SSLMigrationCommands command group for the AdminTask object

You can use the Jython or Jacl scripting languages to migrate key store configurations. Use the commands in the SSLMigrationCommands group to convert self-signed certificates to chained personal certificates and to enable writable key rings.

The SSLMigrationCommands command group for the AdminTask object includes the following commands:

convertSelfSignedCertificatesToChained command

The convertSelfSignedCertificatesToChained command converts specific self-signed certificates to chained personal certificates.

Note: Chained certificates are the default certificate type in WebSphere Application Server Version 7.0. The convertSelfSignedCertificatesToChained command takes information from the self-signed certificate—such as issued-to DN, size, and life span—and creates a chained certificate with the same information. The new chained certificate replaces the self-signed certificate. Signer certificates from the self-signed certificate that are distributed across the security configuration are replaced with the signer certificates from the root certificate used to sign the chained certificate.

Syntax

The command has the following syntax:
wsadmin>$AdminTask convertSelfSignedCertificatesToChained
                     [-certificateReplacementOption ALL_CERTIFICATES | DEFAULT_CERTIFICATES | KEYSTORE_CERTIFICATES]
                     [-keyStoreName keystore_name]
                     [-keyStoreScope keystore_scope]
                     [-rootCertificateAlias alias_name]

Required parameters

certificateReplacementOption
Specifies which self-signed certificates the conversion replaces. (String, required)
Specify the value for the parameter as one of the following options:
ALL_CERTIFICATES

This option looks for all self-signed certificates in all keystores within the specified scope.

The scope can be provided in the -keyStoreScope parameter. If no scope is provided using the -keyStoreScope parameter, all scopes are visited.

DEFAULT_CERTIFICATES

This option looks for self-signed certificates in the default CellDefaultKeyStore and NodeDefaultKeyStore keystores within the specified scope.

The scope can be provided with the -keyStoreScope parameter. If no scope is provided using the -keyStoreScope parameter, all scopes are visited.

KEYSTORE_CERTIFICATES

This option replaces only those self-signed certificates in the keystore that are specified by the -keyStoreName parameter.

If no scope is provided using the -keyStoreScope parameter, the default scope is used.

Optional parameters

keyStoreName
Specifies the name of a keystore in which to look for self-signed certificates to convert. Use this parameter with the KEYSTORE_CERTIFICATES option on the certificateReplacementOption parameter. (String, optional)
keyStoreScope
Specifies the name of the scope in which to look for the self-signed certificates to convert. (String, optional)
rootCertificateAlias
Specifies the root certificate to use from the default root store used to sign the chained certificate. The default value is root. (String, optional)

Examples

Batch mode example usage:
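The following is an added example, not code from the original page or from IBM: a Jython-style helper that builds and checks the bracketed argument string for convertSelfSignedCertificatesToChained before the command is run, so that a mistyped option or a missing keystore name is caught before any certificate is replaced. The function names, the rule that KEYSTORE_CERTIFICATES must come with -keyStoreName, the character check, and the sample keystore and scope values are assumptions of this example.

```python
# Added example, not IBM's code. Kept to plain string handling so it can be
# tested under standard Python and then loaded into a wsadmin Jython session.

VALID_OPTIONS = ("ALL_CERTIFICATES", "DEFAULT_CERTIFICATES",
                 "KEYSTORE_CERTIFICATES")


def _check_value(flag, value):
    # Whitespace, brackets or quotes would change how wsadmin splits the
    # bracketed argument string, so refuse them instead of guessing.
    for ch in value:
        if ch.isspace() or ch in "[]\"'":
            raise ValueError("%s: unsupported character %r" % (flag, ch))
    return value


def build_convert_args(option, key_store_name=None, key_store_scope=None,
                       root_alias=None):
    """Build the argument string for convertSelfSignedCertificatesToChained."""
    if option not in VALID_OPTIONS:
        raise ValueError("unknown certificateReplacementOption: %s" % option)
    # Assumption of this example: treat a missing keystore name as an error.
    if option == "KEYSTORE_CERTIFICATES" and not key_store_name:
        raise ValueError("KEYSTORE_CERTIFICATES requires -keyStoreName")
    parts = ["-certificateReplacementOption", option]
    for flag, value in (("-keyStoreName", key_store_name),
                        ("-keyStoreScope", key_store_scope),
                        ("-rootCertificateAlias", root_alias)):
        if value is not None:
            parts.extend([flag, _check_value(flag, value)])
    return "[" + " ".join(parts) + "]"


def convert_and_save(admin_task, admin_config, option, **params):
    """Validate first, then run the command and save the configuration."""
    args = build_convert_args(option, **params)
    result = admin_task.convertSelfSignedCertificatesToChained(args)
    admin_config.save()
    return args, result


# In wsadmin, AdminTask and AdminConfig are already defined as script globals:
#   convert_and_save(AdminTask, AdminConfig, "KEYSTORE_CERTIFICATES",
#                    key_store_name="NodeDefaultKeyStore",
#                    key_store_scope="(cell):localhostNode01Cell")
```

Starting with KEYSTORE_CERTIFICATES and an explicit scope limits the signer replacement to one keystore before widening to DEFAULT_CERTIFICATES or ALL_CERTIFICATES.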

Interactive mode example usage:

enableWritableKeyrings command

The enableWritableKeyrings command modifies the keystore and enables writable SAF support. The system uses this command during migration. The command creates additional writable keystore objects for the control region and servant region key rings for SSL keystores.

Required parameters

-keyStoreName
Specifies the name that uniquely identifies the keystore that you want to delete. (String, required)

Optional parameters

-controlRegionUser
Specifies the control region user to use to enable writable key rings. (String, optional)
-servantRegionUser
Specifies the servant region user to use to enable writable key rings. (String, optional)
-scopeName
Specifies the name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)

Examples

Batch mode example usage:

Interactive mode example usage:

convertSSLConfig command

The convertSSLConfig command migrates existing SSL configurations to the new configuration object format for SSL configurations.

Required parameters

-sslConversionOption
Specifies how the system converts the SSL configuration. Specify the CONVERT_SSLCONFIGS value to convert the SSL configuration objects from the previous SSL configuration object to the new SSL configuration object. Specify the CONVERT_TO_DEFAULT value to convert the SSL configuration to a centralized SSL configuration, which also removes the direct SSL configuration references from the servers.

Optional parameters

None.

Examples

Batch mode example usage:

Interactive mode example usage:




Related concepts
Key management for cryptographic uses
Related tasks
Using the wsadmin scripting AdminTask object for scripted administration
Automating SSL configurations using scripting
Creating an SSL configuration at the node scope using scripting
Related reference
KeyStoreCommands command group for the AdminTask object

Last updated: Sep 19, 2011 3:08:41 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-nd-zos&topic=rxml_7sslmigration
File name: rxml_7sslmigration.html