Command-line interface

The IBM® Security Guardium® Key Lifecycle Manager command-line interface provides commands to match the function in the IBM Security Guardium Key Lifecycle Manager graphical user interface. The commands use the wsadmin interface that the WebSphere® Application Server provides.

Note:

The IBM Security Guardium Key Lifecycle Manager command-line interface commands are available with IBM Security Guardium Key Lifecycle Manager traditional only.
The IBM Security Guardium Key Lifecycle Manager command-line interface commands will be deprecated in the later versions of IBM Security Guardium Key Lifecycle Manager. Use the REST interfaces instead.
All references to the alias property of cryptographic keys and certificates in the graphical user interface, command-line interface, and REST interface will be deprecated in the later versions of IBM Security Guardium Key Lifecycle Manager.

wsadmin commands

You can run wsadmin commands in batch or interactive mode, in a script, or from a command prompt by using the wsadmin -c command.

Note: To successfully run commands on the IBM Security Guardium Key Lifecycle Manager command-line interface, which uses wsadmin commands, you must initially log in as root on systems such as Linux® or AIX®.

Use one of these formats for a command:

commandName

Starts a command that does not require an argument.

commandName options

Starts a command with the specified options. Use this syntax to enter interactive mode if -interactive mode is included in the options.

Note:

Empty values "" for attributes are allowed only in interactive mode.
In interactive mode, running a command with a space at the end of a value returns an error message. Be careful to not type extra spaces in commands when you use interactive mode.

The wsadmin tool supports two scripting languages: JACL and Jython. Because the Jython syntax for wsadmin is the strategic direction for WebSphere Application Server administrative automation, these examples use the Jython syntax.

The Jython syntax has a parameter and a value:

AdminTask.tklmConfigList()
AdminTask.tklmKeyStoreList('[-v y]')

To enable Jython, specify the wsadmin -lang jython command-line parameter. For example, change directory to the bin directory in WAS_HOME:

Windows systems: drive:\Program Files\IBM\WebSphere\AppServer\bin
Other systems such as Linux: /opt/IBM/WebSphere/AppServer/bin

Then, type:

Windows systems:

wsadmin -username SKLMAdmin 
-password mypwd -lang jython

Other systems such as AIX or Linux:

./wsadmin.sh -username SKLMAdmin 
-password mypwd -lang jython

Format output by using `print` for readability

In Jython, use print before the AdminTask command to format the output for readability. If you do not use print, output characters have a corrupted appearance in some languages.

Do not add print to an AdminTask command in a script file.

Session security by using wsadmin

There is no automatic timeout for an idle wsadmin session. To maintain a secure session, you must manually close the session. Ensure that your system has a password-protected screen lock.

IBM Security Guardium Key Lifecycle Manager commands by using wsadmin

To get a list of all command groups by using wsadmin, type:

print AdminTask.help ("-commandGroups")

Command groups for both IBM Security Guardium Key Lifecycle Manager and WebSphere Application Server are listed when you run commandGroups. The following list provides the IBM Security Guardium Key Lifecycle Manager command groups.

TKLMBackupCommands: Back up and restore IBM Security Guardium Key Lifecycle Manager data.
TKLMConfigurationCommands: Configure the IBM Security Guardium Key Lifecycle Manager application.
TKLMDefaultRolloverCommands: Manage certificates and key groups that are specified in a default rollover list.
TKLMDeviceCommands: Manage devices such as tape drives.
TKLMDeviceGroupCommands: Manage device groups such as the LTO device group.
TKLMGroupCommands: Manage groups of keys.
TKLMInfoCommands: Obtain more information such as the IBM Security Guardium Key Lifecycle Manager version number.
TKLMKeyCertManagementCommands: Manage keys and certificates.
TKLMKeyServerCommands: Manage an internal component that is called the keyserver.
TKLMKeyStoreCommands: Manage the IBM Security Guardium Key Lifecycle Manager keystore.
TKLMKMIPCommands: Manage KMIP objects.
TKLMMachineAffinityCommands: Manage the association of disk drives to DS5000 storage servers.
TKLMPendingAutoCommands: Manage the acceptance or rejection of devices in a list of pending devices to which IBM Security Guardium Key Lifecycle Manager might serve keys or certificates upon request.

To see all the commands in a group such as the certificate management commands group, type:

wsadmin>print AdminTask.help ("TKLMKeyCertManagementCommands")

To see the parameters for an individual command within a group, such as the tklmCertCreate command, type:

wsadmin>print AdminTask.help ("tklmCertCreate")

To extract and print the help for the command, type:

wsadmin>s = AdminTask.help("tklmCertCreate")
wsadmin>print s

Larger timeout interval for command processing

To ensure adequate time to run a command that requires significant processing, you might set a larger default timeout interval. To change the value, set the com.ibm.SOAP.requestTimeout parameter in the WAS_HOME/profiles/KLMProfile/properties/soap.client.props property to a larger value, or set the value to zero for no timeout.

Syntax examples

To specify attributes within a list of parameters, use double quotation marks (") and braces {} as delimiters. For example:

print AdminTask.tklmDeviceUpdate 
	('[-uuid DEVICE-64c588ad-5ed8-4934-8c84-64cb9e11d990 
		-attributes "{aliasTwo myPartner99}"]')

To avoid syntax errors in commands that you type at a prompt, do not copy and paste auto-generated commands into your command statements.

This example creates a group that has a name that contains spaces:

print AdminTask.tklmGroupCreate 
	('[-name "my Key Group" -type keygroup -usage LTO]')

To specify a value with more than one word for an attribute, use additional braces as delimiters. For example:

print AdminTask.tklmCertUpdate 
	('[-uuid CERTIFICATE-33fc26e-5fb5a0e66143 
 		-usage DS8000 -attributes "{information {new information}}"]')

Backslash character on Windows systems

wsadmin is a Java™ process that uses the backslash (\) as an escape character. On Windows systems, modify your specification of the path to a file by changing the backslash to a forward slash (/), or by using two backslash characters.

For example:

wsadmin>print AdminTask.tklmBackupRun 
	('[-backupDirectory c:\\tklm -description testBackUp 
	-databaseBackupDirectory c:\\tklmtempdir -password password]')

Backslash in multi-line command entry

To avoid overwriting the right margin of printed output, these command-line examples are arbitrarily divided into lengths that fit on a printed page. They do not show an escape or continuation character.

In actual commands, however, you might use the backslash (\) as an escape or continuation character. For example:

print AdminTask.tklmBackupList \
	('[-backupDirectory C:\\tipbak1\\tklmbackup1 -v y]')

The escape character cannot occur inside delimited values. A statement is not valid that places the backslash between a parameter such as -backupDirectory and its value. For example, this statement is not valid:

print AdminTask.tklmBackupList \
	('[-backupDirectory \
		C:\\tipbak1\\tklmbackup1 -v y]')

Parameter error messages

If you incorrectly type the name of a parameter in a command that you run, an error message returns the incorrect string.

For example, suppose that you type -uui by mistake, instead of typing -uuid as a parameter. The return message is like the following:

wsadmin>AdminTask.tklmDeviceDelete('[-uui adsflk]')
  WASX7015E: Exception running command: 
	"AdminTask.tklmDeviceDelete('[-uui adsflk]')"; exception information:
  com.ibm.ws.scripting.ScriptingException: WASX8009E: Invalid parameter: uui

Examine the parameters that you typed, by using the invalid parameter information as a guide. Make the appropriate correction. Then, try the command again.