You can use the Jython or Jacl scripting languages to migrate
key store configurations. Use the commands in the SSLMigrationCommands
group to convert self-signed certificates to chained personal certificates
and to enable writable key rings.
The SSLMigrationCommands command group for the AdminTask object
includes the following commands:
convertSelfSignedCertificatesToChained command
The convertSelfSignedCertificatesToChained command converts specific
self-signed certificates to chained personal certificates.
Note: Chained certificates are the default certificate type in WebSphere
Application Server Version 7.0. The convertSelfSignedCertificatesToChained
command takes information from the self-signed certificate, such as the
issued-to DN, key size, and life span, and creates a chained certificate
with the same information. The new chained certificate replaces the
self-signed certificate. Signer certificates from the self-signed
certificate that are distributed across the security configuration are
replaced with the signer certificates from the root certificate used to
sign the chained certificate.
Syntax
The command has the following syntax:
wsadmin>$AdminTask convertSelfSignedCertificatesToChained
[-certificateReplacementOption ALL_CERTIFICATES | DEFAULT_CERTIFICATES | KEYSTORE_CERTIFICATES]
[-keyStoreName keystore_name]
[-keyStoreScope keystore_scope]
[-rootCertificateAlias alias_name]
Required parameters
- certificateReplacementOption
- Specifies which self-signed certificates are replaced. (String, required)
Specify the value for the parameter as one of the following options:
- ALL_CERTIFICATES
This option looks for all self-signed certificates in all keystores
within the specified scope. The scope can be provided in the
-keyStoreScope parameter. If no scope is provided using the -keyStoreScope
parameter, all scopes are visited.
- DEFAULT_CERTIFICATES
This option looks for self-signed certificates in the default
CellDefaultKeyStore and NodeDefaultKeyStore keystores within the specified
scope. The scope can be provided with the -keyStoreScope parameter.
If no scope is provided using the -keyStoreScope parameter, all scopes
are visited.
- KEYSTORE_CERTIFICATES
This option replaces only those self-signed certificates in
the keystore that is specified by the -keyStoreName parameter.
If no scope is provided using the -keyStoreScope parameter, the default
scope is used.
Optional parameters
- keyStoreName
- Specifies the name of a keystore in which to look for self-signed
certificates to convert. Use this parameter with the KEYSTORE_CERTIFICATES
option on the certificateReplacementOption parameter. (String, optional)
- keyStoreScope
- Specifies the name of the scope in which to look for the self-signed
certificates to convert. (String, optional)
- rootCertificateAlias
- Specifies the root certificate to use from the default root store
used to sign the chained certificate. The default value is root.
(String, optional)
Examples
Batch mode example usage:
Using Jacl:
$AdminTask convertSelfSignedCertificatesToChained {-certificateReplacementOption KEYSTORE_CERTIFICATES -keyStoreName testKS}
Using Jython string:
AdminTask.convertSelfSignedCertificatesToChained('[-certificateReplacementOption KEYSTORE_CERTIFICATES -keyStoreName testKS]')
Using Jython list:
AdminTask.convertSelfSignedCertificatesToChained(['-certificateReplacementOption', 'KEYSTORE_CERTIFICATES', '-keyStoreName', 'testKS'])
Interactive mode example usage:
Using Jacl:
$AdminTask convertSelfSignedCertificatesToChained {-interactive}
Using Jython:
AdminTask.convertSelfSignedCertificatesToChained('-interactive')
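The following wsadmin Jython script is an added example, not part of the IBM documentation: it converts the self-signed certificates of one keystore (the KEYSTORE_CERTIFICATES option described above) and then lists the keystore's personal certificates so the operator can confirm that each alias is now a chained certificate before the configuration is saved. The keystore name and scope are constructed placeholders, and listPersonalCertificates (PersonalCertificateCommands group) is assumed to accept the -keyStoreName and -keyStoreScope parameters.

```python
# Added example (not IBM's code). Run inside wsadmin:
#   wsadmin -lang jython -f convert_keystore.py
# Written to run on the Jython 2.1 that wsadmin ships with.

def conversion_args(ks_name, ks_scope=None, root_alias='root'):
    """Build the parameter list for convertSelfSignedCertificatesToChained.

    KEYSTORE_CERTIFICATES restricts the conversion to the named keystore;
    when ks_scope is None the parameter is omitted and the default scope
    is used, as the documentation above describes."""
    args = ['-certificateReplacementOption', 'KEYSTORE_CERTIFICATES',
            '-keyStoreName', ks_name,
            '-rootCertificateAlias', root_alias]
    if ks_scope:
        args = args + ['-keyStoreScope', ks_scope]
    return args


def convert_and_list(admin_task, ks_name, ks_scope=None, root_alias='root'):
    """Convert the keystore's self-signed certificates, then return the
    personal-certificate listing so the change can be reviewed."""
    admin_task.convertSelfSignedCertificatesToChained(
        conversion_args(ks_name, ks_scope, root_alias))
    list_args = ['-keyStoreName', ks_name]
    if ks_scope:
        list_args = list_args + ['-keyStoreScope', ks_scope]
    # Assumption: listPersonalCertificates returns one entry per certificate.
    certs = admin_task.listPersonalCertificates(list_args)
    print('Personal certificates in %s after conversion:' % ks_name)
    print(certs)
    return certs


# AdminTask and AdminConfig exist only inside a wsadmin session; outside it
# (for example when this file is imported by a test) the script does nothing.
try:
    _task, _config = AdminTask, AdminConfig
except NameError:
    _task = _config = None

if _task is not None:
    # Constructed placeholder keystore and scope; adjust for your cell.
    convert_and_list(_task, 'NodeDefaultKeyStore',
                     '(cell):localhostNode01Cell:(node):localhostNode01')
    # Persist the change; use AdminConfig.reset() instead to discard it.
    _config.save()
```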
enableWritableKeyrings command
The enableWritableKeyrings command modifies the keystore and enables
writable SAF support. The system uses this command during migration. The
command creates additional writable keystore objects for the control region
and servant region key rings for SSL keystores.
Required parameters
- -keyStoreName
- Specifies the name that uniquely identifies the keystore that
you want to delete. (String, required)
Optional parameters
- -controlRegionUser
- Specifies the control region user to use to enable writable key
rings. (String, optional)
- -servantRegionUser
- Specifies the servant region user to enable writable key rings.
(String, optional)
- -scopeName
- Specifies the name that uniquely identifies the management scope,
for example: (cell):localhostNode01Cell. (String, optional)
Examples
Batch mode example usage:
Using Jython string:
AdminTask.enableWritableKeyrings('[-keyStoreName testKS -controlRegionUser CRUser1 -servantRegionUser SRUser1]')
Using Jython list:
AdminTask.enableWritableKeyrings(['-keyStoreName', 'testKS', '-controlRegionUser', 'CRUser1', '-servantRegionUser', 'SRUser1'])
Interactive mode example usage:
Using Jython:
AdminTask.enableWritableKeyrings('-interactive')
convertSSLConfig command
The convertSSLConfig command migrates existing SSL configurations to the
new configuration object format for SSL configurations.
Required parameters
- -sslConversionOption
- Specifies how the system converts the SSL configuration. Specify
the CONVERT_SSLCONFIGS value to convert the SSL configuration
objects from the previous SSL configuration object to the new SSL
configuration object. Specify the CONVERT_TO_DEFAULT value
to convert the SSL configuration to a centralized SSL configuration,
which also removes the SSL configuration direct referencing from the
servers.
Optional parameters
None.
Examples
Batch mode example usage:
Using Jython string:
AdminTask.convertSSLConfig('[-sslConversionOption CONVERT_SSLCONFIGS]')
Using Jython list:
AdminTask.convertSSLConfig(['-sslConversionOption', 'CONVERT_SSLCONFIGS'])
Interactive mode example usage:
Using Jython:
AdminTask.convertSSLConfig('-interactive')