Enabling SSL on WS7.0* using CLI

Sun Java System Web Server 7.0 provides an easy-to-use command line tool, wadm, for installing and managing certificates. Enabling SSL on the server involves the following CLIs:

set-token-pin
create-selfsigned-cert
list-certs
create-cert-request
install-cert
delete-cert
set-ssl-prop


All the CLIs explained below are executed from the wadm prompt.
To enter the wadm prompt, run the following from <server-root>/bin (in this example the admin user is admin, the admin port is 8888, and the admin password is saved in <server-root>/bin/admin.pwd):
./wadm --user=admin --port=8888 --password-file=admin.pwd
wadm>

To see the usage of any CLI, enter the command name at the wadm prompt.


Prerequisites:
1) SJSWS 7.0 Technology Preview 1 installed
2) A config and an instance exist


Setting the token PIN for the internal token (optional):
wadm> set-token-pin --save-pin=true --token=internal --config=config1
Please enter token-pin> {Enter token pin if set already}
Please enter new-token-pin> {Enter new pin, say 88888888}
Please enter new-token-pin again> {88888888}
CLI201 Command 'set-token-pin' ran successfully

The PIN can also be supplied in a password file, which holds the PIN in clear text and should therefore be readable only by the administrative user:
vi <server-root>/bin/certdb.pwd

wadm_token_pin=12345678
wadm_new_token_pin=88888888

=========================

wadm> set-token-pin --save-pin=true --password-file=certdb.pwd --token=internal --config=config1

Note: for the remaining CLIs, if wadm_token_pin is set in the password file, the user is not prompted for the PIN each time.


Creating self-signed certificates:

Key type: RSA (there is an option to specify the key size)
wadm> create-selfsigned-cert --token=internal --validity=12 --org=SUN --country=IN --key-type=rsa --config=config1 --server-name=server1 --nickname=cert1
CLI201 Command 'create-selfsigned-cert' ran successfully

Key type: ECC (there is an option to specify the curve name)
wadm> create-selfsigned-cert --token=internal --validity=12 --org=SUN --country=IN --key-type=ecc --config=config1 --server-name=server2 --nickname=cert2
CLI201 Command 'create-selfsigned-cert' ran successfully


Listing the installed certificates:

The same CLI is used with different values of cert-type to list server and CA certificates.

wadm> list-certs --token=internal --cert-type=server --config=config1
cert1
cert2

wadm> list-certs --token=internal --cert-type=ca --config=config1
Builtin Object Token:Verisign/RSA Secure Server CA
Builtin Object Token:GTE CyberTrust Root CA
Builtin Object Token:GTE CyberTrust Global Root
Builtin Object Token:Thawte Personal Basic CA
.
.
.
.

Generating a certificate request:

wadm> create-cert-request --org=SUN --config=config1 --token=internal --server-name=server3

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBXzCByQIBADAgMQwwCgYDVQQKEwNTVU4xEDAOBgNVBAMTB3NlcnZlcjMwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMDp+9nvsAglieLcgXQ/czAAn5xlsx1a
/3cZc9FlZw3/ILJ3/eMDVbo9ZrQLinW+xk7tYwH5zLPnhJFad55XSr2yT/1tHG8u
gjHFXninrSsNNjg47jt6Q+RUWKy/HOgXhqAXtBz+eyvzGUFK1OcZhK2xim1dXAg3
hS1X53G/1TUtAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAeKF4itZlI3jGgqjNk
bxKR6PvEjYqQlo6Ux9BLTXCYxKpHQMcJLOENt3IyB9UqUFRDJZGsX4/TDIWcm+oM
0ny/xAAsHNsj8Rt1cu9uBCIMicJbBqhESj+LWZSIO+yQ2OlNyqhV4APpKyh8tSbJ
qSxgnLG+ozaAxOpJbEFg++HcQw==
-----END NEW CERTIFICATE REQUEST-----

Copy the above request to a file and have it signed by a certificate authority (CA).
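Before handing the request to a CA it is worth decoding it and confirming that the subject matches what was passed to create-cert-request and that the key and signature are acceptable. The script below is an added example, not part of the original post or of Web Server 7.0: it contains a small DER walker for PKCS#10 requests (standard library only), is loaded with the request printed above, and its 2048-bit RSA minimum and its list of weak signature hashes are this example's own policy assumptions. Decoding the request above yields subject O=SUN, CN=server3, a 1024-bit RSA key and an md5WithRSAEncryption self-signature, so both policy checks fire on it.

```python
import base64
import re

# Certificate request exactly as printed by "wadm create-cert-request" above.
CSR_PEM = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBXzCByQIBADAgMQwwCgYDVQQKEwNTVU4xEDAOBgNVBAMTB3NlcnZlcjMwgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMDp+9nvsAglieLcgXQ/czAAn5xlsx1a
/3cZc9FlZw3/ILJ3/eMDVbo9ZrQLinW+xk7tYwH5zLPnhJFad55XSr2yT/1tHG8u
gjHFXninrSsNNjg47jt6Q+RUWKy/HOgXhqAXtBz+eyvzGUFK1OcZhK2xim1dXAg3
hS1X53G/1TUtAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAeKF4itZlI3jGgqjNk
bxKR6PvEjYqQlo6Ux9BLTXCYxKpHQMcJLOENt3IyB9UqUFRDJZGsX4/TDIWcm+oM
0ny/xAAsHNsj8Rt1cu9uBCIMicJbBqhESj+LWZSIO+yQ2OlNyqhV4APpKyh8tSbJ
qSxgnLG+ozaAxOpJbEFg++HcQw==
-----END NEW CERTIFICATE REQUEST-----"""

# Standard OIDs this example can name; anything else is reported in dotted form.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.2.1": "ecPublicKey", "1.2.840.10045.3.1.7": "prime256v1", "1.3.132.0.34": "secp384r1",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}  # example policy, not the page's

def pem_to_der(pem):
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def children(contents):
    """Split the contents of a constructed element into its (tag, contents) members."""
    out, pos = [], 0
    while pos < len(contents):
        tag, value, pos = read_tlv(contents, pos)
        out.append((tag, value))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def oid_name(raw):
    oid = decode_oid(raw)
    return OID_NAMES.get(oid, oid)

def parse_csr(pem):
    """Return subject, key algorithm/size and signature algorithm of a PKCS#10 request."""
    _, body, _ = read_tlv(pem_to_der(pem), 0)                   # CertificationRequest
    (_, info), (_, sig_alg), _signature = children(body)
    (_, _version), (_, name), (_, spki), _attrs = children(info)
    subject = []
    for _, rdn in children(name):                                 # Name ::= SEQUENCE OF SET
        for _, atv in children(rdn):                              # AttributeTypeAndValue
            (_, type_raw), (_, value) = children(atv)
            subject.append((oid_name(type_raw), value.decode("ascii")))
    (_, alg), (_, key_bits) = children(spki)
    alg_parts = children(alg)
    key_alg, key_size, curve = oid_name(alg_parts[0][1]), None, None
    if key_alg == "rsaEncryption":
        _, rsa_key, _ = read_tlv(key_bits, 1)                     # skip the unused-bits octet
        (_, modulus), _exponent = children(rsa_key)
        key_size = int.from_bytes(modulus, "big").bit_length()
    elif key_alg == "ecPublicKey":
        curve = oid_name(alg_parts[1][1])                         # namedCurve parameter
    return {"subject": subject, "key_algorithm": key_alg, "key_bits": key_size,
            "curve": curve, "signature_algorithm": oid_name(children(sig_alg)[0][1])}

def check_request(pem, expected_org, expected_cn, min_rsa_bits=2048):
    """Compare a request with what was asked of create-cert-request; return (info, findings)."""
    info = parse_csr(pem)
    subject = dict(info["subject"])
    findings = []
    if subject.get("O") != expected_org:
        findings.append(f"O is {subject.get('O')!r}, expected {expected_org!r}")
    if subject.get("CN") != expected_cn:
        findings.append(f"CN is {subject.get('CN')!r}, expected {expected_cn!r}")
    if info["key_algorithm"] == "rsaEncryption" and info["key_bits"] < min_rsa_bits:
        findings.append(f"RSA key is {info['key_bits']} bits, below the {min_rsa_bits}-bit minimum")
    if info["signature_algorithm"] in WEAK_SIGNATURES:
        findings.append(f"request is self-signed with {info['signature_algorithm']}")
    return info, findings
```

The walker covers only what a Web Server 7.0 request contains (a SEQUENCE-of-SET subject with printable strings, an RSA or EC key, empty attributes); for anything richer use a full ASN.1 library. Call check_request(CSR_PEM, "SUN", "server3") and treat a non-empty findings list as a reason to regenerate the request with a larger key before submitting it.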


Installing CA-signed server certificates, CA certificates and certificate chains:

The same CLI is used with different values of cert-type to install a server certificate, a CA certificate or a certificate chain.

To install a CA-signed server certificate, first generate a request with create-cert-request and have it signed by the CA. Then use the following CLI, giving the path to the CA-signed certificate file, which may be in ASCII or binary format.

wadm> install-cert --config=config1 --token=internal --cert-type=server --nickname=cert3 /space/certreq/server.cert
CLI201 Command 'install-cert' ran successfully

For a CA certificate or a certificate chain, provide the certificate file:
wadm> install-cert --config=config1 --token=internal --nickname="Cert Manager" --cert-type=ca /space/certreq/ca.cert
CLI201 Command 'install-cert' ran successfully

Use list-certs with cert-type set to server or ca to verify that these certificates were installed.


Deleting certificates:

wadm> delete-cert --token=internal --config=config1 cert1
CLI201 Command 'delete-cert' ran successfully


Enabling SSL:

To enable SSL on the default listener using certificate cert2:

wadm> set-ssl-prop --config=config1 --http-listener=http-listener-1 server-cert-nickname=cert2
CLI201 Command 'set-ssl-prop' ran successfully


wadm> get-ssl-prop --config=config1 --http-listener=http-listener-1
tls=true
server-cert-nickname=[cert2]
client-auth-timeout=60
client-auth=false
enabled=false
ssl2=false
max-client-auth-data=1048576
tls-rollback-detection=true
ssl3=true

Other properties, such as the SSL/TLS protocol settings and client authentication, can be edited with the same set-ssl-prop CLI. Note that the listing above still shows enabled=false for the listener; check that property on your own listener and, if SSL does not come up after deployment, set enabled=true with the same CLI.

Deploy the config and start the instance.

wadm> deploy-config config1
CLI201 Command 'deploy-config' ran successfully

wadm> start-instance --config=config1 server1
CLI204 Successfully started the server instance.

Now you have an SSL-enabled instance running.
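A practitioner usually wants to audit the listener's SSL properties before deploying rather than read the get-ssl-prop listing by eye. The script below is an added example, not code from the post or from Web Server 7.0: it parses the get-ssl-prop output printed above (embedded as a constructed sample), compares it with a target policy, and emits the set-ssl-prop operands, in the name=value form the post uses, needed to reach that policy. The target values (enabled=true, tls=true, ssl2=false, ssl3=false) are this example's own policy; the post does not say whether the Technology Preview build needs enabled set explicitly, so the audit flags it for you to confirm. Running wadm as "./wadm <command> <options>" from the OS shell, as audit_listener does, is also assumed; the post only shows the interactive wadm> prompt.

```python
import subprocess

# get-ssl-prop listing for http-listener-1 as printed above, kept here as a constructed sample.
PAGE_SSL_PROPS = """tls=true
server-cert-nickname=[cert2]
client-auth-timeout=60
client-auth=false
enabled=false
ssl2=false
max-client-auth-data=1048576
tls-rollback-detection=true
ssl3=true
"""

# Target values before a listener is deployed. Turning SSLv2/SSLv3 off is this example's
# policy, not something the post prescribes.
WANTED = {"enabled": "true", "tls": "true", "ssl2": "false", "ssl3": "false"}

def parse_ssl_props(text):
    """Turn the name=value lines printed by get-ssl-prop into a dict; other lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("CLI"):    # skip CLI2xx status lines
            name, value = line.split("=", 1)
            props[name.strip()] = value.strip()
    return props

def audit_ssl_props(props):
    """Return the set-ssl-prop operands (name=value) needed to reach WANTED."""
    fixes = [f"{name}={wanted}" for name, wanted in WANTED.items() if props.get(name) != wanted]
    if not props.get("server-cert-nickname", "").strip("[]"):     # printed as [cert2] on the page
        fixes.append("server-cert-nickname=<nickname from list-certs>")  # placeholder value
    return fixes

def apply_fixes(props, fixes):
    """Simulate the listener properties once the fixes have been applied."""
    updated = dict(props)
    for fix in fixes:
        name, value = fix.split("=", 1)
        updated[name] = value
    return updated

def wadm_command(action, config, listener, operands=(), user="admin", port=8888, password_file="admin.pwd"):
    """Build a one-shot wadm command line (assumed 'wadm <command> <options>' invocation)."""
    return ["./wadm", action, f"--user={user}", f"--port={port}", f"--password-file={password_file}",
            f"--config={config}", f"--http-listener={listener}", *operands]

def audit_listener(config, listener, **conn):
    """Fetch the live properties with get-ssl-prop and return the fixes needed (needs wadm installed)."""
    out = subprocess.run(wadm_command("get-ssl-prop", config, listener, **conn),
                         check=True, capture_output=True, text=True).stdout
    return audit_ssl_props(parse_ssl_props(out))

if __name__ == "__main__":
    fixes = audit_ssl_props(parse_ssl_props(PAGE_SSL_PROPS))
    print("needed:", fixes)
    print("run:", " ".join(wadm_command("set-ssl-prop", "config1", "http-listener-1", fixes)))
```

On the listing above the audit returns ["enabled=true", "ssl3=false"]; feed those operands to set-ssl-prop, run get-ssl-prop again, and only deploy-config once the audit returns an empty list.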

========================================

Installing certificates and enabling SSL through the administration GUI, and installing binary certificates, will be discussed in the next couple of posts...


*Sun Java System Web Server 7.0 Technology Preview 1

