How do I create a new keystore file with wsadmin tool in websphere.
I tried this command
AdminTask.createKeyStore('-keyStoreName <someName>
-keyStoreType PKCS12
-keyStoreLocation <some file location.p12>
-keyStorePassword <pwd>
-keyStorePasswordVerify <pwd>'
)
but looks like it just loads the keystore in the given location. but i want to create a new keystore and store it in the given location.
What command should I use for that?
Thanks.
What do you mean it 'loads keystore'?
I've used the following command:
AdminTask.createKeyStore('[-keyStoreName testKS -keyStoreType PKCS12
-keyStoreLocation c:/testKeyFile.p12 -keyStorePassword testpwd
-keyStorePasswordVerify testpwd -keyStoreIsFileBased true
-keyStoreInitAtStartup true -keyStoreReadOnly false]')
and I see keystore correctly created in the file system, and also visible via admin console.
Remember to call AdminConfig.save() afterwards to save changes.
See details here KeyStoreCommands command group for the AdminTask object
Related
In my spring boot application I making a https(secure) request. For that I need pass flowing argument as JVM argument.
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
Eg :
-Djavax.net.ssl.trustStore=~/home/dinusha/keystore.jks -Djavax.net.ssl.trustStorePassword=pass
In PCF (Cloud Foundry) I can not copy keystore.jks file to PCF. So how can I pass this values on PCF
You have to bundle the keystore.jks file with application. Please find the step bellow.
Put your keystore.jks file into you application resources(src/main/resources) folder.
Add the keystore.jks path and it's password in the application.properties
client.ssl.trust-store = keystore.jks
client.ssl.trust-password = pass
Now get the property value form application.properties
#value("${client.ssl.trust-password}")
private String trustPassword
#value("${client.ssl.trust-store}")
private String trustStore
Now initialize flowing properties
System.setProperty("javax.net.ssl.trustStore", trustStore);
System.setProperty("javax.net.ssl.trustStorePassword",trustPassword);
Finaly push to PCF
Best to refer and store Keystore.jks and trustStrore.jks is to outsiode your application (WAR , JAR , EAR).
And yes , for request you donot neend ketstore instead you require truststore.jks.
You can store it in GIT or some othe Repo location and point to that location from your application via CloundFoundry.
Put your keystore.jks file into you application resources(src/main/resources) folder.
Add the Truststore.jks path and it's password in the application.properties
*client.ssl.trust-store = keystore.jks
client.ssl.trust-password = pass*
Now get the property value form application.properties
#value("${client.ssl.trust-password}")
private String trustPassword
#value("${client.ssl.trust-store}")
private String trustStore
Put the location with protocol details in manifest file like below :
env:
loglevel: DEBUG,APP
JAVA_OPTS: -XX:+UseConcMarkSweepGC
TRUSTSTORE_LOCATION: https://XXXX:yyyyyy#svninst1.uk.fid-intl.com:18080/svn/TAPP100367DC_API/trunk/dc-Member-Api/dc-Member-Api-web/src/main/resources/cacerts.jks
and get it like:
#value("${client.ssl.trust-password}")
private String trustPassword
#value("${TRUSTSTORE_LOCATION}")
private String trustStore
For specifying the preferenced order of encryption algorithms in GPG I use
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP, NULL, CONFIG_DIR);
to set a custom config file. However how can I check if this operation was successful? home_dir is set to the given value, but this also happens if I pass a directory without a config file. I can't see any function or call in the documentation to evaluate if the config file was loaded OR what the current preference order is.
The function returns an error value if a problem occured. From the documentation:
This function returns the error code GPG_ERR_NO_ERROR if successful, or an eror code on failure.
You observed unexpected behavior with setting a home directory without a configuration file:
home_dir is set to the given value, but this also happens if I pass a directory without a config file.
This is expected behavior in GnuPG. An empty configuration file is not an error, but simply means no other configuration but the defaults is in place. Similar things happen if you pass --homedir to GnuPG with a reference to an empty folder: GnuPG will try to initialize this folder as a home directory, but print an information message:
$ LANG=C gpg --homedir /tmp
gpg: keyring `/tmp/secring.gpg' created
gpg: keyring `/tmp/pubring.gpg' created
gpg: Go ahead and type your message ...
If you want to verify the folder is already set up, I'd propose to verify some options you'd expect, or test for a configuration file (or whatever you expect to be available) on your own.
I'm trying to configure SSL. Hovever, I get an exception saying
org.springframework.context.ApplicationContextException: Unable to start embedded container; nested exception is org.springframework.boot.context.embedded.EmbeddedServletContainerException: Could not find key store classpath:keystore.jks
This is my application-https.properties file:
server.port = 8443
server.ssl.key-store = classpath:keystore.jks
server.ssl.key-store-password = secret
server.ssl.key-password = another-secret
spring.datasource.url=jdbc:postgresql://127.0.0.1:5432/postgres?currentSchema=myschema
spring.datasource.username=postgresql
spring.datasource.password=postgresql
spring.datasource.driverClassName=org.postgresql.Driver
My application.properties:
spring.profiles.active=https
I've read documentation about ssl and I don't know what's wrong. Any help will be appreciated.
Make sure you did the following:
placed the .jks file inside main/resources.
you ran the command: mvn clean install
Keystore is not readable from classpath other than Spring. (In case of kafka we don't have any option and kafka always expect location to be on filesystem not in jar file.) So I suggest to use below property and give absolute path to keystore location.
application.properties
spring.kafka.ssl.key-store-location=file:certificate.jks
In code:
#Value("${spring.kafka.ssl.key-store-location}")
private Resource keystoreLocation;
props.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, keystoreLocation.getFile().getAbsolutePath());
This way you can read the keystore. You may need to copy the file on file system rather than in Jar.
I would like to clone an existing profile, start the server and modify it via the Admin Console.
I already read the IBM documentation about
manageprofiles.bat
but the manageprofiles tool does not contain something like:
# would be nice if a clone action exists
manageprofiles.bat -clone -profileName base -targetProfileName base1
This is what I need and I don't see a way to achieve this.
The tool can create, delete, backup and restore a profile.
What I already tried
Copied the profile directory and renamed it
Edited the paths in the bin/setupCmdLine.bat
Added the profile to the AppServer/properties/profileRegistry.xml
Executed manageprofiles -validateAndUpdateRegistry
But the profile is still not recognized by WAS. I can verify this by executing
manageprofiles -listProfiles
How do you clone or copy profiles?
Is there a manual way?
If so, which files in the profile's dir must be edited?
Solved
Here are the manual steps that I did to clone an existent profile.
Make shure that the server is shutdown.
Copy the existent profile from Profiles/<oldProfile> to Profiles/<newProfile>
Update Path WAS_USER_SCRIPT in Profiles\<newProfile>\bin\setupCmdLine.bat
Update Path USER_INSTALL_ROOT in Profiles\<newProfile>\bin\setupCmdLine.bat
Update property user.root in Profiles\<newProfile>\properties\ssl.client.props
Replace all occurences of <oldProfile> with <newProfile> in Profiles\<newProfile>\firststeps\firststeps.bat
Edit AppServer\properties\profileRegistry.xml. Make a copy of the <oldProfile> and update the tag values with the <newProfile>. Should look something like this: <profile isAReservationTicket="false" isDefault="false" name="newProfile" path=".....\Profiles\newProfile" template=".......\AppServer\profileTemplates\default"/>
Copy AppServer\properties\fsdb\<oldProfile>.bat to AppServer\properties\fsdb\<newProfile>.bat. This step will make the profile available to "AppServer\bin\manageprofiles.bat -listProfiles"
Edit config/cells/<cell>/nodes/<node>/variables.xml. Update the USER_INSTALL_ROOT path.
Update the path of WAS_USER_SCRIPT in AppServer\properties\fsdb\<newProfile>.bat
This worked for me. Please comment or vote to let me know if it also worked for you.
Here is a build-in WebSphere solution. This works fine on WAS 8.5.5.3.
Run your application server in source profile
Run command line utility by running script <WAS_INSTAL_ROOT>/AppServer/profiles/<YOUR_SOURCE_PROFILE>/bin/wsadmin.sh or <WAS_INSTAL_ROOT>/AppServer/profiles/<YOUR_SOURCE_PROFILE>/bin/wsadmin.bat (on Windows machines)
Execute command in this utility:
$AdminTask exportWasprofile {-archive <PATH/TO/PROFILE/EXPORT/ARCHIVE>}
Create new target profile or use existing and run application server on it
Run command line utility for target profile by running script <WAS_INSTAL_ROOT>/AppServer/profiles/<YOUR_TARGET_PROFILE>/bin/wsadmin.sh or <WAS_INSTAL_ROOT>/AppServer/profiles/<YOUR_TARGET_PROFILE>/bin/wsadmin.bat (on Windows machines)
Execute command to import profile settings into target profile in this utility:
$AdminTask importWasprofile {-archive <PATH/TO/PROFILE/EXPORT/ARCHIVE> -deleteExistingServers}
Execute command to save new settings into target profile in this utility:
$AdminConfig save
I needed to do this today on WebSphere 8.5 Network Deployment, so I tracked it down and wrote a script. Here's how I do it.
Create a WebSphere profile using the GUI based Profile Management Tool.
Each one you create will write a log file to:
C:\Program Files (x86)\IBM\WebSphere\AppServer\logs\manageprofiles\XXXX_create.log
In the log, look for the -create switch. Clean up and copy that line into a script, modifying or parameterizing the fields as you wish:
SET PROFILENAME=Profile2
SET HOSTNAME=MyHostName
SET WAS_BIN=C:\Program Files (x86)\IBM\WebSphere\AppServer\bin
SET PROFILE_PATH=C:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\%PROFILENAME%
SET WAS_TEMPLATE=C:\Program Files (x86)\IBM\WebSphere\AppServer\profileTemplates\default
SET WAS_CELL=%HOSTNAME%%PROFILENAME%Cell
SET WAS_PORTS_FILE=C:\Program Files (x86)\IBM\WebSphere\AppServer\logs\manageprofiles\was_default_portdef.props
SET A1=-create -serverName %PROFILENAME% -profileName %PROFILENAME% -cellName %WAS_CELL% -nodeName %PROFILENAME% -hostName %HOSTNAME%
SET A2=-profilePath "%PROFILE_PATH%" -templatePath "%WAS_TEMPLATE%"
SET A3=-applyPerfTuningSetting development -enableAdminSecurity false -winserviceCheck false -omitAction defaultAppDeployAndConfig
SET A4=-portsFile "%WAS_PORTS_FILE%"
SET A5=-signingCertDN "cn=10.0.2.15\\,ou=Root Certificate\\,ou=%WAS_CELL%\\,ou=%PROFILENAME%\\,o=IBM\\,c=US" -personalCertDN "cn=10.0.2.15\\,ou=%WAS_CELL%\\,ou=%PROFILENAME%\\,o=IBM\\,c=US"
SET A6=-personalCertValidityPeriod 10 -signingCertValidityPeriod 15
SET WAS_ARGS=%A1% %A2% %A3% %A4% %A5% %A6%
call "%WAS_BIN%\manageprofiles.bat" %WAS_ARGS%
You will need to look for the "C:\Program Files (x86)\IBM\WebSphere\AppServer\logs\manageprofiles*_portdef.props" files and copy one of them for your use as I did.
The output of my script was thus a cloned/tweaked version of a profile I had created before.
I then ran it at the commandline:
"C:\Program Files (x86)\IBM\WebSphere\AppServer\bin\manageprofiles.bat" -create -serverName Unica9103 -profileName Unica9103 -cellName UnicaVMUnica9103Cell -nodeName Unica9103 -hostName UnicaVM -profilePat
h "C:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\Unica9103" -templatePath "C:\Program Files (x86)\IBM\WebSphere\AppServer\profileTemplates\default" -a
pplyPerfTuningSetting development -enableAdminSecurity false -winserviceCheck false -omitAction defaultAppDeployAndConfig -portsFile "C:\Program Files (x86)\IB
M\WebSphere\AppServer\logs\manageprofiles\was_default_portdef.props" -signingCertDN "cn=10.0.2.15\\,ou=Root Certificate\\,ou=UnicaVMUnica9103Cell\\,ou=Unica9103
\\,o=IBM\\,c=US" -personalCertDN "cn=10.0.2.15\\,ou=UnicaVMUnica9103Cell\\,ou=Unica9103\\,o=IBM\\,c=US" -personalCertValidityPeriod 10 -signingCertValidityPeri
od 15
Notice that the commas need to be escaped with double backslashes or you get cryptic errors.
You will get something like the following on success:
INSTCONFSUCCESS: Success: Profile Unica9103 now exists. Please consult C:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\Unica9103\logs\AboutThisProfile.txt for more information about this profile.
I have not tested the method but wsadmin has the following command:
createAppServerTemplate
This script creates a new application server template in your
configuration. A server template is used to define the configuration
settings for a new application server. When you create a new
application server, you either select the default server template or a
template you previously created, that is based on another, already
existing application server. The default template is used if you do
not specify a different template when you create the server.
You could create a template from your initial profile and create a new profile using the template.
I believe that createAppServerTemplate creates e template for the server not the profile. Therefore if you already have configured a profile you can than use the template to create additional servers within this profile.
You would then use createApplicationServer to create new servers based on the above created template.
I guess if you want to copy a profile the best method is to record the configurations and set them in a script file.
Just for information In MyEclipseBlue version 10 we can export server profile configuration & import in new profile; hence retaining all the configuration.
René answer is correct but i faced issues while Running the server in Debug Mode.
\WebSphere8552\AppServer\properties\fsdb\AppSrv01.bat change was_user_script path
\WebSphere8552\AppServer\properties\fsdb_was_profile_defauldefault.bat change was_user_script path with actual
Also change path in : \AppServer\properties\profileRegistry.xml for validating license
I'm trying to automate process of deployment and I want to upload some files to WAS using wsadmin (jython). My question is if it is possible to upload file from my standalone wsadmin to remote WAS Server. And if so, is it possible to upload file somewhere out of application (fe. /opt/IBM/WebSphere/AppServer/temp)? I don't want to upload it to specific profile, but to server root.
When I'm deploying application it is copying war/ear file to WAS, so is it there some mechani to upload separate file?
many thanks
AntAgent allows you to upload any file, provided that the content of the file can fit in memory:
https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.javadoc.doc/web/mbeanDocs/AntAgent.html
In wsadmin you'll need to use invoke_jmx method of AdminControl object.
from java.lang import String
import jarray
fileContent = 'hello!'
antAgent = AdminControl.makeObjectName(AdminControl.queryNames('WebSphere:*,type=AntAgent,process=dmgr'))
str = String(fileContent)
bytes = str.getBytes()
AdminControl.invoke_jmx(antAgent, 'putScript', [String('hello.txt'),bytes], jarray.array(['java.lang.String', '[B'], String))
Afterwards you'll find 'hello.txt' file in WAS profile's temp directory. You may use relative paths as well.