This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.

securityUtility command

The securityUtility command supports plain text encryption and SSL certificate creation for Liberty.

Syntax

The command syntax is as follows:

securityUtility task [options] 

The available options depend on the value of task.

Parameters

The following tasks are available for the securityUtility command:
encode
Encodes the provided text by using Base64. If no options are specified, the command enters interactive mode. Otherwise, the provided text is encoded. If the text includes spaces it must be put in quotation marks.
The options are:
--encoding=encoding_type
Specifies how to encode the password. Supported encodings are xor, aes, and hash. If this option is not provided, the default is xor.
Note: The hash encoding option is used for encoding passwords for the basic user registry only.
--key=encryption_key
Specifies the key to be used when encoding using AES encryption. This string is hashed to produce an encryption key that is used to encrypt and decrypt the password. The key can be provided to the server by defining the variable wlp.password.encryption.key whose value is the key. If this option is not provided, a default key is used.
--notrim
Specifies whether space characters are removed from the beginning and end of the specified text. If this option is specified, the provided text is encoded as it is. If this option is not specified, space characters at the beginning and end of the specified text are removed.
text
The text that is to be encoded.
See also The limits to protection through password encryption.
createSSLCertificate
Creates a default keystore including an SSL certificate for use in a server or client configuration. [8.5.5.6 or later]
Keystore details:
location: In the server's or client's directory under resource/security/key.jks.
type: JKS
password: Password provided with the --password option. The password is needed to open the keystore file and retrieve the key from the keystore file.
[8.5.5.6 or later]
Certificate details:
type: Self-signed certificate
size: 2048 by default, alternate size can be specified with the --keySize option.
signature algorithm: SHA256withRSA, can be customized with the --sigAlg option.
validity: 365 days by default, can be customized with the --validity option.
SubjectDN: CN=<hostname>,OU=<client or server name>,O=ibm,C=us by default, can be customized with the --subject option.

The options are:

[8.5.5.6 or later]--server=name
[8.5.5.6 or later]Specifies the name of the Liberty server for which the keystore and certificate are created. This option cannot be used if the --client option is specified.
[8.5.5.6 or later]--client=name
[8.5.5.6 or later]Specifies the name of the Liberty client for which the keystore and certificate are created. This option cannot be used if the --server option is specified.
[8.5.5.6 or later]--keySize=size
[8.5.5.6 or later]Specifies the certificate key bit size. The default value is 2048.
--password=password
Specifies the password to be used in the keystore, which must be at least 6 characters in length. This option is required.
--passwordEncoding=password_encoding_type
Specifies how to encode the keystore password. Supported encoding values are xor and aes. If this option is not provided, a default value of xor is used.
--passwordkey=password_encryption_key
Specifies the key to use to encode the keystore password by using AES encryption. This string is hashed to produce an encryption key that is used to encrypt and decrypt the password. The key can be provided to the server by defining the variable wlp.password.encryption.key whose value is the key. If this option is not provided, a default key is used.
--validity=days
Specifies the number of days that the certificate is valid, which must be equal to or greater than 365. If this option is not provided, a default value of 365 is used.
[8.5.5.6 or later]--subject=DN
[8.5.5.6 or later]Specifies the Distinguished Name (DN) for the certificate subject and issuer. If this option is not provided, a default value of CN=<hostname>,OU=<server or client name>,O=ibm,C=us is used. The CN value is retrieved by using a Java method to get the machine's local host name. If the host name cannot be resolved, the IP address is returned.
[8.5.5.7 or later]--sigAlg
[8.5.5.7 or later]Specifies the signature algorithm that is used to sign the self-signed certificate. The signature algorithm that is supported depends on what is supported by the underlying JRE. Stronger signature algorithms might require the JRE to have the unrestricted policy file in place.
[8.5.5.7 or later]The command accepts SHA256withRSA (default), SHA1withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA256withECDSA, SHA384withECDSA, and SHA512withECDSA. The signature algorithms that end with RSA create certificates with RSA keys, and those that end with ECDSA create certificates with Elliptic Curve (EC) keys.
Note: If you are using certificates that are created with EC keys, then your server needs a customized ciphers list in the SSL configuration to include EC ciphers.
help
Prints help information for a specified task.

Usage

The following examples demonstrate correct syntax:

securityUtility encode --encoding=aes GiveMeLiberty
securityUtility createSSLCertificate --server=myserver --password=mypassword --validity=365 --subject=CN=mycompany,O=myOrg,C=myCountry
securityUtility help createSSLCertificate 
CAUTION:
Different operating systems might treat some characters differently. For the Windows environment, if you have ! in your input string, it needs to be escaped by the ^ character. For example,
D:\Liberty\images\855\Liberty855\wlp\bin>securityUtility encode "a^!" 
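
The following audit check is an added example, not part of the original topic or of the product. It reads a server.xml and classifies every password attribute by the {xor}, {aes}, or {hash} tag that marks an encoded value, and reports aes values when the wlp.password.encryption.key variable is not defined, which is the case where the default key is used. Assumptions: the sample configuration and its PLACEHOLDER values are constructed, and the key variable is looked for only in the same server.xml, not in bootstrap.properties or included files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration; PLACEHOLDER values are not real
# securityUtility output.
SAMPLE_SERVER_XML = """<server>
  <variable name="db.host" value="localhost"/>
  <keyStore id="defaultKeyStore" password="{xor}PLACEHOLDER="/>
  <basicRegistry id="basic">
    <user name="admin" password="{hash}PLACEHOLDER"/>
    <user name="ops" password="changeit"/>
  </basicRegistry>
  <dataSource id="ds1"><properties password="{aes}PLACEHOLDER"/></dataSource>
</server>"""

PREFIX = re.compile(r"^\{(xor|aes|hash)\}")
KEY_VARIABLE = "wlp.password.encryption.key"


def audit(server_xml):
    """Return (element, encoding, finding) for each password attribute,
    in document order."""
    root = ET.fromstring(server_xml)
    # Without this variable, {aes} values are protected by the default key.
    custom_key = any(v.get("name") == KEY_VARIABLE
                     for v in root.iter("variable"))
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if "password" not in attr.lower():
                continue
            match = PREFIX.match(value)
            if match:
                enc = match.group(1)
            elif value.startswith("${"):
                enc = "variable"
            else:
                enc = "plain"
            if enc == "plain":
                note = "stored in clear text"
            elif enc == "variable":
                note = "resolved elsewhere; audit where the variable is set"
            elif enc == "xor":
                note = "xor is reversible obfuscation; re-encode with aes or hash"
            elif enc == "aes" and not custom_key:
                note = f"aes with the default key; define {KEY_VARIABLE}"
            else:
                note = "ok"
            findings.append((elem.tag, enc, note))
    return findings
```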




Last updated: Tuesday, 12 December 2017
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=rwlp_command_securityutil
File name: rwlp_command_securityutil.html