. The default value is com.ibm.wsspi.ssl.WSPKIClient. | String
-host | Specify the host name in your system where the CA resides. | String
-port | Specify the port on the server where the CA listens. | String
-userName | Specify the user name to use to authenticate to the CA. | String
-password | Specify the password for the user name that authenticates to the CA. | String
-frequencyCheck | Specify how often, in minutes, the system checks with the CA to determine if a certificate has been created. | String
-retryCheck | Specify the number of times to check with the CA to determine if a certificate has been created. | String
-customProperties | Specify a comma-separated list of attribute and value (attribute=value) custom property pairs to add to the CA client object. | String
Use the following example command
to create a new CA client object:
AdminTask.createCAClient('[-caClientName clientObj01 -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient -host machine011 -port 9022 -userName admin -password pw4admin]')
The command returns the object name of the CA client that
has been created.
- Save your configuration changes.
Use the following command example to save your configuration
changes:
AdminConfig.save()
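The whole procedure (list, create only if missing, save) as one wsadmin Jython helper. This is an added example, not code from the original topic or from the product; it assumes that listCAClients() returns configuration IDs of the usual WebSphere shape name(cells/...|security.xml#CAClient_123), and the wsadmin objects are passed in as parameters so the logic can be exercised outside wsadmin with constructed values.

```python
# Added example (not from the original topic): a wsadmin Jython helper that
# applies the procedure above idempotently. It checks listCAClients() for a
# client with the same name, creates it only if missing, and then saves.
# Assumption: listCAClients() returns configuration IDs in the usual WebSphere
# shape "name(cells/...|security.xml#CAClient_123)"; test values are constructed.

DEFAULT_IMPL_CLASS = 'com.ibm.wsspi.ssl.WSPKIClient'

def parse_ca_client_names(list_output):
    """Names from listCAClients(): accepts a list or the newline-separated string."""
    if isinstance(list_output, str):
        list_output = list_output.splitlines()
    names = []
    for entry in list_output:
        entry = entry.strip()
        if entry:
            names.append(entry.split('(')[0].strip())   # text before the '('
    return names

def build_create_params(name, host, port, user_name, password,
                        impl_class=DEFAULT_IMPL_CLASS, scope_name=None,
                        frequency_check=None, retry_check=None,
                        custom_properties=None):
    """Assemble the '[-option value ...]' string that createCAClient expects.
    The result embeds the CA password in clear text, so never log it."""
    if not str(port).isdigit():
        raise ValueError('port must be numeric, got %r' % (port,))
    parts = ['-caClientName', name, '-pkiClientImplClass', impl_class,
             '-host', host, '-port', str(port),
             '-userName', user_name, '-password', password]
    if scope_name:
        parts += ['-scopeName', scope_name]
    if frequency_check is not None:       # minutes between polls of the CA
        parts += ['-frequencyCheck', str(frequency_check)]
    if retry_check is not None:           # number of polls before giving up
        parts += ['-retryCheck', str(retry_check)]
    if custom_properties:                 # list of (attribute, value) pairs
        pairs = ['%s=%s' % kv for kv in custom_properties]
        parts += ['-customProperties', ','.join(pairs)]
    return '[%s]' % ' '.join(parts)

def ensure_ca_client(admin_task, admin_config, name, host, port,
                     user_name, password, **extra):
    """Create the CA client if absent; returns (created, object_name)."""
    if name in parse_ca_client_names(admin_task.listCAClients()):
        return (0, name)
    obj = admin_task.createCAClient(
        build_create_params(name, host, port, user_name, password, **extra))
    admin_config.save()   # persist the new object, as in the last step above
    return (1, obj)
```

Under wsadmin, call ensure_ca_client(AdminTask, AdminConfig, 'clientObj01', 'machine011', 9022, 'admin', 'pw4admin'); the function returns (1, object name) when it created the client and (0, name) when one already existed.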
What to do next
If the CA client object was successfully created, then
you can configure the application server to use a personal certificate
created by an external CA.