You can use the Jython or Jacl scripting languages to configure security with the wsadmin tool. The commands and parameters in the PersonalCertificateCommands group can be used to create and manage personal or signer certificates.
Target object
None.
Required parameters
Optional parameters
Return value
The command does not return output.
Batch mode example usage
AdminTask.createChainedCertificate('-keyStoreName myKeystore -certificateAlias newCertificate -certificateSize 2048 -certificateCommonName localhost -certificateOrganization ibm')
AdminTask.createChainedCertificate(['-keyStoreName', 'myKeystore', '-certificateAlias', 'newCertificate', '-certificateSize', '2048', '-certificateCommonName', 'localhost', '-certificateOrganization', 'ibm'])
Interactive mode example usage
AdminTask.createChainedCertificate('-interactive')
The createSelfSignedCertificate command creates a self-signed personal certificate in a keystore.
Target object
None.
Required parameters
Optional parameters
Example output
The command does not return output.
Examples
Batch mode example usage:
$AdminTask createSelfSignedCertificate {-keyStoreName testKeyStore -certificateAlias default -certificateCommonName localhost -certificateOrganization ibm}
AdminTask.createSelfSignedCertificate('[-keyStoreName testKeyStore -certificateAlias default -certificateCommonName localhost -certificateOrganization ibm]')
AdminTask.createSelfSignedCertificate(['-keyStoreName', 'testKeyStore', '-certificateAlias', 'default', '-certificateCommonName', 'localhost', '-certificateOrganization', 'ibm'])
Interactive mode example usage:
AdminTask.createSelfSignedCertificate('-interactive')
The deleteCertificate command deletes a personal certificate from a keystore. The command saves a copy of the certificate in the delete keystore.
Target object
None.
Required parameters
Optional parameters
Example output
The command does not return output.
Examples
Interactive mode example usage:
AdminTask.deleteCertificate('-interactive')
The exportCertificate command exports a personal certificate from one keystore to another.
Target object
None.
Required parameters
Optional parameters
Example output
The command does not return output.
Examples
Interactive mode example usage:
AdminTask.exportCertificate('-interactive')
The exportCertToManagedKS command exports a personal certificate to a managed keystore in the configuration.
Target object
None.
Required parameters
Optional parameters
Return value
The command does not return output.
Batch mode example usage
AdminTask.exportCertToManagedKS('-keyStoreName myKS -keyStorePassword myKSpw -toKeyStoreName myKS2 -certificateAlias testingKeyStore')
AdminTask.exportCertToManagedKS(['-keyStoreName', 'myKS', '-keyStorePassword', 'myKSpw', '-toKeyStoreName', 'myKS2', '-certificateAlias', 'testingKeyStore'])
Interactive mode example usage
AdminTask.exportCertToManagedKS('-interactive')
The extractCertificate command extracts the signer part of a personal certificate to a certificate file. The certificate in the file can later be added to a keystore to establish trust.
Target object
None.
Required parameters
Optional parameters
Example output
The command does not return output.
Examples
Batch mode example usage:
$AdminTask extractCertificate {-keyStoreName testKeyStore -certificateFilePath c:/temp/CertFile.arm -certificateAlias testCertificate}
$AdminTask extractCertificate {-keyStoreName testKeyStore -certificateFilePath /temp/CertFile.arm -certificateAlias testCertificate}
AdminTask.extractCertificate('[-keyStoreName testKeyStore -certificateFilePath c:/temp/CertFile.arm -certificateAlias testCertificate]')
AdminTask.extractCertificate('[-keyStoreName testKeyStore -certificateFilePath /temp/CertFile.arm -certificateAlias testCertificate]')
AdminTask.extractCertificate(['-keyStoreName', 'testKeyStore', '-certificateFilePath', 'c:/temp/CertFile.arm', '-certificateAlias', 'testCertificate'])
AdminTask.extractCertificate(['-keyStoreName', 'testKeyStore', '-certificateFilePath', '/temp/CertFile.arm', '-certificateAlias', 'testCertificate'])
Interactive mode example usage:
AdminTask.extractCertificate('-interactive')
The getCertificate command obtains information about a particular personal certificate in a keystore. If the certificate of interest was created with the requestCACertificate command, the certificate can be in the COMPLETE or REVOKED state. Certificate requests can be in the PENDING state. Use the getCertificateRequest command to determine if a certificate request is in the PENDING state.
Target object
None.
Required parameters
Optional parameters
Example output
The command returns information about the certificate request.
Examples
Interactive mode example usage:
AdminTask.getCertificate('-interactive')
The getCertificateChain command queries your configuration for information about each personal certificate in a certificate chain.
Target object
None.
Required parameters and return values
Optional parameters
Example output
The command returns an array of attribute lists that contain configuration information for each certificate in a chain.
Examples
Batch mode example usage:
$AdminTask getCertificateChain {-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore}
AdminTask.getCertificateChain('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore')
AdminTask.getCertificateChain(['-certificateAlias', 'newCertificate', '-keyStoreName', 'CellDefaultKeyStore'])
Interactive mode example usage:
AdminTask.getCertificateChain('-interactive')
The importCertificate command imports a personal certificate from a keystore.
Target object
None.
Required parameters
Optional parameters
Example output
The command does not return output.
Examples
Interactive mode example usage:
AdminTask.importCertificate('-interactive')
The importCertFromManagedKS command imports a personal certificate from a managed keystore in the configuration.
Target object
None.
Required parameters
Optional parameters
Return value
The command does not return output.
Batch mode example usage
AdminTask.importCertFromManagedKS('-keyStoreName myKeystore -fromKeyStoreName oldKeystore -fromKeyStorePassword my122password -certificateAliasFromKeyStore myCertificate')
AdminTask.importCertFromManagedKS(['-keyStoreName', 'myKeystore', '-fromKeyStoreName', 'oldKeystore', '-fromKeyStorePassword', 'my122password', '-certificateAliasFromKeyStore', 'myCertificate'])
Interactive mode example usage
AdminTask.importCertFromManagedKS('-interactive')
The listKeySizes command is an administrative console helper task used to display the set of certificate key sizes that are allowed when creating a personal certificate.
By default, the set of valid key sizes includes 512, 1024, 2048, 4096 and 8192. You can customize the list of comma-separated key sizes in the com.ibm.websphere.customKeySizeList security custom property. The com.ibm.websphere.customKeySizeList custom property can be set using the setAdminActiveSecuritySettings command.
Valid key sizes must be 512 or larger, but no larger than 16384, and must be multiples of 8. Any values in com.ibm.websphere.customKeySizeList that do not meet the size requirements are ignored. If the custom list is empty after processing, the list of default sizes is returned.
Target object
None.
Required parameters
None.
Optional parameters
None.
Example output
512
1024
2048
4096
8192
Examples
Batch mode example usage:
$AdminTask listKeySizes
AdminTask.listKeySizes()
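The filtering rules described above for com.ibm.websphere.customKeySizeList, as an added example that is not IBM's implementation: it shows which entries are ignored and that a list with no valid entry falls back to the defaults, 512 and 1024 included. The function names, the treatment of non-numeric entries and the 2048 policy floor are assumptions.

```python
# Added example, not IBM's implementation: applies the documented rules for
# the com.ibm.websphere.customKeySizeList custom property to a raw value.
DEFAULT_KEY_SIZES = [512, 1024, 2048, 4096, 8192]  # defaults listed on the page
MIN_SIZE = 512
MAX_SIZE = 16384


def split_key_sizes(custom_value):
    """Return (accepted, ignored) for a comma-separated key size list."""
    accepted, ignored = [], []
    for token in (custom_value or "").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            size = int(token)
        except ValueError:
            ignored.append(token)  # assumption: non-numeric entries are ignored
            continue
        if MIN_SIZE <= size <= MAX_SIZE and size % 8 == 0:
            if size not in accepted:
                accepted.append(size)
        else:
            ignored.append(token)
    return accepted, ignored


def effective_key_sizes(custom_value):
    """Sizes offered after filtering; the defaults if nothing survives."""
    accepted, _ = split_key_sizes(custom_value)
    if accepted:
        return accepted
    return list(DEFAULT_KEY_SIZES)


def below_floor(sizes, floor=2048):
    """Sizes under a policy floor (2048 is an assumed policy, not IBM's)."""
    return [s for s in sizes if s < floor]


if __name__ == "__main__":
    # Constructed inputs: a clean list, a list with typos, an all-invalid list.
    for raw in ("2048,4096", "3072, 409, 16384, abc", "20480,2050"):
        sizes = effective_key_sizes(raw)
        print(raw, "->", sizes, "ignored:", split_key_sizes(raw)[1],
              "below floor:", below_floor(sizes))
```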
The listPersonalCertificates command lists the personal certificates in a particular keystore.
Target object
None.
Required parameters
Optional parameters
Example output
The command returns a list of attributes for each personal certificate in a keystore.
Examples
Batch mode example usage:
AdminTask.listPersonalCertificates('-keyStoreName myKS')
AdminTask.listPersonalCertificates(['-keyStoreName', 'myKS'])
Interactive mode example usage:
AdminTask.listPersonalCertificates('-interactive')
The queryCACertificate command queries your configuration to determine if the CA has completed the certificate. If the CA returns a personal certificate, then the system marks the certificate as COMPLETE. Otherwise, it remains marked as PENDING.
Target object
None.
Required parameters and return values
Optional parameters
Example output
The command returns one of two values: Certificate COMPLETE or certificate PENDING. If the command returns the Certificate COMPLETE message, the certificate authority returned the requested certificate and the default personal certificate is replaced. If the command returns the certificate PENDING message, the certificate authority did not yet return a certificate.
Examples
Batch mode example usage:
$AdminTask queryCACertificate {-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore}
AdminTask.queryCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore')
AdminTask.queryCACertificate(['-certificateAlias', 'newCertificate', '-keyStoreName', 'CellDefaultKeyStore'])
Interactive mode example usage:
AdminTask.queryCACertificate('-interactive')
The receiveCertificate command receives a signer certificate from a file to a personal certificate.
Target object
None.
Required parameters
Optional parameters
Example output
The command does not return output.
Examples
Batch mode example usage:
$AdminTask receiveCertificate {-keyStoreName testKeyStore -certificateFilePath c:/temp/CertFile.arm}
$AdminTask receiveCertificate {-keyStoreName testKeyStore -certificateFilePath /temp/CertFile.arm}
AdminTask.receiveCertificate('[-keyStoreName testKeyStore -certificateFilePath c:/temp/CertFile.arm]')
AdminTask.receiveCertificate('[-keyStoreName testKeyStore -certificateFilePath /temp/CertFile.arm]')
AdminTask.receiveCertificate(['-keyStoreName', 'testKeyStore', '-certificateFilePath', 'c:/temp/CertFile.arm'])
AdminTask.receiveCertificate(['-keyStoreName', 'testKeyStore', '-certificateFilePath', '/temp/CertFile.arm'])
Interactive mode example usage:
AdminTask.receiveCertificate('-interactive')
The renewCertificate command renews a certificate with a newly generated certificate.
Target object
None.
Required parameters
Optional parameters
Return value
The command does not return output.
Batch mode example usage
AdminTask.renewCertificate('-keyStoreName myKS -certificateAlias testCertificate')
AdminTask.renewCertificate(['-keyStoreName', 'myKS', '-certificateAlias', 'testCertificate'])
Interactive mode example usage
AdminTask.renewCertificate('-interactive')
The replaceCertificate command replaces a personal certificate with another personal certificate. The command finds each reference to the old certificate alias in the configuration and replaces the alias with the new one. The command also replaces each signer certificate from the old personal certificate with the signer from the new personal certificate.
Target object
None.
Required parameters and return values
Optional parameters
Example output
The command does not return output.
Examples
Batch mode example usage:
$AdminTask replaceCertificate {-keyStoreName testKeyStore -certificateAlias default -replacementCertificateAlias replaceCert -deleteOldCert true -deleteOldSigners true}
AdminTask.replaceCertificate('[-keyStoreName testKeyStore -certificateAlias default -replacementCertificateAlias replaceCert -deleteOldCert true -deleteOldSigners true]')
AdminTask.replaceCertificate(['-keyStoreName', 'testKeyStore', '-certificateAlias', 'default', '-replacementCertificateAlias', 'replaceCert', '-deleteOldCert', 'true', '-deleteOldSigners', 'true'])
Interactive mode example usage:
AdminTask.replaceCertificate('-interactive')
The requestCACertificate command creates a certificate request and sends the request to a certificate authority (CA). If the certificate authority returns a personal certificate, then the returned certificate replaces the certificate request in the keystore. The command also works with a preexisting certificate request that was created with the createCertificateRequest command. When the CA returns a personal certificate, the system marks the certificate as COMPLETE and the command returns a message stating that the certificate is complete. If the CA does not return a personal certificate, then the system marks the certificate request as PENDING and the command returns a message stating that the certificate is PENDING.
Target object
None.
Required parameters and return values
Optional parameters
Example output
The command returns one of two values: Certificate COMPLETE or certificate PENDING.
Examples
Batch mode example usage:
$AdminTask requestCACertificate {-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -CAClientName myCAClient -revocationPassword revokeCApw}
AdminTask.requestCACertificate('-certificateAlias newCertificate -keyStoreName CellDefaultKeyStore -CAClientName myCAClient -revocationPassword revokeCApw')
AdminTask.requestCACertificate(['-certificateAlias','newCertificate','-keyStoreName', 'CellDefaultKeyStore','-CAClientName','myCAClient','-revocationPassword', 'revokeCApw'])
Interactive mode example usage:
AdminTask.requestCACertificate('-interactive')
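The PENDING and COMPLETE flow described for requestCACertificate and queryCACertificate, as an added example that is not part of the original page: it submits the request and polls until the CA returns the certificate or the attempts run out. The helper name, the polling defaults, the substring match on COMPLETE and the FakeAdminTask stand-in are assumptions; inside wsadmin, pass the real AdminTask object.

```python
import time


def wait_for_ca_certificate(admin_task, alias, keystore, ca_client,
                            revocation_password, attempts=5, delay=60,
                            sleep=time.sleep):
    """Request a CA certificate, then poll queryCACertificate.

    Returns True once a COMPLETE message is seen, False if the request is
    still PENDING after `attempts` polls. admin_task is passed in so the
    logic can be exercised outside wsadmin.
    """
    status = admin_task.requestCACertificate([
        '-certificateAlias', alias, '-keyStoreName', keystore,
        '-CAClientName', ca_client,
        '-revocationPassword', revocation_password])
    polls = 0
    # Assumption: match on the word COMPLETE rather than the exact message.
    while 'COMPLETE' not in str(status).upper():
        if polls >= attempts:
            return False
        sleep(delay)
        status = admin_task.queryCACertificate([
            '-certificateAlias', alias, '-keyStoreName', keystore])
        polls += 1
    return True


class FakeAdminTask:
    """Constructed stand-in for AdminTask: PENDING for N polls, then COMPLETE."""

    def __init__(self, pending_polls):
        self.pending_polls = pending_polls
        self.queries = 0

    def requestCACertificate(self, args):
        return 'certificate PENDING'

    def queryCACertificate(self, args):
        self.queries += 1
        if self.queries > self.pending_polls:
            return 'Certificate COMPLETE'
        return 'certificate PENDING'


if __name__ == "__main__":
    fake = FakeAdminTask(pending_polls=2)
    print(wait_for_ca_certificate(fake, 'newCertificate', 'CellDefaultKeyStore',
                                  'myCAClient', 'constructed-pw', delay=0))
```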
The revokeCACertificate command sends a request to the CA to revoke the CA personal certificate of interest.
Target object
None.
Required parameters and return values
Optional parameters
Example output
AdminTask.getCertificate('-certificateAlias myCertificate -keyStoreName CellDefaultKeyStore')
Examples
Batch mode example usage:
$AdminTask revokeCACertificate {-keyStoreName CellDefaultKeyStore -certificateAlias myCertificate -revocationPassword pw4revoke}
AdminTask.revokeCACertificate('[-keyStoreName CellDefaultKeyStore -certificateAlias myCertificate -revocationPassword pw4revoke]')
AdminTask.revokeCACertificate(['-keyStoreName', 'CellDefaultKeyStore', '-certificateAlias', 'myCertificate', '-revocationPassword', 'pw4revoke'])
Interactive mode example usage:
AdminTask.revokeCACertificate('-interactive')