IBM GKLM
Documentation Links
Procedures
Migrating Keys Using CLI
On SKLM server2, do the following:
- Login as LOCAL ADMINISTRATOR
-
Change directories:
cd \Program Files\IBM\WebSphere\AppServer\bin>
-
Log into the WebSphere CLI
wsadmin.bat -username SKLMAdmin -password ESI@2019bpic -lang jython
-
Create an SSL certificate, say sslCert, on server2 if not previously done:
print AdminTask.tklmCertCreate ('[-type selfsigned -alias sslCert -cn SSLCert -keyStoreName defaultKeyStore -usage SSLSERVER -validity 9000]') Where sslCert is an example for an alias label.
-
List the certificate to verify it is created or if it is already there.
print AdminTask.tklmCertList() Example Output clipped as we care only about the following 3 parameters: CTGKM0001I Command succeeded. ... uuid = CERTIFICATE-xxxxxxxx-xxxx-xxx-xxxx-xxxxxxxxxxxx alias(es) = sslCert key store name(s) = defaultKeyStore ... Make a note of above 3 parameters as they will be used in the certificate export command:
-
Export sslCert into a file, say sslCert.der.
print AdminTask.tklmCertExport ('[-uuid CERTIFICATE-b4741a9-651e699c-8825-4f55-bed6-a37067bed6a0 -format DER -fileName sslCert.der]') CTGKM0001I Command succeeded. C:\Program Files\IBM\WebSphere\AppServer\products\sklm\data\sslCert.der
-
Copy sslCert.der file to TKLM server1.
On TKLM server1, do the following:
- Login as LOCAL ADMINISTRATOR
-
Change directories:
cd C:\IBM\tivoli\tiptklmV2\bin
-
Log into the Websphere CLI
wsadmin.bat -username TKLMAdmin -password <put.pwd.here> -lang jython
-
List the certificates to get the 'keystore name' on that server1 as it will be used in the import certificate command:
print AdminTask.tklmCertList() Example Output clipped as we care only about the following parameter: CTGKM0001I Command succeeded. ... key store name(s) = defaultKeyStore ...
-
Import sslCert.der on TKLM server1 that came from SKLM server2
print AdminTask.tklmCertImport ('[-fileName C:\\SKLM\\svc-v7k_v5k.der -alias svc-v7k_v5k -format DER -keyStoreName "defaultKeyStore" -usage SSLSERVER]')
-
List the certificate to verify it is imported.
print AdminTask.tklmCertList() Make a note of the following parameters as they will be used in the key export command: uuid = CERTIFICATE-xxxc20f3 alias(es) = sslCert key store name(s) = Tivoli Key Lifecycle Manager Keystore
-
List the keys on TKLM server1 to find out which keys to move to SKLM server2:
print AdminTask.tklmKeyList()
-
Export desired key or a range of keys into a file, say exportedKeys, while specifying the SSL certificate alias sslCert.der. Keys should be wrapped by the certificate.
print AdminTask.tklmKeyExport('[-aliasRange uni00-c7 -fileName C:\\exportedKeys -keyStoreName "Tivoli Key Lifecycle Manager Keystore" -type secretkey -keyAlias sslCert]')
-
Copy exportedKeys file to SKLM server2.
On SKLM server2, do the following:
-
Import exportedKeys on SKLM server2 that came from TKLM server1
print AdminTask.tklmKeyImport ('[-keyAlias sslCert -type secretkey -fileName C:\\exportedKeys -keyStoreName defaultKeyStore -usage LTO]')
-
List the keys to verify they are imported.
print AdminTask.tklmKeyList()
-
Create a keygroup on SKLM server2, example name: tklmKeyGroup.
print AdminTask.tklmGroupCreate ('[-name tklmKeyGroup -type keygroup -usage LTO]')
-
List the keygroup to either obtain the name if it was already created or confirm creation:
print AdminTask.tklmGroupList('[-type keygroup -v y]')
-
Add one key into keygroup.
print AdminTask.tklmGroupEntryAdd('[-name tklmKeyGroup -type keygroup -entry "{type key} {alias aaa000000000000000019} {keyStoreName defaultKeyStore}"]')
-
Restart sklm.