Automating SSL configurations using scripting

An SSL configuration is needed for the product to make SSL connections with other servers. You can configure SSL through the administrative console, but the AdminTask object also provides a way to create an SSL configuration from a script, which is what you need for automation.

Before you begin

The wsadmin tool must be running. For more information, see the topic about starting the wsadmin scripting client.

About this task

AdminTask can be used in interactive mode and in batch mode. For automation, use batch mode; AdminTask batch mode commands can be called from a Jython script. Interactive mode steps through all the parameters the task needs; required parameters are marked with an asterisk (*). Before interactive mode runs the task, it echoes the batch mode syntax of the task to the screen, and you can copy that syntax into your batch mode scripts.

An SSL configuration requires the following attributes:
  • A keystore
  • Default client certificate alias
  • Default server certificate alias
  • Truststore
  • The handshake protocol
  • The ciphers needed during handshake
  • Supporting client authentication or not
To automate the creation of an SSL configuration, you might first need to create some of the objects these attributes refer to, such as the keystore, truststore, key manager, and trust managers.

Procedure

  • Create or change an SSL configuration.

    To create an SSL configuration, use the AdminTask createSSLConfig command. To change an SSL configuration, use the AdminTask modifySSLConfig command.

    • Interactive mode:

      Interactive mode steps you through all attributes and displays the default value of each attribute, if there is one. The default value is shown in brackets [] on the prompt line. The flag that batch mode uses for the attribute is shown in parentheses () on each prompt line. If you accept the default value, the flag is omitted from the generated batch command line.

    • Using Jacl:

      $AdminTask createSSLConfig -interactive
    • Using Jython:

      AdminTask.createSSLConfig ('[-interactive]')
    Example output:
    *SSL Configuration Alias (alias): testSSLConfig
    Management Scope Name (scopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
    Client Key Alias (clientKeyAlias): clientCert
    Server Key Alias (serverKeyAlias): serverCert
    SSL Type (type): [JSSE]
    Client Authentication (clientAuthentication): [false]
    Security Level of the SSL Configuration (securityLevel): [HIGH] HIGH
    Enabled Ciphers SSL Configuration (enabledCiphers): 
    JSSE Provider (jsseProvider): [IBMJSSE2]
    Client Authentication Support (clientAuthenticationSupported): [false]
    SSL Protocol (sslProtocol): [SSL_TLSv2] SSL_TLSv2
    Trust Manager Object Names (trustManagerObjectNames):
    *Trust Store Name (trustStoreName): testTrustStore
    Trust Store Scope (trustStoreScopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
    *Key Store Name (keyStoreName): testKeyStore
    Key Store Scope Name (keyStoreScopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
    Key Manager Name (keyManagerName): IbmX509
    Key Manager Scope Name (keyManagerScopeName): (cell):HOSTNode01Cell:(node):HOSTNode01
    
    Create SSL Configuration
    
    F (Finish)
    C (Cancel)
    
    Select [F, C]: [F]
    WASX7278I: Generated command line: $AdminTask createSSLConfig {-alias testSSLConfig 
    -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -clientKeyAlias clientCert 
    -serverKeyAlias serverCert -trustStoreName testTrustStore 
    -trustStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 
    -keyStoreName testKeyStore -keyStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 
    -keyManagerName IbmX509 -keyManagerScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 }
    (cells/HOSTNode01Cell|security.xml#SSLConfig_1137687301834)

    At the end of the output, the generated command line (message WASX7278I) gives the batch mode parameters, followed by the configuration ID of the new SSL configuration.

    • Batch mode:

      Using Jacl:

      $AdminTask createSSLConfig {-alias testSSLConfig 
      -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -clientKeyAlias clientCert 
      -serverKeyAlias serverCert -trustStoreName testTrustStore 
      -trustStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 
      -keyStoreName testKeyStore -keyStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 
      -keyManagerName IbmX509 -keyManagerScopeName (cell):HOSTNode01Cell:(node):HOSTNode01}
    • Using Jython:

      AdminTask.createSSLConfig ('[-alias testSSLConfig 
      -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 -clientKeyAlias clientCert 
      -serverKeyAlias serverCert -trustStoreName testTrustStore 
      -trustStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 
      -keyStoreName testKeyStore -keyStoreScopeName (cell):HOSTNode01Cell:(node):HOSTNode01 
      -keyManagerName IbmX509 -keyManagerScopeName (cell):HOSTNode01Cell:(node):HOSTNode01]')
    Example output:
    (cells/HOSTNode01Cell|security.xml#SSLConfig_1137687301834)
  • Create a keystore or truststore.

    The keystore and truststore might already exist, or you might need to create new ones. To create a new keystore or truststore, use the AdminTask createKeyStore command. It creates the keystore file and stores the corresponding configuration object in the system configuration. A truststore is a keystore that usually contains only signer certificates. To create a keystore, enter:

    • Using Jacl:

      $AdminTask createKeyStore {-keyStoreName testKeyStore  -keyStoreType PKCS12 
      -keyStoreLocation $(USER_INSTALL_ROOT)\testKeyStore.p12 -keyStorePassword abcd 
      -keyStorePasswordVerify abcd  -keyStoreIsFileBased true -keyStoreReadOnly false}
    • Using Jython:

      AdminTask.createKeyStore ('[-keyStoreName testKeyStore  -keyStoreType PKCS12 
      -keyStoreLocation $(USER_INSTALL_ROOT)\testKeyStore.p12 -keyStorePassword abcd 
      -keyStorePasswordVerify abcd  -keyStoreIsFileBased true -keyStoreReadOnly false]')

    To populate the keystore with certificates, see the topic about managing certificates with the administrative console and AdminTask. A keystore and a truststore are required to create an SSL configuration: name them with the -keyStoreName and -trustStoreName flags on the createSSLConfig command, and give their scopes with the -keyStoreScopeName and -trustStoreScopeName flags, as in the generated command line shown earlier.

  • Create a key manager.

    Key managers determine how a certificate is selected from the keystore. The IbmX509 key manager is in the security configuration by default. If you need a different key manager, use the AdminTask createKeyManager command to create it. To create a key manager, enter:

    • Using Jacl:

      $AdminTask createKeyManager {-name testKeyManager 
      -scopeName  (cell):HOSTNode01Cell:(node):HOSTNode01 
      -provider IBMJSSE2 -algorithm specialAlgorithm }
    • Using Jython:

      AdminTask.createKeyManager ('[-name testKeyManager 
      -scopeName  (cell):HOSTNode01Cell:(node):HOSTNode01 
      -provider IBMJSSE2 -algorithm specialAlgorithm]')

    To supply a key manager on the AdminTask createSSLConfig command, use the -keyManagerName flag along with the -keyManagerScopeName flag.

  • Create a trust manager.

    Trust managers determine how trust is established during SSL communication. The IbmX509 and IbmPKIX trust managers are in the security configuration by default. If a different or additional trust manager is needed, use the AdminTask createTrustManager command to create it. To create a trust manager, enter:

    • Using Jacl:

      $AdminTask createTrustManager {-name testTrustManager 
      -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 
      -provider IBMJSSE2 -algorithm specialAlgorithm }
    • Using Jython:

      AdminTask.createTrustManager ('[-name testTrustManager 
      -scopeName (cell):HOSTNode01Cell:(node):HOSTNode01 
      -provider IBMJSSE2 -algorithm specialAlgorithm]')

    An SSL configuration can have multiple trust managers. To supply multiple trust managers, give a colon (:) separated list of trust manager configuration IDs with the -trustManagerObjectNames flag. When you create a trust manager, its configuration object ID is returned. To get a list of the trust manager object IDs that already exist, use the listTrustManagers command of the AdminTask object with the -displayObjectName flag set to true. For example:

    wsadmin>$AdminTask listTrustManagers -interactive
    List Trust Managers
    
    List trust managers.
    
    Management Scope Name (scopeName):
    Display list in ObjectName Format (displayObjectName): [false] true
    
    List Trust Managers
    
    F (Finish)
    C (Cancel)
    
    Select [F, C]: [F]
    Inside generate script command
    WASX7278I: Generated command line: $AdminTask listTrustManagers {-displayObjectName true }
    IbmX509(cells/IBM-0AF8DABCF16Node01Cell|security.xml#TrustManager_IBM-0AF8DABCF16Node01_1)
    IbmPKIX(cells/IBM-0AF8DABCF16Node01Cell|security.xml#TrustManager_IBM-0AF8DABCF16Node01_2)
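The following script is an added example, not code from the IBM documentation or from the wsadmin product. It automates the whole procedure above in wsadmin Jython: it renders the `[-flag value ...]` parameter string that batch mode takes (refusing to run a command whose required flags are missing), creates the keystore and truststore, reads the trust manager configuration IDs out of the `Name(configId)` lines that listTrustManagers prints with -displayObjectName true, joins them with colons for -trustManagerObjectNames, and finally calls createSSLConfig. The names testKeyStore, testTrustStore, testSSLConfig, clientCert, serverCert and the scope string follow this page; the $(USER_INSTALL_ROOT) file locations, the password value and the RecordingAdminTask stand-in (used only when no AdminTask global is present, so the script can be checked offline under CPython) are assumptions.

```python
# Added example: end-to-end SSL configuration with AdminTask batch mode.
# Not part of the IBM documentation; names follow the page, the stand-in
# AdminTask and file locations are assumptions.
import re

# Flags the two creation commands will not accept without (from the prompts above).
REQUIRED = {
    "createKeyStore": ("keyStoreName", "keyStoreType", "keyStoreLocation",
                       "keyStorePassword", "keyStorePasswordVerify"),
    "createSSLConfig": ("alias", "keyStoreName", "trustStoreName"),
}

def build_params(command, pairs):
    """Render (flag, value) pairs as the '[-flag value ...]' string the Jython
    form of batch mode takes. A value of None is skipped so the product default
    (for example type=JSSE) stays in effect; list values are joined with ':'
    as -trustManagerObjectNames requires."""
    given = dict([(k, v) for k, v in pairs if v is not None])
    missing = [k for k in REQUIRED.get(command, ()) if k not in given]
    if missing:
        raise ValueError("%s: missing required flags %s" % (command, missing))
    parts = []
    for flag, value in pairs:
        if value is None:
            continue
        if isinstance(value, (list, tuple)):
            value = ":".join(value)
        parts.append("-%s %s" % (flag, value))
    return "[" + " ".join(parts) + "]"

OBJECT_NAME = re.compile(r"^\s*(\w+)\((.+)\)\s*$")

def parse_object_names(listing):
    """Turn the 'Name(configId)' lines printed by listTrustManagers with
    -displayObjectName true into a list of (name, configId) pairs."""
    found = []
    for line in listing.splitlines():
        m = OBJECT_NAME.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found

def trust_manager_ids(listing, wanted):
    """Pick the config IDs of the named trust managers, in the requested order,
    failing loudly if one is absent rather than silently configuring less trust."""
    ids = dict(parse_object_names(listing))
    missing = [name for name in wanted if name not in ids]
    if missing:
        raise ValueError("trust managers not found: %s" % missing)
    return [ids[name] for name in wanted]

def create_ssl_config(admin, scope, password, root, alias="testSSLConfig",
                      trust_managers=("IbmX509", "IbmPKIX"), client_auth="false"):
    """Create keystore, truststore and SSL configuration in dependency order.
    'admin' is the wsadmin AdminTask object; 'root' is the directory prefix for
    the store files (the page uses $(USER_INSTALL_ROOT)). Returns the
    createSSLConfig parameter string and the config ID the product reported."""
    for store in ("testKeyStore", "testTrustStore"):
        admin.createKeyStore(build_params("createKeyStore", [
            ("keyStoreName", store), ("keyStoreType", "PKCS12"),
            ("keyStoreLocation", "%s/%s.p12" % (root, store)),
            ("keyStorePassword", password), ("keyStorePasswordVerify", password),
            ("keyStoreIsFileBased", "true"), ("keyStoreReadOnly", "false"),
            ("scopeName", scope)]))
    listing = admin.listTrustManagers("[-displayObjectName true]")
    params = build_params("createSSLConfig", [
        ("alias", alias), ("scopeName", scope),
        ("clientKeyAlias", "clientCert"), ("serverKeyAlias", "serverCert"),
        ("type", None),                       # keep the product default, JSSE
        ("clientAuthentication", client_auth),
        ("keyStoreName", "testKeyStore"), ("keyStoreScopeName", scope),
        ("trustStoreName", "testTrustStore"), ("trustStoreScopeName", scope),
        ("keyManagerName", "IbmX509"), ("keyManagerScopeName", scope),
        ("trustManagerObjectNames", trust_manager_ids(listing, trust_managers))])
    return params, admin.createSSLConfig(params)

class RecordingAdminTask:
    """Constructed stand-in for the AdminTask global that wsadmin injects; used
    only when the script runs outside wsadmin. Records calls, returns made-up IDs."""
    LISTING = ("IbmX509(cells/HOSTNode01Cell|security.xml#TrustManager_1)\n"
               "IbmPKIX(cells/HOSTNode01Cell|security.xml#TrustManager_2)")
    def __init__(self):
        self.calls = []
    def createKeyStore(self, params):
        self.calls.append(("createKeyStore", params))
        return "(cells/HOSTNode01Cell|security.xml#KeyStore_example)"
    def listTrustManagers(self, params):
        self.calls.append(("listTrustManagers", params))
        return self.LISTING
    def createSSLConfig(self, params):
        self.calls.append(("createSSLConfig", params))
        return "(cells/HOSTNode01Cell|security.xml#SSLConfig_example)"

try:
    AdminTask                      # present when wsadmin runs this script
except NameError:
    AdminTask = RecordingAdminTask()

if __name__ == "__main__":
    scope = "(cell):HOSTNode01Cell:(node):HOSTNode01"
    params, config_id = create_ssl_config(AdminTask, scope, "example-password",
                                          "$(USER_INSTALL_ROOT)")
    print(params)
    print(config_id)
```

Run it with `wsadmin -lang jython -f create_ssl_config.py` inside the product, or with plain Python to check the generated parameter strings before touching a real cell. Two design points: -clientAuthentication is passed explicitly even at its default so the choice is visible in the script rather than inherited silently, and the keystore password is part of the command string (interactive mode echoes every parameter back in the WASX7278I line), so keep it out of committed scripts and read it at run time from a file with restricted permissions.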