Setting a certificate authority certificate as the default certificate using the wsadmin tool

Use this topic to request a personal certificate from an external certificate authority (CA) with the wsadmin tool. After the CA returns the certificate and it is saved in the keystore, you can make it the server default personal certificate.

Before you begin

You must configure a CA client object in your environment. The client object contains all of the configuration information necessary to connect to your third-party CA server.

About this task

After profile creation, the system is assigned a default chained personal certificate. Use the following steps to modify the application server to use a default personal certificate created by an external CA.

Procedure

  1. Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
  2. Verify that a certificate authority client exists in your configuration. Use the listCAClients command to query your environment for all existing certificate authority clients and configuration attributes, or the getCAClient command to return the configuration attributes for a specific certificate authority client. If the listCAClients or getCAClient commands do not return any attributes, then you must create a certificate authority client object before you can complete the remaining steps.
    • List all certificate authority client objects in your configuration.
      Use the listCAClients command to list all certificate authority clients in your configuration. If you do not provide a value for the -scopeName parameter, then the command queries the cell if you use a deployment manager profile or queries the node if you use an application server profile. Use the -all parameter to query your environment without using a specific scope, as the following example demonstrates:
      print AdminTask.listCAClients('-all true')
      The command returns an array of attribute lists, one attribute list for each CA client, as the following example output shows (two CA clients, jenCAClient and myCAClient, are configured at the cell scope):
      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] [scopeName (cell):myCell01] [name jenCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566881] [port 2950] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
    • List the configuration attributes for a specific certificate authority client.
      Use the getCAClient command to view the list of attributes for a specific certificate authority client, as the following example demonstrates:
      print AdminTask.getCAClient('-caClientName myCAClient')
      The command returns a single attribute list that contains the attribute and value pairs for that certificate authority client, as the following example shows:
      '[ [backupCAs ] [managementScope (cells/myCell01|security.xml#ManagementScope_1)] [scopeName (cell):myCell01] [name myCAClient] [baseDn ] [_Websphere_Config_Data_Id cells/myCell01|security.xml#CAClient_1181834566882] [port 2951] [CACertificate ] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] [userId ] [_Websphere_Config_Data_Type CAClient] [retryCheck 0] [properties ] [frequencyCheck 0] [password ] [host ] ]'
  3. Optional: If a certificate authority client does not exist in your environment, then configure a CA client object.
  4. Optional: View the current default personal certificate.
    Use the following listPersonalCertificates command to display the personal certificates in the keystore, including the current default personal certificate that you are going to replace:
    AdminTask.listPersonalCertificates('[-keyStoreName CellDefaultKeyStore -keyStoreScope (cell):myCell01]')
  5. Request a certificate from a certificate authority.
    Before the current default personal certificate can be replaced, you must request a certificate from a certificate authority. The requestCACertificate command can generate a new certificate request from the -certificate* parameters that you supply, or it can use a certificate request that you created earlier with the createCertificateRequest command; in that case, pass the alias of the existing request as the -certificateAlias parameter. The command uses the certificate request and the connection details from the CA client object to request the certificate from the certificate authority. If the certificate authority returns the certificate, the requestCACertificate command stores it in the specified keystore under that alias and returns a message of COMPLETE.
    Use the requestCACertificate command and the following required parameters to request a certificate from a certificate authority:

    Table 1. Required parameters
    Parameter           | Description | Data type
    -certificateAlias   | Specifies the alias under which the certificate is stored. If you created a certificate request earlier with the createCertificateRequest command, specify the alias of that request here. | String
    -keyStoreName       | Specifies the name of the keystore object in which the returned certificate is stored. Use the listKeyStores command to display a list of available keystores. | String
    -caClientName       | Specifies the name of the CA client object that the command uses to contact the certificate authority. | String
    -revocationPassword | Specifies the password that is required to revoke the certificate at a later date. Record it securely; it is needed to revoke the certificate later. | String
    You can also use the following parameters to specify additional certificate request options. If you do not specify an optional parameter, then the command uses the default value.

    Table 2. Optional parameters
    Parameter                      | Description | Data type
    -keyStoreScope                 | Specifies the management scope of the keystore. For a deployment manager profile, the default value is the cell scope. For an application server profile, the default value is the node scope. | String
    -caClientScope                 | Specifies the management scope of the CA client. For a deployment manager profile, the default value is the cell scope. For an application server profile, the default value is the node scope. | String
    -certificateCommonName         | Specifies the common name (CN) part of the full distinguished name (DN) of the certificate. The common name can represent a person, company, or machine. For web sites, the common name is usually the DNS host name of the server; clients verify the server host name against it. | String
    -certificateSize               | Specifies the size of the certificate key, in bits. The valid values are 512, 1024, and 2048. The default value is 1024. Use 2048: 512-bit and 1024-bit RSA keys are considered too weak to protect server traffic, and public certificate authorities no longer issue certificates for them. | String
    -certificateOrganization       | Specifies the organization portion of the distinguished name. | String
    -certificateOrganizationalUnit | Specifies the organizational unit portion of the distinguished name. | String
    -certificateLocality           | Specifies the locality portion of the distinguished name. | String
    -certificateState              | Specifies the state portion of the distinguished name. | String
    -certificateZip                | Specifies the zip code portion of the distinguished name. | String
    -certificateCountry            | Specifies the country portion of the distinguished name. | String
    Use the following example command syntax to request a certificate from a certificate authority:
    AdminTask.requestCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -caClientName myCAClient -revocationPassword revokeCApw -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')
    The command returns one of two values: Certificate COMPLETE or certificate PENDING. If the command returns Certificate COMPLETE, the certificate authority returned the requested certificate and it is now stored in the keystore under the alias that you specified; the default personal certificate is not changed until you complete step 6. If the command returns certificate PENDING, the certificate authority has not yet returned a certificate. Use the queryCACertificate command to check the status of the request, and do not continue to step 6 until the status is COMPLETE:
    AdminTask.queryCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient')
  6. Replace the server default personal certificate.
    Use the following replaceCertificate command example to replace the existing default personal certificate with the newly created CA personal certificate:
    AdminTask.replaceCertificate('-keyStoreName CellDefaultKeyStore -certificateAlias defaultPersonalCertificate -replacementCertificateAlias newCertificate')
  7. Save your configuration changes.
    Use the following command example to save your configuration changes:
    AdminConfig.save()
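The whole procedure as one wsadmin Jython script, as an added example that is not part of this IBM topic: it runs steps 2 to 7 in order, parses the listCAClients output to confirm that the named CA client exists before requesting anything, polls queryCACertificate while the request is PENDING, and calls replaceCertificate and AdminConfig.save() only after the CA reports COMPLETE. The CA client, keystore, alias and revocation password values are the placeholders used in this topic. FakeAdminTask and FakeAdminConfig, their canned attribute-list output and the PENDING-then-COMPLETE answer sequence are constructed stand-ins so the control flow can be run outside wsadmin; inside wsadmin the real AdminTask and AdminConfig objects are used. The script uses generator and conditional expressions, so it assumes Jython 2.5 or later, and it assumes that a file passed to wsadmin with -f runs as the main script.

```python
# Added example, not part of the IBM topic: steps 2 to 7 of this procedure as
# one script, with a check after each command so that the default certificate
# is replaced and saved only after the CA has actually returned the certificate.
# myCAClient, CellDefaultKeyStore, newCertificate, defaultPersonalCertificate
# and revokeCApw are the placeholder values from the topic.  The Fake* classes
# and their canned output are constructed stand-ins for running outside wsadmin.
import re
import time

# One wsadmin attribute pair looks like "[name myCAClient]" or "[host ]".
ATTR_RE = re.compile(r'\[(\w+) ?([^\[\]]*)\]')


def parse_attribute_list(text):
    """Turn one attribute list from listCAClients or getCAClient, e.g.
    '[ [name myCAClient] [port 2951] [host ] ]', into a dict of strings.
    Empty attributes such as '[host ]' map to ''."""
    return dict((k, v.strip()) for k, v in ATTR_RE.findall(str(text)))


def find_ca_client(admin_task, name):
    """Step 2: return the attributes of the CA client called name, or None
    if no CA client object with that name exists at any scope."""
    for entry in admin_task.listCAClients('-all true'):
        attrs = parse_attribute_list(entry)
        if attrs.get('name') == name:
            return attrs
    return None


def request_certificate(admin_task, alias, keystore, ca_client, revocation_pw,
                        attempts=5, delay=30, sleep=time.sleep):
    """Step 5: request the certificate, then poll queryCACertificate while the
    CA reports PENDING.  True once the CA reports COMPLETE (the certificate is
    then in the keystore under alias); False if still pending after
    `attempts` queries.  sleep is injectable so the offline demo need not wait."""
    result = admin_task.requestCACertificate(
        '-certificateAlias %s -keyStoreName %s -caClientName %s '
        '-revocationPassword %s' % (alias, keystore, ca_client, revocation_pw))
    for _ in range(attempts):
        if 'COMPLETE' in str(result).upper():
            return True
        sleep(delay)
        result = admin_task.queryCACertificate(
            '-certificateAlias %s -keyStoreName %s' % (alias, keystore))
    return 'COMPLETE' in str(result).upper()


def install_ca_default_certificate(admin_task, admin_config,
                                   ca_client='myCAClient',
                                   keystore='CellDefaultKeyStore',
                                   old_alias='defaultPersonalCertificate',
                                   new_alias='newCertificate',
                                   revocation_pw='revokeCApw',
                                   sleep=time.sleep):
    """Steps 2 to 7.  'REPLACED' when the new certificate is the default and
    the configuration is saved; 'PENDING' when the CA has not answered yet,
    in which case nothing is replaced or saved."""
    if find_ca_client(admin_task, ca_client) is None:
        raise ValueError('CA client %s is not configured; create it first '
                         '(step 3)' % ca_client)
    if not request_certificate(admin_task, new_alias, keystore, ca_client,
                               revocation_pw, sleep=sleep):
        return 'PENDING'
    admin_task.replaceCertificate(                       # step 6
        '-keyStoreName %s -certificateAlias %s -replacementCertificateAlias %s'
        % (keystore, old_alias, new_alias))
    admin_config.save()                                  # step 7
    return 'REPLACED'


class FakeAdminTask:
    """Constructed stand-in for AdminTask: one CA client named myCAClient and
    a CA that answers PENDING to the request and the first query, then
    COMPLETE.  Records the order of calls for inspection."""
    def __init__(self):
        self.calls, self.queries = [], 0

    def listCAClients(self, args):
        return ['[ [backupCAs ] [scopeName (cell):myCell01] [name myCAClient] '
                '[port 2951] [pkiClientImplClass com.ibm.wsspi.ssl.WSPKIClient] '
                '[userId ] [host ] ]']

    def requestCACertificate(self, args):
        self.calls.append('request')
        return 'certificate PENDING'

    def queryCACertificate(self, args):
        self.calls.append('query')
        self.queries += 1
        return 'certificate PENDING' if self.queries < 2 else 'Certificate COMPLETE'

    def replaceCertificate(self, args):
        self.calls.append('replace')


class FakeAdminConfig:
    """Constructed stand-in for AdminConfig that only counts save() calls."""
    def __init__(self):
        self.saved = 0

    def save(self):
        self.saved += 1


if __name__ == '__main__':
    try:
        task, config, wait = AdminTask, AdminConfig, time.sleep  # inside wsadmin
    except NameError:                                            # offline demo
        task, config, wait = FakeAdminTask(), FakeAdminConfig(), (lambda s: None)
    print(install_ca_default_certificate(task, config, sleep=wait))
```

Run it inside wsadmin with wsadmin -lang jython -f and the real AdminTask and AdminConfig objects are picked up; run it with an ordinary Python interpreter and the constructed stand-ins exercise the PENDING, poll, COMPLETE, replace, save sequence. Because the revocation password is passed as part of the command string, keep the script file itself protected rather than embedding a production password in a shared location.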

Results

The default personal certificate for the server is a certificate that is created by an external CA.

What to do next

If the requestCACertificate command returned certificate PENDING, run the queryCACertificate command until the certificate authority returns the certificate, then repeat steps 6 and 7 to replace the default personal certificate and save the configuration. After the replacement, restart the affected servers so that they pick up the new default certificate.





Last updated: Oct 20, 2010 7:53:43 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist&topic=txml_7percert
File name: txml_7percert.html