KeyStoreCommands command group for the AdminTask object

You can use the Jython or Jacl scripting languages to configure keystores with the wsadmin tool. A keystore is created by the application server during installation and can contain cryptographic keys or certificates. The commands and parameters in the KeyStoreCommands group can be used to create, delete, and manage keystores.

changeKeyStorePassword

The changeKeyStorePassword command modifies the password of a keystore. The command automatically saves the new password to the configuration.

Required parameters

-keyStoreName
Specifies the name of the keystore that needs a password change. (String, required)
-keyStorePassword
Specifies the current password that you want to change. (String, required)
-newKeyStorePassword
Specifies the new password to use to access the keystore. (String, required)
-newKeyStorePasswordVerify
Specifies the new password again to confirm the new keystore password. (String, required)

Optional parameters

-scopeName
Specifies the management scope of the keystore. (String, optional)

Examples

Batch mode example usage:

  • Using Jacl:
    $AdminTask changeKeyStorePassword {-keyStoreName myKeystore -keyStorePassword 
    WebAS -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd}
  • Using Jython string:
    AdminTask.changeKeyStorePassword('[-keyStoreName myKeystore -keyStorePassword WebAS -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd]')
  • Using Jython list:
    AdminTask.changeKeyStorePassword(['-keyStoreName', 'myKeystore', '-keyStorePassword', 
    'WebAS', '-newKeyStorePassword', 'newpwd', '-newKeyStorePasswordVerify', 'newpwd'])

Interactive mode example usage:

  • Using Jacl:
    $AdminTask changeKeyStorePassword {-interactive}
  • Using Jython:
    AdminTask.changeKeyStorePassword('-interactive')

changeMultipleKeyStorePasswords

The changeMultipleKeyStorePasswords command updates the password of every keystore in the configuration that has a specific password. This is useful because when you create keystore files on the system, they will have WebAS as a password by default.

Required parameters

-keyStorePassword
Specifies the current password that you want to change. (String, required)
-newKeyStorePassword
Specifies the new password that you will use to access the keystore. (String, required)
-newKeyStorePasswordVerify
Confirms the new keystore password. (String, required)

Optional parameters

None.

Examples

Batch mode example usage:

  • Using Jacl:
    $AdminTask changeMultipleKeyStorePasswords {-keyStorePassword WebAS 
    -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd}
  • Using Jython string:
    AdminTask.changeMultipleKeyStorePasswords('[-keyStorePassword WebAS -newKeyStorePassword newpwd -newKeyStorePasswordVerify newpwd]')
  • Using Jython list:
    AdminTask.changeMultipleKeyStorePasswords(['-keyStorePassword', 'WebAS', 
    '-newKeyStorePassword', 'newpwd', '-newKeyStorePasswordVerify', 'newpwd'])

Interactive mode example usage:

  • Using Jacl:
    $AdminTask changeMultipleKeyStorePasswords {-interactive}
  • Using Jython:
    AdminTask.changeMultipleKeyStorePasswords('-interactive')
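
Rotating the default WebAS password without writing the new password into a script, as an added example that is not part of the original documentation: it prompts for the new password, validates it, and uses the Jython list form so that each value is passed as its own element. The function names are hypothetical; the example assumes that the getpass module is available in the wsadmin Jython runtime and that listKeyStores returns one keystore per line.

```python
# Added example: Jython for `wsadmin -lang jython -f <script>`; also importable
# under plain Python, where AdminTask is absent and nothing is changed.
import getpass

DEFAULT_PASSWORD = 'WebAS'  # default keystore password named on this page


def build_rotation_args(old_password, new_password, verify_password):
    """Validate the new password and return the Jython list-form arguments."""
    if new_password != verify_password:
        raise ValueError('new password and verification do not match')
    if not new_password:
        raise ValueError('new password must not be empty')
    if new_password in (old_password, DEFAULT_PASSWORD):
        raise ValueError('new password must differ from the old and default')
    # List form: every value is a separate element, so a password that
    # contains spaces or brackets is not split the way a '[...]' string is.
    return ['-keyStorePassword', old_password,
            '-newKeyStorePassword', new_password,
            '-newKeyStorePasswordVerify', verify_password]


def rotate_default_passwords(admin_task, new_password, verify_password):
    """Change the password of every keystore that still uses the default.

    admin_task is the wsadmin AdminTask object, passed in so that the
    function can be exercised with a stand-in. Returns all keystores that
    were listed before the change (assumed: one per line), for the record.
    """
    args = build_rotation_args(DEFAULT_PASSWORD, new_password, verify_password)
    listed = admin_task.listKeyStores(['-all', 'true'])
    admin_task.changeMultipleKeyStorePasswords(args)
    return [line.strip() for line in listed.splitlines() if line.strip()]


try:
    AdminTask  # defined only when the script runs inside wsadmin
except NameError:
    pass
else:
    new = getpass.getpass('New keystore password: ')
    again = getpass.getpass('Re-enter new keystore password: ')
    for keystore in rotate_default_passwords(AdminTask, new, again):
        print('keystore in configuration: ' + keystore)
    AdminConfig.save()  # persist the configuration change
```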

createKeyStore

The createKeyStore command creates the keystore settings in the configuration and the keystore database.

Required parameters

-keyStoreName
The name that uniquely identifies the keystore configuration object. (String, required)
-keyStoreType
The implementation of the keystore management. (String, required)
-keyStoreLocation
The location of the keystore. For file-based keystores, the location is the file system path to the keystore database. For hardware keystores, the location is the path to the token library. (String, required)

[IBM i] If you create the IBMi5OSKeyStore keystore, the keystore location must include the .kdb file extension.

-keyStorePassword
The password that protects the keystore. (String, required)
-keyStorePasswordVerify
Confirms the password that protects the keystore. (String, required)

Optional parameters

-keyStoreProvider
The provider that is used to implement the keystore. (String, optional)
-keyStoreIsFileBased
Set the value of this parameter to true if the keystore is file based. Set the value of this parameter to false for hardware crypto keystores. (Boolean, optional)
-keyStoreHostList
A list of host names that indicate from where the keystore is remotely managed, separated by commas. (String, optional)
-keyStoreInitAtStartup
Set the value of this parameter to true if the keystore is initialized at startup. Otherwise, set the value of this parameter to false. (Boolean, optional)
-keyStoreReadOnly
Set the value of this parameter to true if you cannot write to the keystore. Otherwise, set the value of this parameter to false. (Boolean, optional)
-keyStoreStashFile
Set the value of this parameter to true if you want to create stash files for CMS type keystore. Otherwise, set the value of this parameter to false. (Boolean, optional)
-enableCryptoOperations
Specifies if the keystore object will be used for hardware cryptographic operations or not. The default value is false. (Boolean, optional)
-keyStoreDescription
Specifies user-defined text to describe the keystore of interest. (String, optional)
-keyStoreUsage
Specifies the keystore usage of interest. Specify SSLKeys, KeySetKeys, RootKeys, DeletedKeys, DefaultSigners, or RSATokenKeys. (String, optional)
-scopeName
The name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)
-controlRegionUser
Specifies the control region user to create a writable keystore object for the control region's key ring. Specify this option for SAF key rings when SAF writable key rings are enabled. (String, optional)
-servantRegionUser
Specifies the servant region user to create a writable keystore object for the servant region's key ring. Specify this option for SAF key rings when SAF writable key rings are enabled. (String, optional)

Examples

Batch mode example usage:

  • Using Jacl:
    $AdminTask createKeyStore {-keyStoreName testKS -keyStoreType JCEKS 
    -keyStoreLocation c:/temp/testKeyFile.p12 -keyStorePassword testpwd 
    -keyStorePasswordVerify testpwd -keyStoreIsFileBased true -keyStoreInitAtStartup 
    true -keyStoreReadOnly false}
  • Using Jython string:
    AdminTask.createKeyStore('[-keyStoreName testKS -keyStoreType JCEKS -keyStoreLocation c:/temp/testKeyFile.p12 -keyStorePassword testpwd -keyStorePasswordVerify testpwd -keyStoreIsFileBased true -keyStoreInitAtStartup true -keyStoreReadOnly false]')
  • Using Jython list:
    AdminTask.createKeyStore(['-keyStoreName', 'testKS', '-keyStoreType', 'JCEKS',
    '-keyStoreLocation', 'c:/temp/testKeyFile.p12', '-keyStorePassword', 'testpwd', 
    '-keyStorePasswordVerify', 'testpwd', '-keyStoreIsFileBased', 'true', 
    '-keyStoreInitAtStartup', 'true', '-keyStoreReadOnly', 'false'])

Interactive mode example usage:

  • Using Jacl:
    $AdminTask createKeyStore {-interactive}
  • Using Jython:
    AdminTask.createKeyStore('-interactive')

createCMSKeyStore

The createCMSKeyStore command creates a CMS keystore database and the keystore settings in the configuration.

Required parameters

-cmsKeyStoreURI
The URI of the CMS keystore. (String, required)
-pluginHostName
The host name of the plug-in. (String, required)

Optional parameters

None.

Examples

Batch mode example usage:

  • Using Jacl:
    $AdminTask createCMSKeyStore {-cmsKeyStoreURI CMSKeystoreURI -pluginHostName myHostName}
  • Using Jython string:
    AdminTask.createCMSKeyStore('-cmsKeyStoreURI CMSKeystoreURI -pluginHostName myHostName')
  • Using Jython list:
    AdminTask.createCMSKeyStore(['-cmsKeyStoreURI', 'CMSKeystoreURI', '-pluginHostName', 
    'myHostName'])

Interactive mode example usage:

  • Using Jacl:
    $AdminTask createCMSKeyStore {-interactive}
  • Using Jython:
    AdminTask.createCMSKeyStore('-interactive')

deleteKeyStore

The deleteKeyStore command deletes the settings of a keystore from the configuration and the keystore file.

Required parameters

-keyStoreName
The name that uniquely identifies the keystore that you want to delete. (String, required)

Optional parameters

-scopeName
The name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)
-removeKeyStoreFile
Specifies whether to remove the keystore file. Specify true to remove the keystore file or false to keep the keystore file in your configuration. (Boolean, optional)

Examples

Batch mode example usage:

  • Using Jacl:
    $AdminTask deleteKeyStore {-keyStoreName testKS}
  • Using Jython string:
    AdminTask.deleteKeyStore('[-keyStoreName testKS]')
  • Using Jython list:
    AdminTask.deleteKeyStore(['-keyStoreName', 'testKS'])

Interactive mode example usage:

  • Using Jacl:
    $AdminTask deleteKeyStore {-interactive}
  • Using Jython:
    AdminTask.deleteKeyStore('-interactive')

exchangeSigners

The exchangeSigners command exchanges signer certificates between keystores.

Required parameters

-keyStoreName1
The name that uniquely identifies a keystore. You must specify a second keystore name using the keyStoreName2 parameter. (String, required)
-keyStoreName2
The name that uniquely identifies a keystore. You must specify a second keystore name using the keyStoreName1 parameter. (String, required)

Optional parameters

-keyStoreScope1
The scope name of the keystore that you specified with the keyStoreName1 parameter. (String, optional)
-keyStoreScope2
The scope name of the keystore that you specified with the keyStoreName2 parameter. (String, optional)
-certificateAliasList1
A list of aliases separated by a comma. (String, optional)
-certificateAliasList2
A list of aliases separated by a comma. (String, optional)

Examples

Batch mode example usage:

  • Using Jacl:
    $AdminTask exchangeSigners {-keyStoreName1 testKS -certificateAliasList1 testCert1 
    -keyStoreName2 secondKS -certificateAliasList2 certAlis}
  • Using Jython string:
    AdminTask.exchangeSigners('[-keyStoreName1 testKS -certificateAliasList1 testCert1 -keyStoreName2 secondKS -certificateAliasList2 certAlis]')
  • Using Jython list:
    AdminTask.exchangeSigners(['-keyStoreName1', 'testKS', '-certificateAliasList1', 
    'testCert1', '-keyStoreName2', 'secondKS', '-certificateAliasList2', 
    'certAlis'])

Interactive mode example usage:

  • Using Jacl:
    $AdminTask exchangeSigners {-interactive}
  • Using Jython:
    AdminTask.exchangeSigners('-interactive')

getKeyStoreInfo

The getKeyStoreInfo command displays the settings of a particular keystore.

Required parameters

-keyStoreName
The name that uniquely identifies the keystore. (String, required)

Optional parameters

-scopeName
The name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)

Examples

Batch mode example usage:

  • Using Jacl:
    $AdminTask getKeyStoreInfo {-keyStoreName testKS}
  • Using Jython string:
    AdminTask.getKeyStoreInfo('[-keyStoreName testKS]')
  • Using Jython list:
    AdminTask.getKeyStoreInfo(['-keyStoreName', 'testKS'])

Interactive mode example usage:

  • Using Jacl:
    $AdminTask getKeyStoreInfo {-interactive}
  • Using Jython:
    AdminTask.getKeyStoreInfo('-interactive')

listKeyFileAliases

The listKeyFileAliases command lists the certificates in a keystore file.

Required parameters

-keyFilePath
The path of the key file. (String, required)
-keyFilePassword
The password for the key file. (String, required)
-keyFileType
The key file type. (String, required)

Optional parameters

None.

Examples

Batch mode example usage:

  • Using Jacl:
    [Windows]
    $AdminTask listKeyFileAliases {-keyFilePath c:/temp/testKeyFile.p12 
    -keyFilePassword testPwd -keyFileType PKCS12}
    [Linux][AIX][HP-UX][IBM i][Solaris]
    $AdminTask listKeyFileAliases {-keyFilePath /temp/testKeyFile.p12 
    -keyFilePassword testPwd -keyFileType PKCS12}
  • Using Jython string:
    [Windows]
    AdminTask.listKeyFileAliases('[-keyFilePath c:/temp/testKeyFile.p12 -keyFilePassword testPwd -keyFileType PKCS12]')
    [Linux][AIX][HP-UX][IBM i][Solaris]
    AdminTask.listKeyFileAliases('[-keyFilePath /temp/testKeyFile.p12 -keyFilePassword testPwd -keyFileType PKCS12]')
  • Using Jython list:
    [Windows]
    AdminTask.listKeyFileAliases(['-keyFilePath', 'c:/temp/testKeyFile.p12', 
    '-keyFilePassword', 'testPwd', '-keyFileType', 'PKCS12'])
    [Linux][AIX][HP-UX][IBM i][Solaris]
    AdminTask.listKeyFileAliases(['-keyFilePath', '/temp/testKeyFile.p12', 
    '-keyFilePassword', 'testPwd', '-keyFileType', 'PKCS12'])

Interactive mode example usage:

  • Using Jacl:
    $AdminTask listKeyFileAliases {-interactive}
  • Using Jython:
    AdminTask.listKeyFileAliases('-interactive')

listKeyStores

The listKeyStores command lists the keystores for a particular scope.

Required parameters

None.

Optional parameters

-scopeName
Specifies the name that uniquely identifies the management scope, for example: (cell):localhostNode01Cell. (String, optional)
-all
Specify the value of this parameter as true to list all keystores. This parameter overrides the scopeName parameter. The default value is false. (Boolean, optional)
-keyStoreUsage
Specifies the keystore usage of interest. Specify SSLKeys, KeySetKeys, RootKeys, DeletedKeys, DefaultSigners, or RSATokenKeys. (String, optional)

Examples

Batch mode example usage:

  • Using Jacl:
    $AdminTask listKeyStores
  • Using Jython:
    AdminTask.listKeyStores()

Interactive mode example usage:

  • Using Jacl:
    $AdminTask listKeyStores {-interactive}
  • Using Jython:
    AdminTask.listKeyStores('-interactive')

listKeyStoreTypes

The listKeyStoreTypes command lists all valid keystore types.

Required parameters

None.

Optional parameters

None.

Examples

Batch mode example usage:

  • Using Jacl:
    $AdminTask listKeyStoreTypes
  • Using Jython:
    AdminTask.listKeyStoreTypes()

Interactive mode example usage:

  • Using Jacl:
    $AdminTask listKeyStoreTypes {-interactive}
  • Using Jython:
    AdminTask.listKeyStoreTypes('-interactive')

listSignatureAlgorithms

The listSignatureAlgorithms command lists the signature algorithms that are valid for the current security level configured. If a security standard is not enabled, all signature algorithms are returned; otherwise, the valid signature algorithms for the configured security level are returned.

Required parameters

None.

Optional parameters

None.

Table 1. FIPS Level and compliant signature algorithms

Security mode            Available signature algorithms
FIPS not enabled         SHA1withRSA, SHA1withDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA
                         Note: SHA512withECDSA requires Java unrestricted policy installed.
FIPS140-2                SHA1withRSA, SHA1withDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA
SP800-131 - Transition   SHA1withRSA, SHA1withDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA
                         Note: SHA512withECDSA requires Java unrestricted policy installed.
SP800-131 - Strict       SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA
                         Note: SHA512withECDSA requires Java unrestricted policy installed.
Suite B 128              SHA256withECDSA
Suite B 192              SHA256withECDSA, SHA384withECDSA

modifyKeyStore

The modifyKeyStore command modifies attributes for an existing keystore. Only some keystore attributes are modifiable, depending on what you are modifying. Use the following guidelines to use the command:
  • To use this command to change the keystore file that the keystore object references, specify the keyStoreName, keyStoreLocation, keyStoreType, and keyStorePassword parameters.

Required parameters

-keyStoreName
Specifies the unique name that identifies the keystore. (String, required)

Optional parameters

-scopeName
Specifies the management scope of the keystore. (String, optional)
-keyStoreProvider
Specifies the provider for the keystore. (String, optional)
-keyStoreType
Specifies one of the predefined keystore types. Valid values are JCEKS, CMSKS, PKCS12, PKCS11, and JKS. (String, optional)
-keyStoreLocation
Specifies the fully qualified location of the keystore file. To modify the location of the keystore file, you must specify the keyStoreLocation, keyStoreType, keyStorePassword, and keyStoreName parameters. (String, optional)
-keyStorePassword
Specifies the password to open the keystore. Use the changeKeyStorePassword command to change the password of the keystore. (String, optional)
-keyStoreIsFileBased
Specifies whether the keystore is file-based. To modify whether the keystore is file-based, specify the keyStoreIsFileBased and keyStoreName parameters. (Boolean, optional)
-keyStoreInitAtStartup
Specifies whether the keystore initiates at server startup. To modify whether the keystore initiates at server startup, specify the keyStoreInitAtStartup and keyStoreName parameters. (Boolean, optional)
-keyStoreReadOnly
Specifies whether the keystore is writable. To modify whether the keystore is read-only, specify the keyStoreReadOnly and keyStoreName parameters. (Boolean, optional)
-keyStoreDescription
Specifies a statement that describes the keystore. To modify the keystore description, specify the keyStoreDescription and keyStoreName parameters. (String, optional)
-keyStoreUsage
Specifies the keystore usage of interest. Specify SSLKeys, KeySetKeys, RootKeys, DeletedKeys, DefaultSigners, or RSATokenKeys. (String, optional)

Examples

Batch mode example usage:

  • Using Jacl: [AIX Solaris HP-UX Linux Windows][IBM i]
    $AdminTask modifyKeyStore {-keyStoreName CellDefaultKeyStore 
    -keyStoreLocation c:/temp/testKeyFile.p12 -keyStoreType JCEKS 
    -keyStorePassword my1password}
  • Using Jython: [AIX Solaris HP-UX Linux Windows][IBM i]
    AdminTask.modifyKeyStore('-keyStoreName CellDefaultKeyStore -keyStoreLocation c:/temp/testKeyFile.p12 -keyStoreType JCEKS -keyStorePassword my1password')

Interactive mode example usage:

  • Using Jacl:
    $AdminTask modifyKeyStore {-interactive}
  • Using Jython:
    AdminTask.modifyKeyStore('-interactive')