Command-line interface
The IBM® Security Guardium® Key Lifecycle Manager command-line interface provides commands to match the function in the IBM Security Guardium Key Lifecycle Manager graphical user interface. The commands use the wsadmin interface that the WebSphere® Application Server provides.
- The IBM Security Guardium Key Lifecycle Manager command-line interface commands are available with IBM Security Guardium Key Lifecycle Manager traditional only.
- The IBM Security Guardium Key Lifecycle Manager command-line interface commands will be deprecated in the later versions of IBM Security Guardium Key Lifecycle Manager. Use the REST interfaces instead.
- All references to the alias property of cryptographic keys and certificates in the graphical user interface, command-line interface, and REST interface will be deprecated in the later versions of IBM Security Guardium Key Lifecycle Manager.
wsadmin commands
You can run wsadmin commands in batch or interactive mode, in a script, or from a command prompt by using the wsadmin -c command.
Use one of these formats for a command:
- commandName
- Starts a command that does not require an argument.
- commandName options
- Starts a command with the specified options. Use this syntax to
enter interactive mode if
-interactive
mode is included in the options.Note:- Empty values "" for attributes are allowed only in interactive mode.
- In interactive mode, running a command with a space at the end of a value returns an error message. Be careful to not type extra spaces in commands when you use interactive mode.
The wsadmin tool supports two scripting languages: JACL and Jython. Because the Jython syntax for wsadmin is the strategic direction for WebSphere Application Server administrative automation, these examples use the Jython syntax.
The Jython syntax has a parameter and a value:
AdminTask.tklmConfigList()
AdminTask.tklmKeyStoreList('[-v y]')
bin
directory
in WAS_HOME
:- Windows systems:
drive:\Program Files\IBM\WebSphere\AppServer\bin
- Other systems such as Linux:
/opt/IBM/WebSphere/AppServer/bin
Then, type:
- Windows systems:
wsadmin -username SKLMAdmin -password mypwd -lang jython
- Other systems such as AIX or Linux:
./wsadmin.sh -username SKLMAdmin -password mypwd -lang jython
Format output
by using print
for readability
In Jython,
use print
before the AdminTask command
to format the output for readability. If you do not use print
,
output characters have a corrupted appearance in some languages.
Do
not add print
to an AdminTask command
in a script file.
Session security by using wsadmin
There is no automatic timeout for an idle wsadmin session. To maintain a secure session, you must manually close the session. Ensure that your system has a password-protected screen lock.
IBM Security Guardium Key Lifecycle Manager commands by using wsadmin
To get a list of all command groups by using wsadmin, type:
print AdminTask.help ("-commandGroups")
Command groups for both IBM Security Guardium Key Lifecycle Manager and WebSphere Application Server are listed when you run commandGroups. The following list provides the IBM Security Guardium Key Lifecycle Manager command groups.
- TKLMBackupCommands
- Back up and restore IBM Security Guardium Key Lifecycle Manager data.
- TKLMConfigurationCommands
- Configure the IBM Security Guardium Key Lifecycle Manager application.
- TKLMDefaultRolloverCommands
- Manage certificates and key groups that are specified in a default rollover list.
- TKLMDeviceCommands
- Manage devices such as tape drives.
- TKLMDeviceGroupCommands
- Manage device groups such as the LTO device group.
- TKLMGroupCommands
- Manage groups of keys.
- TKLMInfoCommands
- Obtain more information such as the IBM Security Guardium Key Lifecycle Manager version number.
- TKLMKeyCertManagementCommands
- Manage keys and certificates.
- TKLMKeyServerCommands
- Manage an internal component that is called the keyserver.
- TKLMKeyStoreCommands
- Manage the IBM Security Guardium Key Lifecycle Manager keystore.
- TKLMKMIPCommands
- Manage KMIP objects.
- TKLMMachineAffinityCommands
- Manage the association of disk drives to DS5000 storage servers.
- TKLMPendingAutoCommands
- Manage the acceptance or rejection of devices in a list of pending devices to which IBM Security Guardium Key Lifecycle Manager might serve keys or certificates upon request.
To see all the commands in a group such as the certificate management commands group, type:
wsadmin>print AdminTask.help ("TKLMKeyCertManagementCommands")
To see the parameters for an individual command within a group, such as the tklmCertCreate command, type:
wsadmin>print AdminTask.help ("tklmCertCreate")
To extract and print the help for the command, type:
wsadmin>s = AdminTask.help("tklmCertCreate")
wsadmin>print s
Larger timeout interval for command processing
To ensure adequate time to run a command
that requires significant processing, you might set a larger default
timeout interval. To change the value, set the com.ibm.SOAP.requestTimeout parameter
in the WAS_HOME/profiles/KLMProfile/properties/soap.client.props
property
to a larger value, or set the value to zero for no timeout.
Syntax examples
To specify attributes within a list of parameters, use double quotation marks (") and braces {} as delimiters. For example:
print AdminTask.tklmDeviceUpdate
('[-uuid DEVICE-64c588ad-5ed8-4934-8c84-64cb9e11d990
-attributes "{aliasTwo myPartner99}"]')
To avoid syntax errors in commands that you type at a prompt, do not copy and paste auto-generated commands into your command statements.
This example creates a group that has a name that contains spaces:
print AdminTask.tklmGroupCreate
('[-name "my Key Group" -type keygroup -usage LTO]')
To specify a value with more than one word for an attribute, use additional braces as delimiters. For example:
print AdminTask.tklmCertUpdate
('[-uuid CERTIFICATE-33fc26e-5fb5a0e66143
-usage DS8000 -attributes "{information {new information}}"]')
Backslash character on Windows systems
wsadmin is a Java™ process that uses the backslash (\) as an escape character. On Windows systems, modify your specification of the path to a file by changing the backslash to a forward slash (/), or by using two backslash characters.
For example:
wsadmin>print AdminTask.tklmBackupRun
('[-backupDirectory c:\\tklm -description testBackUp
-databaseBackupDirectory c:\\tklmtempdir -password password]')
Backslash in multi-line command entry
To avoid overwriting the right margin of printed output, these command-line examples are arbitrarily divided into lengths that fit on a printed page. They do not show an escape or continuation character.
In actual commands, however, you might use the backslash (\) as an escape or continuation character. For example:
print AdminTask.tklmBackupList \
('[-backupDirectory C:\\tipbak1\\tklmbackup1 -v y]')
The
escape character cannot occur inside delimited values. A statement
is not valid that places the backslash between a parameter such as -backupDirectory
and
its value. For example, this statement is not valid:
print AdminTask.tklmBackupList \
('[-backupDirectory \
C:\\tipbak1\\tklmbackup1 -v y]')
Parameter error messages
If you incorrectly type the name of a parameter in a command that you run, an error message returns the incorrect string.
For example,
suppose that you type -uui
by mistake, instead of
typing -uuid
as a parameter. The return message is
like the following:
wsadmin>AdminTask.tklmDeviceDelete('[-uui adsflk]')
WASX7015E: Exception running command:
"AdminTask.tklmDeviceDelete('[-uui adsflk]')"; exception information:
com.ibm.ws.scripting.ScriptingException: WASX8009E: Invalid parameter: uui
Examine the parameters that you typed, by using the invalid parameter information as a guide. Make the appropriate correction. Then, try the command again.