SSL configuration is needed for WebSphere® to perform SSL connections with other servers. A SSL
configuration can be configured through the Admin Console. But if an automated way to create a SSL
configuration is desired then AdminTask should be used.
Before you begin
Before starting this task, the wsadmin tool must be running. See the Starting the wsadmin
scripting client article for more information.
About this task
AdminTask can be used in a interactive mode and batch mode. For automation the batch mode options
should be used. AdminTask batch mode can be called in a Jacl or Jython script. Interactive mode will
step through all the parameter the task needs, requires ones are marked with a '*'. Before the
interactive task executes the task it echoes the batch mode syntax of the task to the screen. This
can be helpful when writing batch mode scripts.
There attributes needed to create an SSL configuration:
- A key store
- Default client certificate alias
- Default server certificate alias
- Trust store
- The handshake protocol
- The ciphers needed during handshake
- Supporting client authentication or not
If automating the creation of a SSL Configuration it may be needed to create some of the
attribute values needed like the key store, truststore, key manager, and trust managers.
Procedure
-
To create a SSL configuration the createSSLConfig AdminTask can be used. To make changes to the
SSL configurations use the modifySSLConfig AdminTask.
Example output:
*SSL Configuration Alias (alias): testSSLConfig
Management Scope Name (scopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
Client Key Alias (clientKeyAlias): clientCert
Server Key Alias (serverKeyAlias): serverCert
SSL Type (type): [JSSE]
Client Authentication (clientAuthentication): [false]
Security Level of the SSL Configuration (securityLevel): [HIGH] HIGH
Enabled Ciphers SSL Configuration (enabledCiphers):
JSSE Provider (jsseProvider): [IBMJSSE2]
Client Authentication Support (clientAuthenticationSupported): [false]
SSL Protocol (sslProtocol): [SSL_TLS] SSL_TLS
Trust Manager Object Names (trustManagerObjectNames):
*Trust Store Name (trustStoreName): testTrustStore
Trust Store Scope (trustStoreScopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
*Key Store Name (keyStoreName): testKeyStore
Key Store Scope Name (keyStoreScopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
Key Manager Name (keyManagerName): IbmX509
Key Manager Scope Name (keyManagerScopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
Create SSL Configuration
F (Finish)
C (Cancel)
Select [F, C]: [F]
WASX7278I: Generated command line: $AdminTask createSSLConfig {-alias testSSLConfig
-scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -clientKeyAlias clientCert
-serverKeyAlias serverCert -trustStoreName testTrustStore
-trustStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01
-keyStoreName testKeyStore -keyStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01
-keyManagerName IbmX509 -keyManagerScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 }
(cells/HOSTNode01Cell|security.xml#SSLConfig_1137687301834)
At
the end of the output, the batch mode parameters are provided.
- Batch mode:
Using Jacl:
$AdminTask createSSLConfig {-alias testSSLConfig
-scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -clientKeyAlias clientCert
-serverKeyAlias serverCert -trustStoreName testTrustStore
-trustStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01
-keyStoreName testKeyStore -keyStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01
-keyManagerName IbmX509 -keyManagerScopeName (cell):HOSTNode01Cell:(node):HOSTNode01}
-
Using Jython:
AdminTask.createSSLConfig ('[-alias testSSLConfig
-scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -clientKeyAlias clientCert
-serverKeyAlias serverCert -trustStoreName testTrustStore
-trustStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01
-keyStoreName testKeyStore -keyStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01
-keyManagerName IbmX509 -keyManagerScopeName (cell):HOSTNode01Cell:(node):HOSTNode01]')
Example
output:
(cells/HOSTNode01Cell|security.xml#SSLConfig_1137687301834)
-
Key Stores and Trust Stores
The key store and truststore may already exist or a new one may need to be created. To create
a new key store or truststore use the createKeyStore AdminTask. It will create a key store file and
store the configuration object in the system configuration. A truststore is just a key store that
usually only has signer certificates in it. To create a key store enter:
-
Using Jacl:
$AdminTask createKeyStore {-keyStoreName testKeyStore -keyStoreType PKCS12
-keyStoreLocation $(USER_INSTALL_ROOT)\testKeyStore.p12 -keyStorePassword abcd
-keyStorePasswordVerify abcd -keyStoreIsFileBased true -keyStoreReadOnly false}
-
Using Jython:
AdminTask.createKeyStore ('[-keyStoreName testKeyStore -keyStoreType PKCS12
-keyStoreLocation $(USER_INSTALL_ROOT)\testKeyStore.p12 -keyStorePassword abcd
-keyStorePasswordVerify abcd -keyStoreIsFileBased true -keyStoreReadOnly false]')
To populate the key store with certificates see “Managing Certificates using AdminConsole and
Admin Task” The key store and truststore are required to create a SSL configuration. Use the
'-keyStoreName' and '-trustStoreName' flags on the createSSLConfig. There scopes can be added with
the '-keyStoreScope' flag and '-trustStoreScope' flags.
-
Key Manager
Key manager are used to determine how a certificate is selected. The IbmX509 key manager is in
the security configuration by default. If a different key manager is needed then use
createKeyManager AdminTask to create it. To create a key manager enter:
-
Using Jacl:
$AdminTask createKeyManager {-name testKeyManager
-scopeName (cell):HOSTNode01Cell:(node):HOSTNode01
-provider IBMJSSE2 -algorithm specialAlgorithm }
-
Using Jython:
AdminTask.createKeyManager ('[-name testKeyManager
-scopeName (cell):HOSTNode01Cell:(node):HOSTNode01
-provider IBMJSSE2 -algorithm specialAlgorithm]')
To supply a key manager on the createSSLConfig AdminTask use the '-keyManagerName' along with
the '-keyManagerScopeName' flag.
-
Trust Manager
Trust managers are use to determine how trust is established during ssl communication. The
IbmX509 and IbmPKIX are trust managers are in the security configuration by default. If a different
or additional trust manager is needed then use the createTrustManager AdminTask to create it. To
create a trust manager enter:
-
Using Jacl:
$AdminTask createTrustManager {-name testTrustManager
-scopeName (cell):HOSTNode01Cell:(node):HOSTNode01
-provider IBMJSSE2 -algorithm specialAlgorithm }
-
Using Jython:
AdminTask.createTrustManager ('[-name testTrustManager
-scopeName (cell):HOSTNode01Cell:(node):HOSTNode01
-provider IBMJSSE2 -algorithm specialAlgorithm]')
The SSL Configuration can have multiple trust managers. To supply multiple trust managers give
a colon (
:) separated list of the trust managers configuration IDs with the
-trustManagerObjectNames flag. When you create a trust manager the configuration object ID
is returned. To get a list of trust managers object IDs use the
listTrustManagers command of
the AdminTask object with the
-displayObjectName true flag. For
example:
wsadmin>$AdminTask listTrustManagers -interactive
List Trust Managers
List trust managers.
Management Scope Name (scopeName):
Display list in ObjectName Format (displayObjectName): [false] true
List Trust Managers
F (Finish)
C (Cancel)
Select [F, C]: [F]
Inside generate script command
WASX7278I: Generated command line: $AdminTask listTrustManagers {-displayObjectName true }
IbmX509(cells/IBM-0AF8DABCF16Node01Cell|security.xml#TrustManager_IBM-0AF8DABCF16Node01_1)
IbmPKIX(cells/IBM-0AF8DABCF16Node01Cell|security.xml#TrustManager_IBM-0AF8DABCF16Node01_2)