Original Publish date : 8/28/2018

In this blog post we will see how to perform different operations on a KSS keystore using WLST:

1) List the available KSS keystores :

wls:/offline> connect()

# Create an object of OPSS KeyStoreService

wls:/wdsoaqau_domain/serverConfig/> svc = getOpssService(name='KeyStoreService')

wls:/wdsoaqau_domain/serverConfig/> svc.listKeyStores(appStripe='*')

2) List the certificates in KSS DemoTrust keystore (i.e. list all the aliases of a KSS keystore) :

This is similar to “keytool -list -keystore <>” command.

NOTE : the password for KSS trust keystore is the same as the weblogic user’s password.

svc.listKeyStoreAliases(appStripe='system', name='trust', password='welcome1', type='*')

3) Print the details of a particular certificate in KSS keystore 

This is similar to “keytool -list -v -alias <> -keystore <>” command.

svc.getKeyStoreCertificates(appStripe='system', name='trust', password='welcome1', alias='democa')

4) List the certificates in demoIdentity KSS keystore :

This is similar to “keytool -list -v -keystore <> -alias <>”

NOTE :

The storepass for demoIdentity KSS keystore is : DemoIdentityKeyStorePassPhrase

and the alias is : DemoIdentity

svc.getKeyStoreCertificates(appStripe='system', name='demoidentity', password='DemoIdentityKeyStorePassPhrase', alias='DemoIdentity')

5) Convert a KSS keystore to JKS keystore :

NOTE :

In this scenario we are trying to convert demoIdentity KSS keystore to demoIdentity JKS keystore.

Storepass : DemoIdentityKeyStorePassPhrase

Keypass : DemoIdentityPassPhrase

Alias : DemoIdentity

svc.exportKeyStore(appStripe='system', name='demoidentity', password='DemoIdentityKeyStorePassPhrase', aliases='DemoIdentity', keypasswords='DemoIdentityPassPhrase', type='JKS', filepath='/tmp/demoidentity_exported.jks')

You can then list the JKS keystore using the following command :

keytool -list -v -keystore /tmp/demoidentity_exported.jks

 

6) Delete a certificate from KSS keystore :

svc.deleteKeyStoreEntry(appStripe='opss', name='trustservice_ts', password='Welcome1', alias='xell', keypassword='Welcome1')

7) Import a JKS keystore into KSS keystore :

svc.importKeyStore(appStripe='opss', name='trustservice_ks', password='Welcome1', aliases='xell', keypasswords='Welcome1', type='JKS', permission=true, filepath='/opt/oracle/Middleware/user_projects/domains/iam_domain/config/fmwconfig/default-keystore.jks')

NOTE :

password is the keystore password and keypassword is the password of the alias.

svc.importKeyStoreCertificate(appStripe='appstripe1', name='keystore2', password='password', alias='mykey', keypassword='keypassword', type='Certificate', filepath='/tmp/cert.txt')

 

8) Change certificate password :

NOTE : 

password is the keystore password and keypassword is the password of the certificate alias.

svc.changeKeyPassword(appStripe='system1', name='keystore', password='password', alias='testkey', currentkeypassword='currentkeypassword', newkeypassword='newkeypassword')

 

9) Export a certificate or Trusted Certificate :

NOTE :

password is the keystore password and keypassword is the password of the alias.

svc.exportKeyStoreCertificate(appStripe='appstripe1', name='keystore2', password='password', alias='mykey', keypassword='keypassword', type='Certificate', filepath='/tmp/cert.txt')

 

10) Generate a keypair :

NOTE :

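password is the keystore password and keypassword is the password of the alias. keysize is the key length in bits; the 1024 shown below is weak by current standards, so use 2048 or larger for anything beyond a demo.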

svc.generateKeyPair(appStripe='appstripe2', name='keystore2', password='password', dn='cn=www.example.com', keysize='1024', alias='myalias', keypassword='keypassword')

 

11) Generate CSR for a keypair :

NOTE :

password is the keystore password and keypassword is the password of the alias. The CSR is exported to an operating system file.

svc.exportKeyStoreCertificateRequest(appStripe='stripe1', name='keystore1', password='password', alias='testalias', keypassword='keypassword', filepath='/tmp/csr-file')

 

NOTE :

Keystore Service supports import of PEM/BASE64-encoded certificates only. You cannot import DER-encoded certificates or trusted certificates into a KSS keystore.
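
The PEM-only restriction in the note above can be checked before calling importKeyStoreCertificate. This is an added example, not part of the original post: standard Python 3 run outside WLST, where the function names and the sample bytes are assumptions made for illustration.

```python
import base64
import re
import ssl

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def der_total_length(data):
    """Return the byte length declared by the outer DER SEQUENCE header, or None."""
    if len(data) < 2 or data[0] != 0x30:  # a certificate starts with SEQUENCE (0x30)
        return None
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_pem(data):
    """Classify certificate bytes and return (original_encoding, pem_text).

    Raises ValueError for anything that is neither PEM nor well-framed DER.
    Only the outer framing is checked, not the certificate contents.
    """
    match = PEM_RE.search(data)
    if match:
        try:
            der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except ValueError:
            raise ValueError("PEM body is not valid base64")
        if der_total_length(der) != len(der):
            raise ValueError("PEM body does not decode to one DER structure")
        return "PEM", ssl.DER_cert_to_PEM_cert(der)
    if der_total_length(data) == len(data):
        return "DER", ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a PEM or DER certificate (truncated or wrong format)")


# Constructed sample: a DER-framed blob, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    kind, pem = to_pem(SAMPLE_DER)
    print(kind)   # encoding of the input file
    print(pem)    # text to write to the file passed as filepath
```

Write the returned PEM text to a file and pass that path as filepath to importKeyStoreCertificate.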

12) Export KSS to Oracle Wallet :

svc.exportKeyStore(appStripe='mystripe', name='keystore3', password='mypassword', aliases='myorakey1,myorakey2', keypasswords='', type='OracleWallet', filepath='/tmp')

 

13) Import a wallet to KSS keystore :

svc.importKeyStore(appStripe='mystripe', name='keystore4', password='owPwd1234', aliases='myorakey1,myorakey2', keypasswords='', type='OracleWallet', permission=true, filepath='/tmp')