Crypto commands
Crypto mode provides the commands to manage crypto resources on the DataPower® Gateway.
To enter crypto mode, use the global crypto command.
While in this mode, use the commands in the following table to manage crypto resources.
To exit crypto mode and save changes to the running configuration, use the exit command.
| Command | Purpose |
|---|---|
| certificate | This command creates a certificate object for an X.509 certificate file. |
| cert-monitor | This command enters certificate monitor mode. |
| cookie-attribute-policy | This command enters cookie attribute policy mode. |
| crl | This command enters CRL mode to create or modify a CRL update policy. |
| fwcred | This command enters service keystore mode. |
| idcred | This command enters keystore mode. |
| jose-recipient-identifier | This command enters recipient identifier mode. |
| jose-signature-identifier | This command enters signature identifier mode. |
| jwe-header | This command enters JWE header mode. |
| jwe-recipient | This command enters JWE recipient mode. |
| jwks | This command enters the mode to create a JWK Set. |
| jws-signature | This command enters JWS Signature mode. |
| jwt-generator | This command enters JWT Generator mode. |
| jwt-validator | This command enters JWT Validator mode. |
| kerberos-kdc | This command enters Kerberos KDC server mode. |
| kerberos-keytab | This command enters Kerberos keytab mode. |
| key | This command creates a private key object. |
| password-map | This command manages the mapping between password aliases and their plaintext values in an encrypted file. |
| social-login-policy | This command enters social login policy mode. |
| sshclientprofile | This command enters SSH client profile mode. |
| sshdomainclientprofile | This command enters SSH domain client profile mode. |
| sshserverprofile | This command enters SSH server profile mode. |
| sskey | This command creates a shared secret key. |
| ssl-client | This command enters TLS client profile mode. |
| ssl-server | This command enters TLS server profile mode. |
| ssl-sni-mapping | This command enters TLS hostname map mode. |
| ssl-sni-server | This command enters TLS SNI server profile mode. |
| valcred | This command enters truststore mode. |

| Command | Purpose |
|---|---|
| api-oauth-cache-delete | This command deletes entries for an OAuth provider from the OAuth cache. |
| authcookie-cache-delete | This command deletes AuthCookie cache entries. |
| convert-certificate | This command converts a certificate to a specific output format and writes it to a file. |
| convert-key | This command converts a private key to a specific output format and writes it to a file. |
| create-jwkset-file | This command uses a JSON string to create or overwrite the JSON file that contains a JWK Set. |
| create-luna-clientcert | This command generates the Luna HSM client key-certificate pair for the DataPower Gateway. |
| crypto-export | This command creates an export package that contains a certificate or key. |
| crypto-hw-disable | This command schedules which aspects of the crypto card to disable at the next firmware reload. |
| crypto-import | This command uses an input file to create a certificate or a key. For a key, the crypto file is created on the HSM. |
| crypto-mode-set | This command sets the crypto mode for the DataPower main task; the setting takes effect at the next firmware reload. |
| hsm-clone-kwk | This command clones the key wrapping key between HSM-equipped appliances. |
| hsm-delete-key | This command deletes a key from the HSM. |
| hsm-reinit | This command schedules an HSM reinitialization for the next restart. After you initialize the HSM, the next firmware reload deletes all private keys in the HSM. |
| hsm-set-role | This command specifies that the FIPS 140-3 role is CU or CO. |
| import-luna-clientcert | This command imports an existing Luna HSM client certificate-key pair for the DataPower Gateway. |
| kerberos-ticket-delete | This command deletes Kerberos tickets from the cache. |
| keygen | This command generates a key pair, which is either a public key and CSR or a public key and self-signed certificate. |
| oauth-cache-delete | This command deletes data for an OAuth client from the OAuth cache. |
| test password-map | This command tests the association between an encrypted password alias and a file. |