blob: 705d54724ca411088dc837dd5bf9b7f65fe479ed [file] [log] [blame]
type=page
status=published
title=create-ssl
next=create-system-properties.html
prev=create-service.html
~~~~~~
= create-ssl
[[create-ssl-1]][[GSRFM00058]][[create-ssl]]
== create-ssl
Creates and configures the SSL element in the selected HTTP listener,
IIOP listener, or IIOP service
[[sthref537]]
=== Synopsis
[source]
----
asadmin [asadmin-options] create-ssl [--help]
[--target target]
--type listener_or_service_type
--certname cert_name
[--ssl2enabled={false|true}] [--ssl2ciphers ss12ciphers]
[--ssl3enabled={true|false}] [--tlsenabled={true|false}]
[--ssl3tlsciphers ssl3tlsciphers]
[--tlsrollbackenabled={true|false}]
[--clientauthenabled={false|true}]
[listener_id]
----
[[sthref538]]
=== Description
The `create-ssl` subcommand creates and configures the SSL element in
the selected HTTP listener, IIOP listener, or IIOP service to enable
secure communication on that listener/service.
This subcommand is supported in remote mode only.
[[sthref539]]
=== Options
If an option has a short option name, then the short option precedes the
long option name. Short options have one dash whereas long options have
two dashes.
asadmin-options::
Options for the `asadmin` utility. For information about these
options, see the link:asadmin.html#asadmin-1m[`asadmin`(1M)] help page.
`--help`::
`-?`::
Displays the help text for the subcommand.
`--target`::
Specifies the target on which you are configuring the ssl element. The
following values are valid:
`server`;;
Specifies the server in which the iiop-service or HTTP/IIOP listener
is to be configured for SSL.
config;;
Specifies the configuration that contains the HTTP/IIOP listener or
iiop-service for which SSL is to be configured.
cluster;;
Specifies the cluster in which the HTTP/IIOP listener or
iiop-service is to be configured for SSL. All the server instances
in the cluster will get the SSL configuration for the respective
listener or iiop-service.
instance;;
Specifies the instance in which the HTTP/IIOP listener or
iiop-service is to be configured for SSL.
`--type`::
The type of service or listener for which the SSL is created. The type
can be:
* `network-listener`
* `http-listener`
* `iiop-listener`
* `iiop-service`
* `jmx-connector`
+
When the type is `iiop-service`, the `ssl-client-config` along with
the embedded `ssl` element is created in `domain.xml`.
`--certname`::
The nickname of the server certificate in the certificate database or
the PKCS#11 token. The format of the name in the certificate is
tokenname:nickname. For this property, the tokenname: is optional.
`--ssl2enabled`::
Set this property to `true` to enable SSL2. The default value is
`false`. If both SSL2 and SSL3 are enabled for a virtual server, the
server tries SSL3 encryption first. In the event SSL3 encryption
fails, the server then tries SSL2 encryption.
`--ssl2ciphers`::
A comma-separated list of the SSL2 ciphers to be used. Ciphers not
explicitly listed will be disabled for the target, even if those
ciphers are available in the particular cipher suite you are using. If
this option is not used, all supported ciphers are assumed to be
enabled. Allowed values are:
* `rc4`
* `rc4export`
* `rc2`
* `rc2export`
* `idea`
* `des`
* `desede3`
`--ssl3enabled`::
Set this property to `false` to disable SSL3. The default value is
`true`. If both SSL2 and SSL3 are enabled for a virtual server, the
server tries SSL3 encryption first. In the event SSL3 encryption
fails, the server then tries SSL2 encryption.
`--tlsenabled`::
Set this property to `false` to disable TLS. The default value is
`true` It is good practice to enable TLS, which is a more secure
version of SSL.
`--ssl3tlsciphers`::
A comma-separated list of the SSL3 and/or TLS ciphers to be used.
Ciphers not explicitly listed will be disabled for the target, even if
those ciphers are available in the particular cipher suite you are
using. If this option is not used, all supported ciphers are assumed
to be enabled. Allowed values are:
* `SSL_RSA_WITH_RC4_128_MD5`
* `SSL_RSA_WITH_3DES_EDE_CBC_SHA`
* `SSL_RSA_WITH_DES_CBC_SHA`
* `SSL_RSA_EXPORT_WITH_RC4_40_MD5`
* `SSL_RSA_WITH_NULL_MD5`
* `SSL_RSA_WITH_RC4_128_SHA`
* `SSL_RSA_WITH_NULL_SHA`
`--tlsrollbackenabled`::
Set to `true` (default) to enable TLS rollback. TLS rollback should be
enabled for Microsoft Internet Explorer 5.0 and 5.5. This option is
only valid when `-tlsenabled=true`.
`--clientauthenabled`::
Set to `true` if you want SSL3 client authentication performed on
every request independent of ACL-based access control. Default value
is `false`.
[[sthref540]]
=== Operands
listener_id::
The ID of the HTTP or IIOP listener for which the SSL element is to be
created. The listener_id is not required if the `--type` is `iiop-service`.
[[sthref541]]
=== Examples
[[GSRFM525]][[sthref542]]
==== Example 1   Creating an SSL element for an HTTP listener
The following example shows how to create an SSL element for an HTTP
listener named `http-listener-1`.
[source]
----
asadmin> create-ssl
--type http-listener
--certname sampleCert http-listener-1
Command create-ssl executed successfully.
----
[[sthref543]]
=== Exit Status
0::
subcommand executed successfully
1::
error in executing the subcommand
[[sthref544]]
=== See Also
link:asadmin.html#asadmin-1m[`asadmin`(1M)]
link:delete-ssl.html#delete-ssl-1[`delete-ssl`(1)]