WebSphere® Application Server provides the function to allow a WebSphere Application Server administrator to perform certificate management operations on System Authorization Facility (SAF) keyrings by using the Open Cryptographic Services Facility (OCSF) Data Library functions for SAF keyrings. This task migrates existing configurations and enables writable SAF keyrings.
Before you begin
This task is used for migrating keystore objects that have not been enabled for writable support through profile creation. Writable keyring support is only configurable when running z/OS® Release 1.9, or z/OS Release 1.8 with APAR OA22287 for Resource Access Control Facility (RACF®) (or the APAR for your equivalent security product) and APAR OA22295 for SAF.
Before starting this task, the wsadmin tool must be running. See the information about starting the wsadmin scripting client.
About this task
By default, if writable keyring support is enabled during profile management, the default keystore configurations are enabled for writable keyrings. Alternatively, if migrating from a previous WebSphere Application Server installation, you can enable writable keyrings for a keystore object using the following steps.
AdminTask can be used in interactive mode and batch mode. For automation, the batch mode options should be used. AdminTask batch mode can be called from a JACL or Jython script. Interactive mode steps you through all the parameters the task needs; required ones are marked with an asterisk (*). Before AdminTask runs the task, it echoes the batch mode syntax of the task to the screen. This can be helpful when writing batch mode scripts for automation.
The following attributes are needed to create writable SAF keyring keystore objects:
- keyStoreName
- controlRegionUser
- servantRegionUser
The interactive mode procedure to enable writable SAF keyrings is as follows:
Procedure
- Use interactive mode to step through all attributes and accept the default values for attributes if desired. The default value is shown in square brackets [] on the prompt line. The actual flag used in batch mode is shown in parentheses () on each prompt line. If you use the default value, the flag does not appear on the generated batch command line.
- An example of the output from step 1 appears below:
*Keystore Name (keyStoreName): NodeDefaultKeyStore
Management Scope Name (scopeName):
*Control region userid for z/OS (SAF) (controlRegionUser): CRRACFID
*Servant region userid for z/OS (SAF) (servantRegionUser): SRRACFID
Modify keystore for writable SAF support
F (Finish)
C (Cancel)
Select [F, C]: [F] F
WASX7278I: Generated command line: $AdminTask enableWritableKeyrings {-keyStoreName NodeDefaultKeyStore -controlRegionUser CRRACFID -servantRegionUser SRRACFID }
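The batch-mode equivalent of the echoed command, written as a wsadmin Jython script and added here as an example (it is not from the IBM documentation): it builds the parameter string, runs the task, saves the configuration and then checks that the -CR and -SR keystore objects described under Results exist. The parameter names come from the page; the one-config-id-per-line format assumed for AdminTask.listKeyStores() output is an assumption.

```python
# Added example (not from the IBM page): a wsadmin Jython script that runs the
# enableWritableKeyrings task in batch mode and then checks that the -CR and -SR
# keystore objects described under "Results" exist. Parameter names come from the
# page; the line format of AdminTask.listKeyStores() output is an assumption.

def build_enable_args(keystore_name, cr_user, sr_user, scope_name=None):
    """Build the batch-mode parameter string. scopeName is omitted when left at
    its default, just as the interactive echo drops defaulted flags."""
    parts = ['-keyStoreName', keystore_name,
             '-controlRegionUser', cr_user,
             '-servantRegionUser', sr_user]
    if scope_name:
        parts.extend(['-scopeName', scope_name])
    return '[' + ' '.join(parts) + ']'

def writable_keystore_names(keystore_name):
    """Names of the two keystore objects the task creates."""
    return [keystore_name + '-CR', keystore_name + '-SR']

def missing_writable_keystores(list_output, keystore_name):
    """Parse listKeyStores() output (assumed: one config id per line, such as
    'NodeDefaultKeyStore-CR(cells/c1|security.xml#KeyStore_2)') and return the
    -CR/-SR names that are not present."""
    present = []
    for line in list_output.splitlines():
        line = line.strip()
        if line:
            present.append(line.split('(')[0])
    return [n for n in writable_keystore_names(keystore_name) if n not in present]

def enable_writable_keyrings(keystore_name, cr_user, sr_user, scope_name=None):
    """Run the task, save the configuration and verify the result. AdminTask and
    AdminConfig are the objects wsadmin injects; this only works inside wsadmin."""
    AdminTask.enableWritableKeyrings(
        build_enable_args(keystore_name, cr_user, sr_user, scope_name))
    AdminConfig.save()
    missing = missing_writable_keystores(AdminTask.listKeyStores(), keystore_name)
    if missing:
        raise RuntimeError('writable keyring objects not created: %s' % ', '.join(missing))
    return writable_keystore_names(keystore_name)

# Inside wsadmin (wsadmin.sh -lang jython -f thisfile.py) run the page's example;
# outside wsadmin the helpers above can still be imported and unit-tested.
if 'AdminTask' in globals():
    print(enable_writable_keyrings('NodeDefaultKeyStore', 'CRRACFID', 'SRRACFID'))
```

The syntax is kept to what older wsadmin Jython levels accept (no f-strings, no exception binding with "as"), so the same file runs unchanged on older z/OS installations.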
Results
Two additional keystore objects are created that can be accessed using the administrative console to perform certificate operations on the appropriate keyring. The keystore objects are named your_keystore_name-CR and your_keystore_name-SR, where your_keystore_name is the name of the keystore specified on the create command. your_keystore_name-CR corresponds to the keyring owned by the RACF ID of the control region process, and your_keystore_name-SR corresponds to the keyring owned by the RACF ID of the servant region process. These keystores are created in the same scope as your_keystore_name and can be accessed using the administrative console from the your_keystore_name collection panel.
What to do next
Accessing writable SAF keyrings
- Click Security > SSL certificate and key management > Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration > Key stores and certificates > [keystore].
- Under Writable SAF Keyrings, click either Control Region Keyring or Servant Region Keyring to display the keystore collection panel for the control region keyring or the servant region keyring, respectively.
- Under Additional Properties, navigate to the certificate collection panels to perform certificate management operations.