This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.
securityUtility command
The securityUtility command encodes plain text, such as passwords that are placed in Liberty configuration files, and creates a keystore with a self-signed SSL certificate for Liberty.
Syntax
The command syntax is as follows:
securityUtility task [options]
Where the options are different based on the value of task.
Parameters
The following tasks are available for the securityUtility command:
- encode
- Encodes the provided text with the selected encoding and prints the result prefixed with the encoding name (for example {xor}), which is the form Liberty accepts in configuration files. If no options are specified, the command enters interactive mode and prompts for the text. Otherwise, the provided text is encoded. If the text includes spaces, it must be put in quotation marks. The options are:
- --encoding=encoding_type
- Specifies how to encode the password. Supported encodings are xor, aes, and hash. If this option is not provided, the default is xor. Note that xor is reversible obfuscation, not encryption: it keeps the password out of casual view but anyone who can read the configuration file can recover it. The aes encoding is reversible by anyone who knows the key, so use it together with the --key option. Only hash is one-way.
Note: The hash encoding option is used for encoding passwords for the basic user registry only.
- --key=encryption_key
- Specifies the key to be used when encoding using AES encryption. This string is hashed to produce an encryption key that is used to encrypt and decrypt the password. The key can be provided to the server by defining the variable wlp.password.encryption.key whose value is the key. Define that variable in a file other than server.xml, for example bootstrap.properties with restrictive file permissions, so that the key is not stored beside the passwords it protects. If this option is not provided, a default key is used; because the default key is the same for every Liberty installation, the result then protects only against casual inspection.
- --notrim
- Specifies whether space characters are removed from the beginning and end of the specified text. If this option is specified, the provided text is encoded as it is. If this option is not specified, space characters at the beginning and end of the specified text are removed.
- text
- The text that is to be encoded.
- createSSLCertificate
- Creates a default keystore including an SSL certificate for use
in a server or client configuration.
- Keystore details:
- location: In the server's or client's directory under resources/security/key.jks.
- type: JKS
- password: Password provided with the --password option. The password is needed to open the keystore file and retrieve the key from the keystore file.
- Certificate details:
- type: Self-signed certificate
- size: 2048 by default, alternate size can be specified with the --keySize option.
- signature algorithm: SHA256withRSA, can be customized with the --sigAlg option.
- validity: 365 days by default, can be customized with the --validity option.
- SubjectDN: CN=<hostname>,OU=<client or server name>,O=ibm,C=us by default, can be customized with the --subject option.
The options are:
- --server=name
- Specifies the name of the Liberty server for which the keystore and certificate are created. This option cannot be used if the --client option is specified.
- --client=name
- Specifies the name of the Liberty client for which the keystore and certificate are created. This option cannot be used if the --server option is specified.
- --keySize=size
- Specifies the certificate key bit size. The default value is 2048.
- --password=password
- Specifies the password to be used in the keystore, which must be at least 6 characters in length. This option is required.
- --passwordEncoding=password_encoding_type
- Specifies how to encode the keystore password. Supported values are xor and aes. If this option is not provided, a default value of xor is used. The encoded password is printed by the command for use in the server configuration; as with the encode task, xor only obfuscates the password.
- --passwordKey=password_encryption_key
- Specifies the key to use to encode the keystore password by using AES encryption. This string is hashed to produce an encryption key that is used to encrypt and decrypt the password. The key can be provided to the server by defining the variable wlp.password.encryption.key whose value is the key. If this option is not provided, a default key is used, which is the same for every Liberty installation.
- --validity=days
- Specifies the number of days that the certificate is valid, which must be equal to or greater than 365. If this option is not provided, a default value of 365 is used.
- --subject=DN
- Specifies the Distinguished Name (DN) for the certificate subject and issuer. If this option is not provided, a default value of CN=<hostname>,OU=<server or client name>,O=ibm,C=us is used. The CN value is retrieved by using a Java method to get the machine's local host name. If the host name cannot be resolved, the IP address is returned. Clients validate the host name they connect to against this CN, so set it to the name that clients actually use.
- --sigAlg=algorithm
- Specifies the signature algorithm that is used to sign the self-signed certificate. The signature algorithms that are supported depend on what is supported by the underlying JRE. Stronger signature algorithms might require the JRE to have the unrestricted policy file in place.
The command accepts SHA256withRSA (default), SHA1withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA256withECDSA, SHA384withECDSA, and SHA512withECDSA. The signature algorithms that end with RSA create certificates with RSA keys and those that end with ECDSA create certificates with Elliptic Curve (EC) keys. The SHA1 variants are accepted for compatibility only; current browsers and TLS clients reject certificates signed with SHA-1, so prefer SHA256 or stronger.
Note: If you are using certificates that are created with EC keys, then your server needs a customized ciphers list in the ssl configuration to include EC (ECDSA) cipher suites; otherwise no cipher suite matches the key type and the TLS handshake fails.
- help
- Prints help information for a specified task.
Usage
The following examples demonstrate correct syntax:
securityUtility encode --encoding=aes GiveMeLiberty
securityUtility createSSLCertificate --server=myserver --password=mypassword --validity=365 --subject=CN=mycompany,O=myOrg,C=myCountry
securityUtility help createSSLCertificate
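The following Python example is added here and is not part of the IBM documentation or the Liberty product. It reimplements the default xor encoding used by the encode task (each character XORed with the underscore character 0x5F, then Base64, prefixed with {xor}) so you can see that the value is reversible without any secret, honours the --notrim behaviour described above, and renders the server.xml keyStore element that consumes a keystore created by createSSLCertificate, adding an ssl element with EC cipher suites when the certificate was created with an ECDSA signature algorithm. The element and attribute names keyStore, ssl, keyStoreRef and enabledCiphers are Liberty's; the specific cipher names and the assumption of ASCII passwords are this example's choices.

```python
import base64

# Liberty's {xor} encoding XORs every character with '_' (0x5F) and
# Base64-encodes the result. Reimplemented here for illustration; this is
# not the product's code and assumes ASCII text.
XOR_KEY = ord("_")
PREFIX = "{xor}"


def xor_encode(text: str, notrim: bool = False) -> str:
    """Mimic `securityUtility encode` with the default xor encoding.

    Leading and trailing spaces are removed unless notrim is True,
    matching the --notrim option of the encode task.
    """
    if not notrim:
        text = text.strip(" ")
    raw = text.encode("ascii")  # assumption: ASCII-only passwords
    obfuscated = bytes(b ^ XOR_KEY for b in raw)
    return PREFIX + base64.b64encode(obfuscated).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse xor_encode. No key is needed: {xor} hides the password from
    casual view only and is not encryption."""
    if not encoded.startswith(PREFIX):
        raise ValueError("expected a value starting with " + PREFIX)
    obfuscated = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in obfuscated).decode("ascii")


def keystore_config(plain_password: str, ec_keys: bool = False) -> str:
    """Render the server.xml elements for a keystore created by
    createSSLCertificate (default location resources/security/key.jks).

    The keyStore password is stored xor-encoded, as the command itself
    prints it. When the certificate was created with an ECDSA signature
    algorithm, an ssl element with EC cipher suites is added, because the
    default cipher list has no suite that matches an EC key. The cipher
    names below are an assumed example, not a product recommendation.
    """
    lines = [
        '<keyStore id="defaultKeyStore" password="%s" />'
        % xor_encode(plain_password)
    ]
    if ec_keys:
        ciphers = ",".join([
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        ])
        lines.append(
            '<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" '
            'enabledCiphers="%s" />' % ciphers
        )
    return "\n".join(lines)


if __name__ == "__main__":
    encoded = xor_encode("password")
    print(encoded)                      # {xor}Lz4sLCgwLTs=
    print(xor_decode(encoded))          # password, recovered without a key
    print(keystore_config("mypassword", ec_keys=True))
```

Because xor_decode needs nothing but the encoded string, treat {xor} values in server.xml as plain text for access-control purposes: protect the file with operating system permissions and keep it out of source repositories, or use aes with a custom key defined outside server.xml.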
CAUTION:
Different operating systems might treat some characters differently. In a Windows environment, if your input string contains !, it must be escaped with the ^ character, for example:
D:\Liberty\images\855\Liberty855\wlp\bin>securityUtility encode "a^!"
Verify the encoded value before you put it into a configuration file, because a shell that interprets a special character silently produces an encoding of a different password.