create-ssl

creates and configures the SSL element in the selected HTTP listener, IIOP listener, or IIOP service

Synopsis

create-ssl [--help]
[--target target]
--type listener_or_service_type
--certname cert_name 
[--ssl2enabled={false|true}] [--ssl2ciphers ss12ciphers] 
[--ssl3enabled={true|false}] [--tlsenabled={true|false}]
[--ssl3tlsciphers ssl3tlsciphers]
[--tlsrollbackenabled={true|false}]
[--clientauthenabled={false|true}]
[listener_id]

Description

The create-ssl subcommand creates and configures the SSL element in the selected HTTP listener, IIOP listener, or IIOP service to enable secure communication on that listener/service.

This subcommand is supported in remote mode only.

Options

If an option has a short option name, then the short option precedes the long option name. Short options have one dash whereas long options have two dashes.

--help
-?

Displays the help text for the subcommand.

--target

Specifies the target on which you are configuring the ssl element. The following values are valid:

server

Specifies the server in which the iiop-service or HTTP/IIOP listener is to be configured for SSL.

config

Specifies the configuration that contains the HTTP/IIOP listener or iiop-service for which SSL is to be configured.

cluster

Specifies the cluster in which the HTTP/IIOP listener or iiop-service is to be configured for SSL. All the server instances in the cluster will get the SSL configuration for the respective listener or iiop-service.

instance

Specifies the instance in which the HTTP/IIOP listener or iiop-service is to be configured for SSL.

--type

The type of service or listener for which the SSL is created. The type can be:

  • network-listener

  • http-listener

  • iiop-listener

  • iiop-service

  • jmx-connector

When the type is iiop-service, the ssl-client-config along with the embedded ssl element is created in domain.xml.

--certname

The nickname of the server certificate in the certificate database or the PKCS#11 token. The format of the name in the certificate is tokenname:nickname. For this property, the tokenname: is optional.

--ssl2enabled

Set this property to true to enable SSL2. The default value is false. If both SSL2 and SSL3 are enabled for a virtual server, the server tries SSL3 encryption first. In the event SSL3 encryption fails, the server then tries SSL2 encryption.

--ssl2ciphers

A comma-separated list of the SSL2 ciphers to be used. Ciphers not explicitly listed will be disabled for the target, even if those ciphers are available in the particular cipher suite you are using. If this option is not used, all supported ciphers are assumed to be enabled. Allowed values are:

  • rc4

  • rc4export

  • rc2

  • rc2export

  • idea

  • des

  • desede3

--ssl3enabled

Set this property to false to disable SSL3. The default value is true. If both SSL2 and SSL3 are enabled for a virtual server, the server tries SSL3 encryption first. In the event SSL3 encryption fails, the server then tries SSL2 encryption.

--tlsenabled

Set this property to false to disable TLS. The default value is true It is good practice to enable TLS, which is a more secure version of SSL.

--ssl3tlsciphers

A comma-separated list of the SSL3 and/or TLS ciphers to be used. Ciphers not explicitly listed will be disabled for the target, even if those ciphers are available in the particular cipher suite you are using. If this option is not used, all supported ciphers are assumed to be enabled. Allowed values are:

  • SSL_RSA_WITH_RC4_128_MD5

  • SSL_RSA_WITH_3DES_EDE_CBC_SHA

  • SSL_RSA_WITH_DES_CBC_SHA

  • SSL_RSA_EXPORT_WITH_RC4_40_MD5

  • SSL_RSA_WITH_NULL_MD5

  • SSL_RSA_WITH_RC4_128_SHA

  • SSL_RSA_WITH_NULL_SHA

--tlsrollbackenabled

Set to true (default) to enable TLS rollback. TLS rollback should be enabled for Microsoft Internet Explorer 5.0 and 5.5. This option is only valid when -tlsenabled=true.

--clientauthenabled

Set to true if you want SSL3 client authentication performed on every request independent of ACL-based access control. Default value is false.

Operands

listener_id

The ID of the HTTP or IIOP listener for which the SSL element is to be created. The listener_id is not required if the --type is iiop-service.

Examples

Example 1   Creating an SSL element for an HTTP listener

The following example shows how to create an SSL element for an HTTP listener named http-listener-1.

asadmin> create-ssl 
--type http-listener
--certname sampleCert http-listener-1
Command create-ssl executed successfully.

Exit Status

0

subcommand executed successfully

1

error in executing the subcommand

See Also

delete-ssl(1)

asadmin(1M)