sslcfg command

Use this command to display and configure SSL for the IMM2 and to manage certificates.

Running the sslcfg command with no options displays all SSL configuration information. The sslcfg command is used to generate a new encryption key and self-signed certificate or certificate signing request (CSR). The following table shows the arguments for the options.

Table 1. sslcfg command.

| Option | Description | Values |
| --- | --- | --- |
| -server | SSL server status | enabled, disabled. Note: The SSL server can be enabled only if a valid certificate is in place. |
| -client | SSL client status | enabled, disabled. Note: The SSL client can be enabled only if a valid server or client certificate is in place. |
| -cim | CIM over HTTPS status | enabled, disabled. Note: CIM over HTTPS can be enabled only if a valid server or client certificate is in place. |
| -cert | Generate self-signed certificate | server, client, sysdir, storekey. Notes: Values for the -c, -sp, -cl, -on, and -hn command options are required when generating a self-signed certificate. Values for the -cp, -ea, -ou, -s, -gn, -in, and -dq command options are optional when generating a self-signed certificate. |
| -csr | Generate a CSR | server, client, sysdir, storekey. Notes: Values for the -c, -sp, -cl, -on, and -hn command options are required when generating a CSR. Values for the -cp, -ea, -ou, -s, -gn, -in, -dq, -cpwd, and -un command options are optional when generating a CSR. |
| -csrform | Format in which the CSR is exported | der, pem |
| -rm | Remove the certificate | server, client, cim, storekey |
| -i | IP address for TFTP/SFTP server | Valid IP address. Note: An IP address for the TFTP or SFTP server must be specified when uploading a certificate, or downloading a certificate or CSR. |
| -pn | Port number of TFTP/SFTP server | Valid port number (default 69/22) |
| -u | User name for SFTP server | Valid user name |
| -pw | Password for SFTP server | Valid password |
| -l | Certificate filename | Valid filename. Note: A filename is required when downloading or uploading a certificate or CSR. If no filename is specified for a download, the default name for the file is used and displayed. |
| -dnld | Download certificate file | This option takes no arguments, but values must also be specified for the -cert or -csr command option (depending on the certificate type being downloaded), for the -i command option, and optionally for the -l command option. |
| -upld | Imports certificate file | This option takes no arguments, but values must also be specified for the -cert, -i, and -l command options. |
| -tcx | Trusted certificate x for SSL client | import, download, remove. Note: The trusted certificate number, x, is specified as an integer from 1 to 3 in the command option. |
| -c | Country | Country code (2 letters). Note: Required when generating a self-signed certificate or CSR. |
| -sp | State or province | Quote-delimited string (maximum 60 characters). Note: Required when generating a self-signed certificate or CSR. |
| -cl | City or locality | Quote-delimited string (maximum 50 characters). Note: Required when generating a self-signed certificate or CSR. |
| -on | Organization name | Quote-delimited string (maximum 60 characters). Note: Required when generating a self-signed certificate or CSR. |
| -hn | IMM2 hostname | String (maximum 60 characters). Note: Required when generating a self-signed certificate or CSR. |
| -cp | Contact person | Quote-delimited string (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
| -ea | Contact person email address | Valid email address (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
| -ou | Organizational unit | Quote-delimited string (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
| -s | Surname | Quote-delimited string (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
| -gn | Given name | Quote-delimited string (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
| -in | Initials | Quote-delimited string (maximum 20 characters). Note: Optional when generating a self-signed certificate or CSR. |
| -dq | Domain name qualifier | Quote-delimited string (maximum 60 characters). Note: Optional when generating a self-signed certificate or CSR. |
| -cpwd | Challenge password | String (minimum 6 characters, maximum 30 characters). Note: Optional when generating a CSR. |
| -un | Unstructured name | Quote-delimited string (maximum 60 characters). Note: Optional when generating a CSR. |

Syntax:
sslcfg [options]
option:
-server state
-client state
-cim state
-cert certificate_type
-csr certificate_type
-csrform der | pem
-rm server | client | cim | storekey
-i ip_address
-pn port_number
-u username
-pw password
-l filename
-dnld
-upld
-tcx action
-c country_code
-sp state_or_province
-cl city_or_locality
-on organization_name
-hn imm_hostname
-cp contact_person
-ea email_address
-ou organizational_unit
-s surname
-gn given_name
-in initials
-dq dn_qualifier
-cpwd challenge_password
-un unstructured_name
Examples:
system> sslcfg
-server enabled
-client disabled
-sysdir enabled
SSL Server Certificate status:
A self-signed certificate is installed
SSL Client Certificate status:
A self-signed certificate is installed
SSL CIM Certificate status:
A self-signed certificate is installed
SSL Client Trusted Certificate status:
Trusted Certificate 1: Not available
Trusted Certificate 2: Not available
Trusted Certificate 3: Not available
Trusted Certificate 4: Not available

Client certificate examples:

  • To generate a CSR for a storage key, enter the following command:

    system> sslcfg
    -csr storekey -c US -sp NC -cl rtp -on IBM -hn IMM2-5cf3fc6e0c9d
    -cp Contact -ea "" -ou ""
    ok

    The above example is displayed on multiple lines due to space limitations.

  • To download a certificate from the IMM2 to another server, enter the following command:

    system> sslcfg
    -csr storekey -dnld -i 192.168.70.230 -l storekey.csr
    ok

  • To upload the certificate processed by the Certificate Authority (CA), enter the following command:

    system> sslcfg
    -cert storekey -upld -i 192.168.70.230 -l tklm.der

  • To generate a self-signed certificate, enter the following command:

    system> sslcfg
    -cert storekey -c US -sp NC -cl rtp -on IBM -hn IMM2-5cf3fc6e0c9d
    -cp Contact -ea "" -ou ""
    ok

    The above example is displayed on multiple lines due to space limitations.
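
An added example, not part of the original page or of the IMM2 firmware: a Python pre-flight check that assembles an sslcfg -cert or -csr command line from inventory data and enforces the required options and length limits from Table 1 before anything is typed into the IMM2 CLI. The names build_sslcfg and SAMPLE, the choice to quote every quote-delimited value, and the rejection of embedded quotes and control characters are assumptions of this example.

```python
import re

# Constraints transcribed from Table 1 of this page. BARE lists the options
# the table does not describe as quote-delimited (emitted unquoted here).
REQUIRED = ("c", "sp", "cl", "on", "hn")
MAX_LEN = {"c": 2, "sp": 60, "cl": 50, "on": 60, "hn": 60, "cp": 60, "ea": 60,
           "ou": 60, "s": 60, "gn": 60, "in": 20, "dq": 60, "cpwd": 30, "un": 60}
CSR_ONLY = ("cpwd", "un")
BARE = ("c", "hn", "ea", "cpwd")
CERT_TYPES = ("server", "client", "sysdir", "storekey")


def build_sslcfg(action, cert_type, fields):
    """Return (command, errors); command is None when any check fails."""
    errors = []
    if action not in ("cert", "csr"):
        errors.append(f"action must be cert or csr, got {action!r}")
    if cert_type not in CERT_TYPES:
        errors.append(f"unknown certificate type {cert_type!r}")
    for opt in REQUIRED:
        if not fields.get(opt):
            errors.append(f"-{opt} is required")
    for opt, value in fields.items():
        if opt not in MAX_LEN:
            errors.append(f"-{opt} is not a certificate field option")
        elif opt in CSR_ONLY and action != "csr":
            errors.append(f"-{opt} applies only to -csr")
        elif len(value) > MAX_LEN[opt]:
            errors.append(f"-{opt} exceeds {MAX_LEN[opt]} characters")
        elif opt == "c" and not re.fullmatch(r"[A-Za-z]{2}", value):
            errors.append("-c must be a 2-letter country code")
        elif opt == "cpwd" and len(value) < 6:
            errors.append("-cpwd needs at least 6 characters")
        elif re.search(r'["\x00-\x1f]', value):
            # A quote or control character would end the argument early.
            errors.append(f"-{opt} contains a quote or control character")
        elif opt in BARE and re.search(r"\s", value):
            errors.append(f"-{opt} must not contain whitespace")
    if errors:
        return None, errors
    args = [f"-{o} {v}" if o in BARE and v else f'-{o} "{v}"' for o, v in fields.items()]
    return " ".join([f"sslcfg -{action} {cert_type}"] + args), []


# Constructed input reusing the values from the page's storekey example.
SAMPLE = {"c": "US", "sp": "NC", "cl": "rtp", "on": "IBM",
          "hn": "IMM2-5cf3fc6e0c9d", "cp": "Contact"}

if __name__ == "__main__":
    print(build_sslcfg("csr", "storekey", SAMPLE))
```
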

SKLM Server certificate example:

  • To import the SKLM server certificate, enter the following command:

    system> storekeycfg
    -add -ip 192.168.70.200 -f tklm-server.der
    ok