tklmCertList
Use the tklmCertList command to return certificate information, which is based on criteria such as a specific state.
Purpose
Use this command to return certificate information, which is based on specified criteria such as a specific state.
- uuid
- alias and keystore name
Alternatively, you can list all certificates in a specified state. If you do not specify any parameter, you can list all certificates.
- The KMIP interface for IBM Security Key Lifecycle Manager, version 2.5 does not support the certificate object. IBM Security Key Lifecycle Manager creates certificate objects internally, but does not set some KMIP required and optional attributes.
Running the tklmCertList command in verbose mode lists many of the KMIP attributes as NULL. The null values do not affect the IBM Security Key Lifecycle Manager function.
- Use the tklmCertList command to find certificates that are marked as CONFLICTED or UNKNOWN. Specify no value for the -usage parameter, or specify a parameter value of 3592, DS8000, or SSLSERVER. For example, this Jython-formatted command lists all certificates for the 3592 device group:
print AdminTask.tklmCertList('[-usage 3592 -v y]')
- The tklmCertList command returns only the first 2000 certificates.
Permissions
Your role must have a permission to the view action and a permission to the appropriate device group. Or, your role must have a permission to the configure action to view an SSL or KMIP certificate.
Syntax
tklmCertList -uuid universalCertID -alias certalias -keyStoreName keystorename -attributes [state value ] -usage {3592 | DS8000 | GPFS | PEER_TO_PEER | GENERIC | userdevicegroup | SSLSERVER | SSLCLIENT | SYSLOG } -v {y | n}
Parameters
There are no required parameters.
- -alias
- Specify a unique name for the certificate.
- -attributes
- Specify the attributes to search for. Only the state attribute and the trusted attribute are supported; only one state can be specified in a command instance.
- state
- You can include the following values for the state attribute:
- pending
- A certificate request entry is pending the return of a certificate that is approved and certified by a certificate authority.
- pre-active
- Object exists but is not yet usable for any cryptographic purpose, such as migrated certificates with a future use time stamp.
- active
- Object is in operational use for protecting and processing data that might use Process Start Date and Protect Stop Date attributes. For example, protecting includes encryption and signature issue. Processing includes decryption and signature verification.
- compromised
- The security of the object is suspect for some reason. A compromised object never returns to an uncompromised state, and cannot be used to protect data. Use the object only to process cryptographically protected information in a client that is trusted to handle compromised cryptographic objects. IBM Security Key Lifecycle Manager retains the state of the object immediately before it was compromised. To process data that was previously protected, the compromised object might continue to be used.
- deactivated
- Object is not to be used to apply cryptographic protection such as encryption or signing. However, if extraordinary circumstances occur, the object can be used with special permission to process cryptographically protected information. For example, processing includes decryption or verification.
- destroyed
- Object is no longer usable for any purpose. This status causes the object to be removed from the product.
- destroyed-compromised
- Object is no longer usable for any purpose. This status causes the object to be removed from the product.
- trusted
- Values are y, n, or no value.
Set the value to y to list only trusted certificates. Set this value to n to list only untrusted certificates. Not setting a value lists both trusted and untrusted certificates.
- -keyStoreName
- Specify the name of the keystore.
- -usage
- Specify the target application usage, such as SSLSERVER. You can specify the following values:
- 3592
- Specifies the 3592 device group.
- DS8000
- Specifies the DS8000 device group.
- GPFS
- Specifies the IBM Spectrum Scale (previously known as GPFS) device group.
- PEER_TO_PEER
- Specifies the PEER_TO_PEER device group.
- GENERIC
- Specifies a device family that uses the Key Management Interoperability Protocol to interact with IBM Security Key Lifecycle Manager. The GENERIC device group enables management of KMIP objects.
Do not use the command-line interface to add a device to the GENERIC device group, or to change a GENERIC device group attribute.
- SSLCLIENT
- Client-side certificate that is used in secure communication by using Secure Socket Layer protocol to authenticate the client device.
- SSLSERVER
- Server-side certificate that is used in secure communication by using Secure Socket Layer protocol.
- SYSLOG
- Syslog server-side certificate that is used in secure communication by using Secure Socket Layer protocol to authenticate the syslog server.
- userdevicegroup
- Specifies a user-defined group that is based on a supported device family.
- -uuid
- Specify the Universal Unique Identifier of the certificate. For example, CERTIFICATE-b4c70958-446d-42c4-ae3b-8c9e0f44c0fa might be the value.
- -v [y | n]
- Verbose. The default is n, or no extra information. To list more information about a certificate, specify y (for yes):
-v y
Example
This Jython-formatted command lists certificates that are in active state.
print AdminTask.tklmCertList('[-usage 3592 -attributes "{state active}" -v y]')
This command lists the first 2000 certificates.
print AdminTask.tklmCertList()
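The following script is an added example, not part of the product documentation. It builds tklmCertList argument strings that are validated against the state and usage values listed on this page, and generates one narrow query per device group and state for a review of compromised and deactivated certificates. The function names, the user_groups parameter, and the space-separated form for combining the state and trusted attributes are assumptions.

```python
# Added example: Jython 2 / Python 3 compatible; values are taken from this page.
STATES = ("pending", "pre-active", "active", "compromised", "deactivated",
          "destroyed", "destroyed-compromised")
USAGES = ("3592", "DS8000", "GPFS", "PEER_TO_PEER", "GENERIC",
          "SSLSERVER", "SSLCLIENT", "SYSLOG")


def build_cert_list_args(usage, state=None, trusted=None, verbose=False,
                         user_groups=()):
    """Return the bracketed argument string for AdminTask.tklmCertList.

    user_groups holds the names of user-defined device groups (site-specific).
    """
    if usage not in USAGES and usage not in user_groups:
        raise ValueError("unknown -usage value: %r" % (usage,))
    parts = ["-usage %s" % usage]
    attrs = []
    if state is not None:
        # Only one state per command instance; anything else is rejected here.
        if state not in STATES:
            raise ValueError("unsupported state: %r" % (state,))
        attrs.append("{state %s}" % state)
    if trusted is not None:
        if trusted not in ("y", "n"):
            raise ValueError("trusted must be 'y' or 'n'")
        attrs.append("{trusted %s}" % trusted)
    if attrs:
        # Assumption: multiple attribute pairs are separated by a space.
        parts.append('-attributes "%s"' % " ".join(attrs))
    if verbose:
        parts.append("-v y")
    return "[%s]" % " ".join(parts)


def review_sweep(usages, states=("compromised", "deactivated"), user_groups=()):
    """One query per (usage, state) pair, which narrows each result set
    relative to the 2000-certificate limit of a single call."""
    return [build_cert_list_args(u, s, verbose=True, user_groups=user_groups)
            for u in usages for s in states]


# AdminTask exists only inside the Jython scripting session; elsewhere this is skipped.
if "AdminTask" in globals():
    for args in review_sweep(["3592", "DS8000", "SSLSERVER"]):
        print(args)
        print(AdminTask.tklmCertList(args))
```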