sslcfg command
Use this command to display and configure SSL settings for the IMM2 and to manage certificates.
Running the sslcfg command with no options displays all SSL configuration information. The sslcfg command is used to generate a new encryption key and self-signed certificate or certificate signing request (CSR). The following table shows the arguments for the options.
Option | Description | Values |
---|---|---|
-server | SSL server status | enabled, disabled. Note: The SSL server can be enabled only if a valid certificate is in place. |
-client | SSL client status | enabled, disabled. Note: The SSL client can be enabled only if a valid server or client certificate is in place. |
-cim | CIM over HTTPS status | enabled, disabled. Note: CIM over HTTPS can be enabled only if a valid server or client certificate is in place. |
-cert | Generate self-signed certificate | server, client, sysdir, storekey |
-csr | Generate a CSR | server, client, sysdir, storekey |
-csrform | Format in which the CSR is exported | der, pem |
-rm | Remove the certificate | server, client, cim, storekey |
-i | IP address for TFTP/SFTP server | Valid IP address. Note: An IP address for the TFTP or SFTP server must be specified when uploading a certificate, or downloading a certificate or CSR. |
-pn | Port number of TFTP/SFTP server | Valid port number (default 69/22) |
-u | User name for SFTP server | Valid user name |
-pw | Password for SFTP server | Valid password |
-l | Certificate filename | Valid filename. Note: A filename is required when downloading or uploading a certificate or CSR. If no filename is specified for a download, the default name for the file is used and displayed. |
-dnld | Download certificate file | This option takes no arguments, but you must also specify a value for the -cert or -csr command option (depending on the certificate type being downloaded), for the -i command option, and optionally for the -l command option. |
-upld | Imports certificate file | This option takes no arguments, but you must also specify values for the -cert, -i, and -l command options. |
-tcx | Trusted certificate x for SSL client | import, download, remove. Note: The trusted certificate number, |
-c | Country | Country code (2 letters). Note: Required when generating a self-signed certificate or CSR. |
-sp | State or province | Quote-delimited string (maximum 60 characters). Note: Required when generating a self-signed certificate or CSR. |
-cl | City or locality | Quote-delimited string (maximum 50 characters). Note: Required when generating a self-signed certificate or CSR. |
-on | Organization name | Quote-delimited string (maximum 60 characters). Note: Required when generating a self-signed certificate or CSR. |
-hn | IMM2 hostname | String (maximum 60 characters). Note: Required when generating a self-signed certificate or CSR. |
-cp | Contact person | Quote-delimited string (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
-ea | Contact person email address | Valid email address (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
-ou | Organizational unit | Quote-delimited string (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
-s | Surname | Quote-delimited string (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
-gn | Given name | Quote-delimited string (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
-in | Initials | Quote-delimited string (maximum 20 characters). Note: Optional when generating a self-signed certificate or CSR. |
-dq | Domain name qualifier | Quote-delimited string (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
-cpwd | Challenge password | String (minimum 6 characters, maximum 30 characters). Note: Optional when generating a CSR. |
-un | Unstructured name | Quote-delimited string (maximum 60 characters). Note: Optional when generating a CSR. |
sslcfg [options]
option:
-server state
-client state
-cim state
-cert certificate_type
-csr certificate_type
-csrform format in which the CSR is exported (der, pem)
-rm Remove the certificate (server, client, cim, storekey)
-i ip_address
-pn port_number
-u username
-pw password
-l filename
-dnld
-upld
-tcx action
-c country_code
-sp state_or_province
-cl city_or_locality
-on organization_name
-hn imm_hostname
-cp contact_person
-ea email_address
-ou organizational_unit
-s surname
-gn given_name
-in initials
-dq dn_qualifier
-cpwd challenge_password
-un unstructured_name
system> sslcfg
-server enabled
-client disabled
-sysdir enabled
SSL Server Certificate status:
A self-signed certificate is installed
SSL Client Certificate status:
A self-signed certificate is installed
SSL CIM Certificate status:
A self-signed certificate is installed
SSL Client Trusted Certificate status:
Trusted Certificate 1: Not available
Trusted Certificate 2: Not available
Trusted Certificate 3: Not available
Trusted Certificate 4: Not available
Client certificate examples:
To generate a CSR for a storage key, enter the following command:
system> sslcfg -csr storekey -c US -sp NC -cl rtp -on IBM -hn IMM2-5cf3fc6e0c9d
-cp Contact -ea "" -ou ""
ok
To download a certificate from the IMM2 to another server, enter the following command:
system> sslcfg -csr storekey -dnld -i 192.168.70.230 -l storekey.csr
ok
To upload the certificate processed by the Certificate Authority (CA), enter the following command:
system> sslcfg -cert storekey -upld -i 192.168.70.230 -l tklm.der
To generate a self-signed certificate, enter the following command:
system> sslcfg -cert storekey -c US -sp NC -cl rtp -on IBM -hn IMM2-5cf3fc6e0c9d
-cp Contact -ea "" -ou ""
ok
The above example is displayed on multiple lines due to space limitations.
SKLM Server certificate example:
To import the SKLM server certificate, enter the following command:
system> storekeycfg -add -ip 192.168.70.200 -f tklm-server.der
ok
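
Added example (not part of the original documentation): a Python pre-flight check that validates certificate subject fields against the limits in the option table before composing an sslcfg -cert or -csr line, so that values pulled from an inventory cannot break out of a quoted argument or exceed a documented length. The function name build_sslcfg, the use of double quotes for quote-delimited values, and the sample values are assumptions of this example.

```python
import re

# Option -> (max length, required, quote-delimited), taken from the option table.
SUBJECT = {
    "c": (2, True, False), "sp": (60, True, True), "cl": (50, True, True),
    "on": (60, True, True), "hn": (60, True, False), "cp": (60, False, True),
    "ea": (60, False, False), "ou": (60, False, True), "s": (60, False, True),
    "gn": (60, False, True), "in": (20, False, True), "dq": (60, False, True),
}
CSR_ONLY = {"cpwd": (30, False, False), "un": (60, False, True)}  # valid with -csr only
CERT_TYPES = ("server", "client", "sysdir", "storekey")


def build_sslcfg(mode, cert_type, fields):
    """Return a validated 'sslcfg -cert|-csr ...' line or raise ValueError."""
    if mode not in ("cert", "csr") or cert_type not in CERT_TYPES:
        raise ValueError("mode must be cert/csr with a documented certificate type")
    opts = {**SUBJECT, **(CSR_ONLY if mode == "csr" else {})}
    unknown = sorted(set(fields) - set(opts))
    if unknown:
        raise ValueError(f"options not valid for -{mode}: {unknown}")
    missing = [o for o, (_, req, _) in opts.items() if req and not fields.get(o)]
    if missing:
        raise ValueError(f"missing required options: {missing}")
    parts = ["sslcfg", f"-{mode}", cert_type]
    for opt, (maxlen, _, quoted) in opts.items():
        val = fields.get(opt, "")
        if not val:
            continue  # optional field left out
        if len(val) > maxlen:
            raise ValueError(f"-{opt} exceeds {maxlen} characters")
        # A quote or control character would end the argument early and let
        # the rest of the value be parsed as further options.
        if re.search(r'["\x00-\x1f\x7f]', val):
            raise ValueError(f"-{opt} contains a quote or control character")
        if not quoted and re.search(r"\s", val):
            raise ValueError(f"-{opt} is not quote-delimited; no spaces allowed")
        if opt == "c" and not re.fullmatch(r"[A-Za-z]{2}", val):
            raise ValueError("-c must be a 2-letter country code")
        if opt == "cpwd" and len(val) < 6:
            raise ValueError("-cpwd needs at least 6 characters")
        parts += [f"-{opt}", f'"{val}"' if quoted else val]
    return " ".join(parts)


# Constructed sample input mirroring the storekey CSR example on this page.
SAMPLE = {"c": "US", "sp": "NC", "cl": "rtp", "on": "IBM",
          "hn": "IMM2-5cf3fc6e0c9d", "cp": "Contact"}

if __name__ == "__main__":
    print(build_sslcfg("csr", "storekey", SAMPLE))
```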