IBM

Onboarding WebSphere (Linux)

Prerequisites

  1. Ensure that application/service users have the appropriate read/write permission to perform the CLM actions on the server device, if the access elevation is selected as None.
    When the access elevation is dzdo, all the commands used to perform the CLM operations will be executed with dzdo.
  2. Verify that the commands needing dzdo access have been enabled on the server.
  3. [Websphere Linux] Ensure that the following packages are installed to facilitate device addition:
    • dzdo (optional, as per the access elevation selected)
    • SFTP
  4. Ensure that the target IP address is accessible from the cloud connector and the port is open.
  5. Make sure that the language setting for the Websphere Server is set to English. Ensure that the dzdo prompt string follows the standard Linux format, which is typically "[dzdo] password for <your_username>:"
  6. Only certificates in p12 and .jks formats and key files are discovered.
  7. SSH private keys cannot be used in conjunction with password-enabled sudo/dzdo settings. Therefore, if an SSH key is used for authentication, ensure that the sudo/dzdo configuration is set to passwordless.
  8. Certificates are not identified from a path on which the user does not have the required permission (such as 640). Ensure that the file is the same as the one configured during device addition; configure the certificates in the config files with an accessible path, or change the file permissions to make the files accessible.
  9. Confirm that the WebSphere instance is properly configured with the necessary profiles, servers, and management scope, including the correct cell and node details.
  10. Ensure the security.xml file is present, the WebSphere server is running, and the user can successfully login to the wsadmin.sh script using the required WebSphere wsadmin credentials.
Note: We currently do not support WebSphere management scopes that lack either cell or node information. Please ensure that all management scopes contain this information.
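
A preflight for prerequisites 6, 8 and 10 and for the temporary push location, to be run as the SSH or service user before the device is added. This is an added example, not AppViewX tooling: the function names are hypothetical, the layout follows the security.xml path and the example WSadmin directory path given on this page, and wsadmin.sh is assumed to sit in the bin directory under that path.

```shell
#!/bin/sh
# Added example: preflight for the WebSphere (Linux) prerequisites.
# Run as the SSH or service user that will be entered during onboarding.

FAILURES=0

# Run a check command and record PASS/FAIL without aborting on failure.
check() {  # check <description> <command> [args...]
    desc=$1; shift
    if "$@"; then
        echo "PASS  $desc"
    else
        echo "FAIL  $desc"
        FAILURES=$((FAILURES + 1))
    fi
}

# Prerequisite 6: only p12 and jks keystores and key files are discovered.
keystore_format_ok() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *.p12|*.jks|*.key) return 0 ;;
        *) return 1 ;;
    esac
}

# Prerequisite 8: the configured path must exist and be readable by this user.
keystore_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Temporary Push Location: read, write and execute are all required.
push_dir_ok() {
    [ -d "$1" ] && [ -r "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# Prerequisite 10: security.xml exists for the profile and cell,
# and wsadmin.sh is executable (assumed location: <was_root>/bin).
websphere_layout_ok() {  # <was_root> <profile> <cell>
    [ -f "$1/profiles/$2/config/cells/$3/security.xml" ] && [ -x "$1/bin/wsadmin.sh" ]
}

# preflight <was_root> <profile> <cell> <push_dir> [keystore...]
# Returns 0 only when every check passes; FAILURES holds the failure count.
preflight() {
    was_root=$1; profile=$2; cell=$3; push_dir=$4
    shift 4
    FAILURES=0
    check "security.xml and wsadmin.sh for $profile/$cell" \
        websphere_layout_ok "$was_root" "$profile" "$cell"
    check "temporary push location $push_dir is rwx" push_dir_ok "$push_dir"
    for ks in "$@"; do
        check "$ks is a p12, jks or key file" keystore_format_ok "$ks"
        check "$ks is readable" keystore_readable "$ks"
    done
    [ "$FAILURES" -eq 0 ]
}

# Usage with the page's example values:
#   sh preflight.sh /opt/IBM/WebSphere/AppServer TestServer01 TestCell01 /tmp/files /tmp/certs/sample.jks
if [ "$#" -ge 4 ]; then
    preflight "$@"
fi
```

The script does not verify that the server is running or that the wsadmin login succeeds; those parts of prerequisite 10 still need a manual check.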

Onboarding Steps

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select IBM from the Vendors list.
  5. In the Server details section, enter the details as follows.
    Table 1. Server details - Field description table
    Fields Description
    *Server Type Select the Websphere (Linux) from the dropdown field.
    *Server name Enter the name of the designated websphere server.
    *IP address Enter the IP address of the IBM Server that is to be onboarded.
    Data center Choose the desired data center.
    Onboarding Group Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    *SSH Port Retain the value 22; it is the default port used for the SSH communication mode.
    Cert Sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the IBM server device.
    Table 2. Credentials - Field description table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - AppViewX
    • Credential List - HashiCorp
    • SSH
    Note:
    • All other vault settings (BeyondTrust, Cyberark, Hashicorp Vault, Thycotic, and so on.) configured in the Credentials will be displayed in the dropdown.
    • If Credential list - AppViewX is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    • If Credential list - HashiCorp is selected, the *Credentials list dropdown field is displayed with credential type by default.
    • If SSH is selected, enter the *Username, *Upload key file, and optionally enter the Passphrase for authentication.
    *Username Enter the designated username for authentication. (field displayed for manual entry and SSH)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
  7. In the Service account credentials section, enter the details as indicated below. These credentials are used by the WebSphere application server to perform various tasks, such as accessing files, interacting with the operating system, and communicating with other applications and services.
    If the interactive mode is not enabled for the service account on the Linux machine, the configured service account will switch the session from the logged-in SSH account to the service account using the command: su - {serviceUserName}. Once the session is switched, all subsequent commands will execute within the context of the service account session.
    Table 3. Service account credentials - Field description table
    Fields Description
    *Username Enter the designated username for authentication.
    *Password Enter the secure password.
    *: Mandatory fields
    Note: The SSH user, or the service account (if service credentials are enabled), must have read and write access to the WebSphere configuration and cert directory where certificates will be/are deployed.
  8. In the WSadmin credentials section, enter the details as indicated below. These credentials are used to authenticate the wsadmin tool with the WebSphere Application Server so that it can execute administrative commands and access the necessary resources.
    Irrespective of the SSH user or service account user configuration, wsadmin credentials are required for us to open an interactive administrative scripting session where we can execute WebSphere management commands. In WebSphere Application Server (WAS), wsadmin is the standard and recommended way to manage configurations like SSL, keystores, and bindings — because these changes are part of the WebSphere configuration repository (config cells, nodes, servers, etc.).
    Table 4. WSadmin credentials - Field description table
    Fields Description
    WSadmin User name The administrative user account for IBM WebSphere Application Server that has the privileges to access and interact with the wsadmin interface.
    WSadmin Password The password corresponding to the WebSphere administrative user. This account must have permissions to execute wsadmin commands for configuration and management tasks.
    WSadmin directory path The absolute path to the root directory where IBM WebSphere Application Server is installed. This path is required to locate and run the wsadmin tool.

    Example path: /opt/IBM/WebSphere/AppServer/

  9. Click Add.
    The WSadmin details are listed in the table.
  10. (optional step) Click the delete icon, if you want to delete the WSadmin details from the list.
  11. In the Vendor Specific Details section enter the details as follows.
    Table 5. Vendor Specific Details - Field Description Table
    Fields Description
    Access Elevation Select from the following:
    • None
    • dzdo - to execute with root privileges using dzdo access
    Note: SSH key-based authentication doesn't support password enabled sudo/dzdo.
    Temporary Push Location Enter the temporary directory/path where certificates or keys are temporarily stored during certificate push actions. If service account credentials are being used, ensure that both the SSH user and Service user have read, write, and execute (RWX) permissions for the specified temporary directory.

    Example: /tmp/files

  12. In the Certificate details section (optional to discover non-profile certificate), enter the details as indicated below.
    Table 6. Certificate Details - Field Description Table
    Fields Description
    Key store location Enter the location of the java keystore that contains the private key and an associated certificate.

    Example: /tmp/certs/sample.jks

    Key store password Enter the key store password to access the keystore location.
    Trust store location Enter the location of the java keystore that contains the CA certificates.

    Example: /tmp/certs/sample.jks

    Trust store password Enter the trust store password to access the keystore location.
  13. Click Add.
    The certificate details are listed in the table.
  14. (optional step) Click the delete icon, if you want to delete the certificate location from the list.
  15. Click Save.
    The device is onboarded successfully.

Commands for CLM Operations

Each entry below gives the command, its description, and whether dzdo configuration is required.

Session configuration commands (executed after the SSH session is created, for all use cases)

  • Command: bind 'set enable-bracketed-paste off'
    Description: Disables the bracketed-paste configuration for the current session.
    Dzdo configuration required: No
  • Command: export PS1="bash-4.3~"
    Description: Sets the SSH session prompt string.
    Dzdo configuration required: No
  • Command: uname -a
    Description: Identifies the OS details (AIX OS has some changes in the command format).
    Dzdo configuration required: No

PreConfig fetch

  • Command: ps -eaf|grep 'websphere'
    Description: Returns all the running WebSphere processes on the device.
    Dzdo configuration required: No
  • Command: /opt/IBM/WebSphere/AppServer/bin/versionInfo.sh |grep -w 'Name' --color=never
    Description: Checks whether the given installation has IBM WebSphere Application Server installed.
    Dzdo configuration required: No
  • Command: /opt/IBM/WebSphere/AppServer/bin/versionInfo.sh | grep -w 'Version ' --color=never
    Description: Returns the version details of the installed WebSphere instance.
    Dzdo configuration required: No

Config fetch (for each installation path)

  • Command: ./manageprofiles.sh -listProfiles
    Description: Displays a list of all profiles currently configured on the server.
    Dzdo configuration required: No
  • Command: ./wsadmin.sh -lang jython -user USERNAME -password PASSWORD
    Description: Opens an interactive administrative scripting session where we can execute WebSphere management commands.
    Dzdo configuration required: No
  • Command: print AdminConfig.list('Security')
    Description: Prints the Security configuration object(s) currently defined in WebSphere Application Server.
    Dzdo configuration required: No
  • Command: cat /opt/IBM/WebSphere/AppServer/profiles/TestServer01/config/cells/TestCell01/security.xml
    Description: Displays the WebSphere Application Server security configuration XML for profile TestServer01 and cell TestCell01. This is required to identify the keystore locations and assist in framing the profile settings.
    Dzdo configuration required: No

Discovery

  • Command: SFTP protocol
    Description: SFTP is used to retrieve certificates from the keystore location. When the service account is enabled, the certificate is first copied to a temporary directory. After that, the certificate content is fetched using the SFTP protocol.
    Dzdo configuration required: No

CSR Generation

  • Command: openssl req -nodes -newkey {keyType}:{bitLength} -{hashFuntion} -days {validityInDays} -keyout {keyFileName}.key -out {csrFileName}.csr -subj '/C={country}/ST={state}/L={location}/O={organisation}/OU={organisationUnit}/CN={commonName}/emailAddress={email}/' -config <location>/{csrConfFileName}
    Description:
      1. RSA as key type: generates the CSR and key at the WebSphere endpoint.
      2. DSA as key type: generates the CSR at the WebSphere endpoint.
    Dzdo configuration required: No
  • Command: openssl req -nodes -new -{hashFuntion} -days {validityInDays} -key {keyFileName}.key -out {csrFileName}.csr -subj '/C={country}/ST={state}/L={location}/O={organisation}/OU={organisationUnit}/CN={commonName}/emailAddress={email}/' -config <location>/{csrConfFileName}
    Description: Generates the CSR when the key type is EC or ECDSA.
    Dzdo configuration required: No
  • Command: openssl dsaparam -out {keyFileName}.key {bitLength}
    Description: Generates the key at the endpoint if the key type is DSA.
    Dzdo configuration required: No
  • Command: openssl ecparam -name {algorithm} -genkey -noout -out {keyFileName}.key
    Description: Generates the key at the endpoint if the key type is EC or ECDSA.
    Dzdo configuration required: No

Push

  • Command: find /opt/IBM/WebSphere/AppServer -type f -name keytool 2> /dev/null | head -1
    Description: Finds the first occurrence of the keytool binary inside the WebSphere installation directory.
    Dzdo configuration required: No
  • Command: SFTP protocol
    Description: We will use SFTP to upload the certificate generated by AppViewX to the temporary directory on the target WebSphere device. After that, we will import the certificate into the target keystore using the keytool command.
  • Command: /opt/IBM/WebSphere/AppServer/jre_8.0.8010.20230917_1318/jre/bin/keytool -changealias -alias 'cn=appviewx123.test.com, sn=be:1b:39:fc:d1:44:ca:59:b9:c2:00:dd:2e:3b:f7:63' -destalias 'webspheredefaultpush' -storepass appviewx@123 -keystore '/tmp/appviewx123.test.comBE1B39FCD144CA59B9C200DD2E3BF763.jks'
    Description: First, we generate the certificate in AppViewX and upload it to the temporary folder. If the user has provided a custom alias name, we then update it using this command. Otherwise, it will have the default alias name framed from the CN.
    Dzdo configuration required: No
  • Command: /opt/IBM/WebSphere/AppServer/jre_8.0.8010.20230917_1318/jre/bin/keytool -importkeystore -noprompt -srckeystore '/tmp//appviewx123.test.comBE1B39FCD144CA59B9C200DD2E3BF763.jks' -destkeystore '/Location/webspheredefaultpush.jks' -srcstorepass appviewx@123 -deststorepass appviewx@123
    Description: Copies certificates, private keys, and other entries from a source keystore to a destination keystore.
    Dzdo configuration required: No
  • Command: rm -rf
    Description: Removes the temporary files.

Bind

  • Command: AdminTask.createKeyStore('[-keyStoreName keyStoreName -scopeName managementScopeName -keyStoreType keyStoreType -keyStoreLocation keyStoreLocation -keyStorePassword keyStorePassword -keyStorePasswordVerify keyStorePassword -keyStoreIsFileBased true -keyStoreInitAtStartup true -keyStoreReadOnly false]')
    Description: Creates a new keystore in the server configuration with the specified settings.
    Dzdo configuration required: No
  • Command: AdminTask.modifySSLConfig('[-scopeName managementScope -alias storeName -clientKeyAlias trimmedAliasName -serverKeyAlias trimmedAliasName -keyStoreName keyStoreName -trustStoreName trustStoreName -keyStoreScopeName managementScope -trustStoreScopeName managementScope -securityLevel HIGH]')
    Description: Modifies the SSL configuration for a specified management scope. This command allows you to set various SSL properties, including keystore and truststore details.
    Dzdo configuration required: No
  • Command: print AdminConfig.list('Server')
    Description: Retrieves a list of all server configuration objects in the WebSphere Application Server environment. This command provides detailed information about each server, such as its name, type, and associated settings.
    Dzdo configuration required: No
  • Command: AdminTask.modifyKeyStore('[-keyStoreName keyStoreName -keyStoreLocation keyStoreLocation -keyStoreType type -keyStorePassword keyStorePassword]')
    Description: Modifies the attributes of an existing key store. A key store is a repository of security certificates and private keys used to establish secure communications.
    Dzdo configuration required: No
  • Command: AdminTask.modifySSLConfigGroup('[-name sslConfigGroupName -direction inbound -certificateAlias trimmedAliasName -scopeName managementScope -sslConfigAliasName storeName -sslConfigScopeName managementScope]')
    Description: Modifies the settings of an SSL configuration group. SSL configuration groups allow you to manage multiple SSL configurations collectively, making it easier to handle security settings for various applications and services.
    Dzdo configuration required: No
  • Command: AdminConfig.save()
    Description: Used in the WebSphere administrative scripting environment (wsadmin) to persist any changes made to the configuration.
    Dzdo configuration required: No

Service Restart

  • Command: ./startServer.sh SERVERNAME
    Description: This script, located in the bin directory of a WebSphere profile, is the utility for starting WebSphere server instances.
    Dzdo configuration required: No
  • Command: ./stopServer.sh -user USERNAME -password PASSWORD
    Description: This script, located in the bin directory of a WebSphere profile, is the utility for stopping WebSphere server instances.
    Dzdo configuration required: No
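
Several of the commands listed above carry passwords as arguments (-password, -storepass, -srcstorepass, -deststorepass), so any process listing or command audit log collected from the server while they run will contain those values. The filter below is an added example, not AppViewX code: it masks the values before such lines are stored or forwarded, and its sample lines are constructed from the command templates on this page with made-up values.

```shell
#!/bin/sh
# Added example: mask secrets that the listed commands pass as arguments.

# Secret-bearing flags taken from the commands on this page.
SECRET_FLAGS='password|storepass|srcstorepass|deststorepass'

# Replace the value after each secret flag with ****.
# Handles bare, single-quoted and double-quoted values.
redact_cli_secrets() {
    sed -E "s/(^|[[:space:]])(-($SECRET_FLAGS)[[:space:]]+)('[^']*'|\"[^\"]*\"|[^[:space:]]+)/\1\2****/g"
}

# Count input lines that carry at least one secret flag (prints 0 when none do).
count_exposed() {
    grep -E -c -- "(^|[[:space:]])-($SECRET_FLAGS)[[:space:]]" || true
}

# Constructed sample of captured command lines (for example from ps or an
# audit log); user names, paths and ExamplePass1 are made up.
sample_lines() {
    cat <<'EOF'
./wsadmin.sh -lang jython -user wasadmin -password ExamplePass1
keytool -changealias -alias 'cn=host.example.test' -destalias 'webspheredefaultpush' -storepass 'ExamplePass1' -keystore '/tmp/files/new.jks'
keytool -importkeystore -noprompt -srckeystore '/tmp/files/new.jks' -destkeystore '/tmp/certs/sample.jks' -srcstorepass ExamplePass1 -deststorepass ExamplePass1
./manageprofiles.sh -listProfiles
./stopServer.sh -user wasadmin -password ExamplePass1
EOF
}

# Stand-alone run: show the redacted form of the sample.
sample_lines | redact_cli_secrets
```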

Onboarding Websphere (Windows)

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select IBM from the Vendors list.
  5. In the Server details section, enter the details as follows:
    Table 7. Server details - Field Description Table
    Fields Description
    *Server Type Select the Websphere (Windows) from the dropdown field.
    *Server name Enter the name of the designated websphere server.
    Communication mode Select Gateway or SSM protocol to be used for communication between the AppViewX node and the IBM server. Gateway is the preferred communication mode.
    *Hostname Enter the hostname of the IBM Windows server that is to be onboarded.
    Data center Choose the desired data center. It holds all the SSL certificates that are to be retrieved from the Apache server.
    Cert Sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the IBM server device.
    If Communication mode = Gateway the fields are as follows:
    Table 8. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown:
    • Manual entry (default)
    • Credential List - AppViewX
    • Credential List - HashiCorp
    Note:
    • All other vault settings (BeyondTrust, Cyberark, Hashicorp Vault, Thycotic, and so on.) configured in the Credentials will be displayed in the dropdown.
    • If Credential list - AppViewX is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    • If Credential list - HashiCorp is selected, the *Credentials list dropdown field is displayed with credential type by default.
    *Username Enter the designated username for authentication. (field displayed for manual entry and SSH)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 9. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - cloudAccount
    Note: If Credential list - cloudAccount is selected, the *Account name dropdown field is displayed. Select any of the preconfigured credential values.
    *Access key Enter the access key to login to the EC2 instance of the AWS cloud machine.
    *Secret key Enter the secret key to login to the EC2 instance of the AWS cloud machine.
    *: Mandatory fields
  7. In the Windows gateway details section, enter the details as indicated below. (This section is displayed only if Communication mode = Gateway)
    Table 10. Windows gateway details - Field Description Table
    Fields Description
    *Gateway type Select to use the PowerShell or WMI commands as the gateway communication mode.
    *Gateway location The value Remote is selected by default.
    *Select gateway Select the New or Existing gateway to be used. The below fields are enabled/disabled according to the selection.
    *Windows gateway name Enter the new gateway name. (Enabled when New is selected as gateway)
    *Windows gateway URL Enter the URL for the new gateway. (Enabled when New is selected as gateway)
    Client authentication certificate Click Browse and upload the client authentication certificate for the new gateway. (Enabled when New is selected as gateway)
    *Windows gateway Select any of the existing configured gateways from the dropdown list. (Enabled when Existing is selected as gateway)
    *: Mandatory fields
  8. In the WSadmin credentials section, enter the details as indicated below. These credentials are used to authenticate the wsadmin tool with the WebSphere Application Server so that it can execute administrative commands and access the necessary resources.
    Table 11. WSadmin credentials - Field description table
    Fields Description
    *WSadmin User name The administrative user account for IBM WebSphere Application Server that has the privileges to access and interact with the wsadmin interface.
    *WSadmin Password The password corresponding to the WebSphere administrative user. This account must have permissions to execute wsadmin commands for configuration and management tasks
  9. Click Add.
    The WSadmin details are listed in the table.
  10. In the Vendor Specific Details section, enter the details as indicated below. (This section is displayed only if Communication mode = SSM)
    Table 12. Vendor Specific Details - Field Description Table
    Fields Description
    *Region Enter the geographic region of the AWS instance.

    Example: us-east-2

    *Instance id Enter the unique identifier for an EC2 instance in AWS.

    It is required to perform actions or execute commands on a specific EC2 instance

    Example: i-02573cafcftext

    *SSM document name Enter the name of the SSM document that contains the script or action to be executed on the EC2 instance.

    Example: AWS-RunShellScript is an SSM document that allows you to execute shell scripts on EC2 instances.

    *SSM document version Specify the version of the SSM document to be executed.

    Example: 1

    *S3 bucket name Enter the S3 bucket name used to store command output or logs executed in the EC2 instance.

    Example: avxdiscoverydocument-c2

    Proxy required Select the checkbox to enable the secure proxy service.
    *: Mandatory fields
  11. [Optional] Click the Delete icon, if you want to delete the WSadmin details from the list.
  12. In the Directory section, enter the details as indicated:
    Table 13. Directory section - Field description table
    Fields Description
    WSadmin directory path The absolute path to the root directory where IBM WebSphere Application Server is installed. This path is required to locate and run the wsadmin tool.

    Example path: C:\IBM_WAS9\WebSphere\AppServer

  13. In the Certificate details section (optional to discover non-profile certificate), enter the details as indicated:
    Table 14. Certificate Details - Field Description Table
    Fields Description
    Key store location Enter the location of the java keystore that contains the private key and an associated certificate.

    Example: C:\keystore\samle.jks

    Key store password Enter the key store password to access the keystore location.
    Trust store location Enter the location of the java keystore that contains the CA certificates.

    Example: C:\keystore\samle.jks

    Trust store password Enter the trust store password to access the keystore location.
  14. Click Add.
    The certificate details are listed in the table.
  15. [Optional] Click the Delete icon, if you want to delete the certificate location from the list.
  16. Click Save.
    The device is onboarded successfully.

Onboarding Data Power

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select IBM from the Vendors list.
  5. In the Server details section, enter the details as follows.
    Table 15. Server details - Field description table
    Fields Description
    *Server Type Select the Data Power from the dropdown field.
    *Server name Enter the name of the designated Data Power server.
    *IP address/FQDN Enter the IP address or the fully qualified domain name of the IBM Server that is to be onboarded.
    Data center Choose the desired data center. It holds all the SSL certificates that are to be retrieved from the server.
    *Rest Port Retain the value 22; it is the default port used for the communication.
    Cert Sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the IBM server device.
    Table 16. Credentials - Field description table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List- Appviewx
    Note: If Credential list - Appviewx is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    *Username Enter the designated username for authentication. (field displayed for manual entry only)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
  7. In the Vendor Specific Details section enter the details as follows.
    Table 17. Vendor Specific Details - Field Description Table
    Fields Description
    Is Https? Select the checkbox to enable the secure mode.
  8. Click Save.
    The device is onboarded successfully.

Onboarding Domino

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select IBM from the Vendors list.
  5. In the Server details section, enter the details as follows.
    Table 18. Server details - Field description table
    Fields Description
    *Server Type Select the Domino from the dropdown field.
    *Server name Enter the name of the designated domino server.
    *Hostname Enter the hostname of the IBM Server that is to be onboarded.
    Data center Choose the desired data center. It holds all the SSL certificates that are to be retrieved from the server.
    Cert Sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the IBM server device.
    Table 19. Credentials - Field description table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List- Appviewx
    Note: If Credential list - Appviewx is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    *Username Enter the designated username for authentication. (field displayed for manual entry only)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
  7. In the Vendor Specific Details section enter the details as follows.
    Table 20. Vendor Specific Details - Field Description Table
    Fields Description
    *Installation directory Enter the directory/path where the application is installed.

    Example: </Installation_directory/>/domain-registry.xml

  8. In the Windows gateway details section, enter the details as indicated below.
    Table 21. Windows Gateway Details - Field Description Table
    Fields Description
    *Gateway type Select to use the PowerShell or WMI commands as the gateway communication mode.
    *Gateway location The value Remote is selected by default.
    *Select gateway Select the New or Existing gateway to be used. The below fields are enabled/disabled according to the selection.
    *Windows gateway name Enter the new gateway name. (Enabled when New is selected as gateway).
    *Windows gateway URL Enter the URL for the new gateway. (Enabled when New is selected as gateway).
    Client authentication certificate Click Browse and upload the client authentication certificate for the new gateway. (Enabled when New is selected as gateway).
    *Windows gateway Select any of the existing configured gateways from the dropdown list. (Enabled when Existing is selected as gateway).
    *: Mandatory fields
  9. Click Save.
    The device is onboarded successfully.

Onboarding MQServer (Linux)

Prerequisites

  • Ensure that the target MQ Server is reachable from the AppViewX Cloud Connector (SaaS) and Vendors pods of the selected DC (On-Prem), and that the required port is open.
    • To establish an SSH connection using a specific port, use the following command:
      ssh -p <port_number> <username>@<hostname_or_ip_address>
  • AppViewX uses SFTP for certificate file transfers. Ensure that SFTP is properly configured and accessible for the logged-in user from the Cloud Connector/Vendor pods. Test the connection using:
    sftp <username>@<hostname>
    To upload files to the remote server, use the put command:
    put <localfile> /path/to/remote/directory
  • Install GSKit on the MQ Server to enable discovery of KDB certificates. If GSKit or any of the following toolkit binaries are missing, KDB certificates will not be detected — runmqakm, gsk8capicmd, gsk8cmd, gsk7capicmd, gsk7cmd, gskcmd, gsk8capicmd_64.
    • One of these toolkits must be installed, but AppViewX recommends using runmqakm for best compatibility.
    • Provide the KDB push server certificate label in lowercase.
    • Ensure that toolkit commands can be executed globally (i.e., from any directory path).
    • To confirm that GSKit or MQ toolkits are properly installed, execute the following commands:
      dspmqver -p 64
      gsk8capicmd -version | grep FileVersion
      gsk8cmd -version | grep FileVersion
      gsk7capicmd -version | grep FileVersion
      gsk7cmd -version | grep FileVersion
      gskcmd -version | sed 's/version/Version/'
      gsk8capicmd_64 -version | grep FileVersion
  • The GSToolkit is required on the MQ Server for private key and CSR generation. Ensure it is installed and accessible on the target machine.
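
The toolkit prerequisites above can be checked in one pass on the MQ Server. This is an added example, not AppViewX tooling: the function names are hypothetical, the binary names are the ones listed on this page, and "executable globally" is interpreted as resolving through PATH to an absolute location.

```shell
#!/bin/sh
# Added example: locate the GSKit/MQ toolkit binaries named in the prerequisites.

# Binaries listed on the page; runmqakm first because it is the recommended one.
KDB_TOOLKITS="runmqakm gsk8capicmd gsk8cmd gsk7capicmd gsk7cmd gskcmd gsk8capicmd_64"

# Print "<tool> <path>" for every toolkit that resolves through PATH to an
# absolute location, i.e. one that can be run from any directory.
find_kdb_toolkits() {
    for tool in $KDB_TOOLKITS; do
        resolved=$(command -v "$tool" 2>/dev/null) || continue
        case "$resolved" in
            /*) echo "$tool $resolved" ;;
        esac
    done
}

# Print the toolkit to use, or return 1 when none is installed.
preferred_kdb_toolkit() {
    first=$(find_kdb_toolkits | head -n 1)
    [ -n "$first" ] || return 1
    echo "${first%% *}"
}

# The KDB push server certificate label must be provided in lowercase.
label_is_lowercase() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" ]
}

# Stand-alone run: report what KDB discovery will find on this server.
if tool=$(preferred_kdb_toolkit); then
    echo "KDB discovery can use: $tool"
else
    echo "No GSKit/MQ toolkit on PATH; KDB certificates will not be detected" >&2
fi
```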

Supported Linux Features

  1. On-Demand or scheduled Certificate Discovery
  2. CSR Generation at the end device.
  3. Backup of the existing KDB files in the device and AppViewX.
  4. Pushing the KDB certificates to the MQ Server.
  5. Bind the KDB certificate to a QManager.
  6. Roll back to the existing KDB configuration.
  7. Trust certificate push.
  8. Restart QManager after certificate push. (configurable, not mandatory)
  9. Delta discovery to discover only the new or modified certificates.
  10. Nightly config sync job
  11. Authentication support using manual entry, SSH, SSM, and external vaults.
  12. Mapping the certificates to the specific group and applying the discovery filter.

Onboarding Steps

Prerequisites:
  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select IBM from the Vendors list.
  5. In the Server details section, enter the details as follows.
    Table 22. Server details - Field description table
    Fields Description
    *Server Type Select the MQServer (Linux) from the dropdown field.
    *Server name Enter the name of the designated MQServer.
    *IP address/FQDN Enter the IP address or the fully qualified domain name of the IBM Server that is to be onboarded.
    Data center Choose the desired data center. It holds all the SSL certificates that are to be retrieved from the server.
    Communication mode Select the SSH or SSM protocol to be used for communication between the AppViewX node and the IBM server.
    *SSH Port Enter the port number that is used for the SSH communication mode.
    Cert Sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the IBM server device.
    If Communication mode = SSH the fields are as follows:
    Table 23. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - Appviewx
    • Credential List - Thycotic
    • Credential List - HashiCorp
    • Credential List - BeyondTrust
    • Credential List - CyberArk
    • SSH
    Note:
    • If Credential list - XXX is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    • If SSH is selected, enter the *Username, *Upload key file, and enter the Passphrase for authentication.
    *Username Enter the designated username for authentication. (field displayed for manual entry and SSH)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 24. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - cloudAccount
    Note: If Credential list - cloudAccount is selected, the *Account name dropdown field is displayed. Select any of the preconfigured credential values.
    *Access key Enter the access key to log in to the EC2 instance of the AWS cloud machine.
    *Secret key Enter the secret key to log in to the EC2 instance of the AWS cloud machine.
    Region Enter the geographic region of the AWS instance.

    Example: us-east-2

    Instance id Enter the unique identifier for an EC2 instance in AWS.

    It is required to perform actions or execute commands on a specific EC2 instance.

    Example: i-02573cafcftext

    SSM document name Enter the name of the SSM document that contains the script or action to be executed on the EC2 instance.

    Example: AWS-RunShellScript is an SSM document that allows you to execute shell scripts on EC2 instances.

    SSM document version Specify the version of the SSM document to be executed.

    Example: 1

    S3 bucket name Enter the S3 bucket name used to store command output or logs executed in the EC2 instance.

    Example: avxdiscoverydocument-c2

    Proxy required Select the checkbox to enable the secure proxy service.
    *: Mandatory fields
  7. In the Certificate details section, enter the details as indicated below.
    Table 25. Certificate Details - Field Description Table
    Fields Description
    Certificate location Enter the directory/path where the certificates are stored.

    Example: /etc/pki/java/cacerts

  8. Click Add.
    The certificate details are listed in the table.
  9. (optional step) Click the delete icon, if you want to delete the certificate location from the list.
  10. Click Save.
    The device is onboarded successfully.

Commands for CLM Operations

Operation Command Description (Used for)
Session Establishment bash Update the prompt string.
bind 'set enable-bracketed-paste off' Disable the bracketed paste mode only for the session, if enabled at the system level.
whoami Know the current logged-in user.
export LANG=en_US.UTF-8 Set the session language to English
Pre-Config Fetch source ~/.bashrc;dspmqver Fetch version
Config Fetch dspmqver -p 64

GsKit ToolName: runmqakm

Validate the available GsKit command (the commands in this group are tried in order; each one is executed only if the prior command failed or the tool is not installed).
gsk8capicmd -version | grep FileVersion

GsKit ToolName: gsk8capicmd

gsk8cmd -version | grep FileVersion

GsKit ToolName: gsk8cmd

gsk7capicmd -version | grep FileVersion

GsKit ToolName: gsk7capicmd

gsk7cmd -version | grep FileVersion

GsKit ToolName: gsk7cmd

gskcmd -version | sed 's/version/Version/'

GsKit ToolName: gskCmd

gsk8capicmd_64 -version | grep FileVersion

GsKit ToolName: gsk8capicmd_64

dspmq Used to fetch the QNames.
Note: A QName is the programmatic identifier for a queue, while the more general term "queue name" can also refer to the external queue name. A queue name must be unique within its queue manager, and can be up to 48 characters long.
Discovery echo "DIS QMGR SSLKEYR" | runmqsc <QManagerName> Fetch the certificate path of a Qmanager.
find <certificateLocation> -name '*.kdb' 2> /dev/null | xargs cksum

Example: find /var/ssl -name '*.kdb' 2> /dev/null | xargs cksum

Find KDB files in the provided certificate location with their checksum.
<GsKit-ToolName> -cert -list -db <kdb-File-Location> -stashed

Example of <kdb-File-Location>: /var/mqm/qmgrs/SDET/ssl/kdblinux.kdb

List the certificate names in the KDB file.
mkdir -p '/tmp/MQServerAvxTempCertDiscovery_<randomInteger>' Creation of the temporary directory.
uname -a A Unix-like command; its response includes details about the kernel, hostname, hardware, and operating system.
chmod 700 '/tmp/MQServerAvxTempCertDiscovery_<randomInteger>' && setfacl -m u:<username>:rwx '/tmp/MQServerAvxTempCertDiscovery_<randomInteger>' Provide Read, Write, Execute access to the file owner and current system user.
chmod 777 '/tmp/MQServerAvxTempCertDiscovery_<randomInteger>' Provides full permissions (rwx) to the directory (in case of a fallback).
<GsKit-ToolName> -cert -export -db '<kdb-fileName>' -stashed -type cms -target_type pkcs12 -target '<temporary-directory-path>/<fileNameWithoutExtension><RandomTimeStamp>.p12' -target_pw <targetPassword>

Example: runmqakm -cert -export -db '/var/mqm/qmgrs/SDET/ssl/kdblinux.kdb' -stashed -type cms -target_type pkcs12 -target '/tmp/IBMClientAvxTempCertDiscovery_1759756161336/kdblinux1904608375.p12' -target_pw YXZyMw==

Exports the certificate content to p12 file.
output="["; for a in '/tmp/IBMClientAvxTempCertDiscovery_1759756161336/kdblinux1904608375.p12' '/tmp/IBMClientAvxTempCertDiscovery_1759756161336/kdb1linux1904608375.p12'; do value=$( base64 "$a" | tr -d "\n\r" 2>/dev/null); output="${output} {\"file\":\"$a\", \"value\": \"$value\" },"; done; output=${output%,}; output="${output} ]"; echo "$output" Exports the p12 content in base64 format.
rm -rf '<temporary-directory>'

Example: rm -rf '/tmp/MQServerAvxTempCertDiscovery_<randomInteger>'

Removes the temporary directory with p12 certificates.
KDB File Creation (CSR Generation & Push) test -e <kdb-CertFile-Location> && echo file exist || echo file not exist Checks for the availability of a KDB file with the same name before executing CSR Generation to decide whether to create a KDB File.
<GsKit-ToolName> -keydb -create -db <kdb-CertFile-Location> -pw <password> -type cms -stash Creates a KDB file (if it does not exist).
chmod 640 <kdb-CertFile-Location> Update file permission to 640 for the created KDB file.
CSR Generation <GsKit-ToolName> -certreq -create -db <kdb-CertFile-Location> -pw <password> -label <kdb-label> -dn '<CsrDetails>' -size <bit-length> -file <csrLocation> where, <CsrDetails>: -CN=<common-Name> +, -C=<country-Name> +, -ST=<stateName> +, -L=<localityName> +, -O=<Organization-Name> +, -OU=<Organization-Unit>
  • <common-Name> (Mandatory)
  • <country-Name> (Optional, may be required during renewal)
  • <stateName> (Optional)
  • <localityName> (Optional)
  • <Organization-Name> (Optional)
Generates a CSR.
test -e <csr-file-Location> && echo file exist || echo file not exist Checks if the CSR Generation is completed and stored in a file.
cat <csr-file-location> Fetches the CSR content for certificate generation.
Backup mkdir -p <backupFilePath> Creates a backup file path in the device.
zip -j <backupFilePath> <certificate-path> <certificate-path-without-extension>.crl <certificate-path-without-extension>.rdb <certificate-path-without-extension>.sth Stores a local backup of the KDB files.
<GsKit-ToolName> -cert -export -db <certificate-path> -stashed -type cms -target_type pkcs12 -target <export-cert-fileName> -target_pw YXZ4QDEyMw== Exports KDB files to p12 format.
rm -f <export-cert-path> Removes the exported cert file once the content is downloaded from the p12 file using SFTP connection.
Push mkdir -p <temporary-cert-upload-path> Creates a temporary directory.
chmod 700 <temporary-cert-upload-path> && setfacl -m u:<username>:rwx <temporary-cert-upload-path>

Example: chmod 700 /etc/MQServerAVXCertPush_1731310636752/ && setfacl -m u:appviewx:rwx /etc/MQServerAVXCertPush_1731310636752/

Updates rwx access to the current user.
SFTP upload of certificate content to the pem file (temporary-upload-path)
<GsKit-ToolName> -cert -receive -file <pem-file-uploaded-with-cert-content> -db <target-kdb-path> -stashed Adds certificates to the KDB file.
gsk7capicmd -cert -import -db <p12-file-uploaded-with-cert-content> -pw YXZ4QDEyMw== -label <label_Name> -type pkcs12 -target <target-kdb-path> -stashed -target_type cms Command for pushing the server certificate with the gsk7capicmd toolkit.
<GsKit-ToolName> -cert -import -file <p12-file-uploaded-with-cert-content> -pw YXZ4QDEyMw== -label <label_Name> -type p12 -pfx -target <target-kdb-path> -target_stashed
Note: -label <label_Name> is optional
Command for pushing the server certificate with any toolkit other than the gsk7capicmd toolkit.
<GsKit-ToolName> -cert -add -db <target-kdb-path> -stashed -label <label_Name> -file <pem-file-uploaded-with-cert-content> Command for pushing the Root/Intermediate certificate and label is not mandatory.
<GsKit-ToolName> -cert -delete -db <target-kdb-path> -stashed -label <label-Name> If the push command fails with the same label entry, we would delete the label and retry push. This command deletes the existing label.
rm -f <pem/p12-file-uploaded-with-cert-content> Removes the temporary file.
echo "REFRESH SECURITY TYPE (SSL)" | runmqsc <QManagerName> Refreshes the QManager if enabled for the trusted CA Push.
Bind echo "ALTER QMGR SSLKEYR('<kdbFileName>')" | runmqsc <QManagerName> Executed only for new kdb creation.
echo "REFRESH SECURITY TYPE (SSL)" | runmqsc <QManagerName> Executes an SSL security refresh for the specified QManager if SSL refresh is enabled.
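The discovery and push commands above create temporary directories (with a chmod 777 fallback), export keystores to .p12 files, and set new KDB files to 640. The following added example, not AppViewX code, audits a host for what those steps can leave behind. The directory name patterns and the 640 limit come from the commands above; the function names, the finding labels, and applying the same 640 limit to the .sth stash file are this example's assumptions.

```shell
#!/bin/sh
# Added example, not AppViewX code: look for artifacts of the discovery and push
# commands listed above. Prints one finding per line; prints nothing on a clean host.
# A temporary directory that exists while a discovery or push is running is expected.

# is_looser_than MODE LIMIT: true when octal MODE grants a permission bit LIMIT lacks.
is_looser_than() {
    [ $(( 0$1 & ~0$2 & 0777 )) -ne 0 ]
}

# audit_temp_dirs ROOT: report temporary directories (names as used on this page)
# that exist directly under ROOT, and any exported .p12 files inside them.
audit_temp_dirs() {
    find "$1" -maxdepth 1 -type d \( \
        -name 'MQServerAvxTempCertDiscovery_*' -o \
        -name 'IBMClientAvxTempCertDiscovery_*' -o \
        -name 'MQServerAVXCertPush_*' \) 2>/dev/null |
    while IFS= read -r at_dir; do
        at_mode=$(stat -c '%a' "$at_dir")
        # Only the "other" bits are tested: the setfacl entry the page adds is
        # reflected in the group bits as the ACL mask, so 770 is expected there.
        if [ $(( 0$at_mode & 007 )) -ne 0 ]; then
            echo "WORLD_ACCESSIBLE_TEMP_DIR mode=$at_mode $at_dir"
        else
            echo "LEFTOVER_TEMP_DIR mode=$at_mode $at_dir"
        fi
        find "$at_dir" -type f -name '*.p12' 2>/dev/null |
        while IFS= read -r at_p12; do
            echo "LEFTOVER_P12 $at_p12"
        done
    done
}

# audit_kdb_files ROOT: report .kdb files, and the .sth stash file next to each one,
# whose mode is looser than the 640 this page sets on a newly created KDB file.
# Assumption: the stash file deserves the same limit, since it holds the keystore
# password used by the -stashed option.
audit_kdb_files() {
    find "$1" -type f -name '*.kdb' 2>/dev/null |
    while IFS= read -r ak_kdb; do
        for ak_file in "$ak_kdb" "${ak_kdb%.kdb}.sth"; do
            [ -f "$ak_file" ] || continue
            ak_mode=$(stat -c '%a' "$ak_file")
            if is_looser_than "$ak_mode" 640; then
                echo "LOOSE_KEYSTORE_FILE mode=$ak_mode $ak_file"
            fi
        done
    done
}

# audit_mq_cert_artifacts TMP_ROOT CERT_ROOT: run both checks.
# Status 0 when nothing was found, 1 when there is at least one finding.
audit_mq_cert_artifacts() {
    am_findings=$( { audit_temp_dirs "$1"; audit_kdb_files "$2"; } )
    [ -z "$am_findings" ] && return 0
    printf '%s\n' "$am_findings"
    return 1
}

# Example invocation: sh audit.sh /tmp /var/mqm/qmgrs
if [ "$#" -eq 2 ]; then
    audit_mq_cert_artifacts "$1" "$2"
fi
```

Pass the parent of the temporary directories as the first argument and the configured certificate location as the second; the script relies on GNU stat and find.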

Onboarding MQServer (Windows)

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select IBM from the Vendors list.
  5. In the Server details section, enter the details as follows.
    Table 26. Server details - Field description table
    Fields Description
    *Server Type Select the MQServer (Windows) from the dropdown field.
    *Server name Enter the name of the designated MQServer.
    Communication mode Select the Gateway or SSM protocol to be used for communication between the AppViewX node and the IBM server. Gateway is the preferred communication mode.
    *Hostname Enter the hostname of the IBM Server that is to be onboarded.
    Data center Choose the desired data center. It holds all the SSL certificates that are to be retrieved from the server.
    Cert Sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the IBM server device.
    If Communication mode = Gateway the fields are as follows:
    Table 27. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - Appviewx
    Note: If Credential list - Appviewx is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    *Username Enter the designated username for authentication. (field displayed for manual entry and SSH)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 28. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - cloudAccount
    Note: If Credential list - cloudAccount is selected, the *Account name dropdown field is displayed. Select any of the preconfigured credential values.
    *Access key Enter the access key to log in to the EC2 instance of the AWS cloud machine.
    *Secret key Enter the secret key to log in to the EC2 instance of the AWS cloud machine.
    Region Enter the geographic region of the AWS instance.

    Example: us-east-2

    Instance id Enter the unique identifier for an EC2 instance in AWS.

    It is required to perform actions or execute commands on a specific EC2 instance.

    Example: i-02573cafcftext

    SSM document name Enter the name of the SSM document that contains the script or action to be executed on the EC2 instance.

    Example: AWS-RunShellScript is an SSM document that allows you to execute shell scripts on EC2 instances.

    SSM document version Specify the version of the SSM document to be executed.

    Example: 1

    S3 bucket name Enter the S3 bucket name used to store command output or logs executed in the EC2 instance.

    Example: avxdiscoverydocument-c2

    Proxy required Select the checkbox to enable the secure proxy service.
    *: Mandatory fields
  7. In the Windows gateway details section, enter the details as indicated below. (This section is displayed only when Communication mode = Gateway).
    Table 29. Windows Gateway Details - Field Description Table
    Fields Description
    *Gateway type Select to use the PowerShell or WMI commands as the gateway communication mode.
    *Gateway location The value Remote is selected by default.
    *Select gateway Select the New or Existing gateway to be used. The below fields are enabled/disabled according to the selection.
    *Windows gateway name Enter the new gateway name. (Enabled when New is selected as gateway).
    *Windows gateway URL Enter the URL for the new gateway. (Enabled when New is selected as gateway).
    Client authentication certificate Click Browse and upload the client authentication certificate for the new gateway. (Enabled when New is selected as gateway).
    *Windows gateway Select any of the existing configured gateways from the dropdown list. (Enabled when Existing is selected as gateway).
    *: Mandatory fields
  8. In the Certificate details section, enter the details as indicated below.
    Table 30. Certificate Details - Field Description Table
    Fields Description
    Certificate location Enter the directory/path where the certificates are stored.

    Example: /etc/pki/java/cacerts

  9. Click Add.
    The certificate details are listed in the table.
  10. (optional step) Click the delete icon, if you want to delete the certificate location from the list.
  11. Click Save.
    The device is onboarded successfully.

Onboarding IBMClient (Linux)

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select IBM from the Vendors list.
  5. In the Server details section, enter the details as follows.
    Table 31. Server details - Field description table
    Fields Description
    *Server Type Select the IBMClient (Linux) from the dropdown field.
    *Server name Enter the name of the designated IBMClient server.
    *IP address/FQDN Enter the IP address or the fully qualified domain name of the IBM Server that is to be onboarded.
    Data center Choose the desired data center. It holds all the SSL certificates that are to be retrieved from the server.
    *SSH Port Retain the value 22; it is the default port used for the SSH communication mode.
    Cert Sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the IBM server device.
    Table 32. Credentials - Field description table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - Appviewx
    • SSH
    Note:
    • If Credential list - Appviewx is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    • If SSH is selected, enter the *Username, *Upload key file, and enter the Passphrase for authentication.
    *Username Enter the designated username for authentication. (field displayed for manual entry and SSH)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
  7. In the Certificate details section, enter the details as indicated below.
    Table 33. Certificate Details - Field Description Table
    Fields Description
    Certificate location Enter the directory/path where the certificates are stored.

    Example: /etc/pki/java/cacerts

  8. Click Add.
    The certificate details are listed in the table.
  9. (optional step) Click the delete icon, if you want to delete the certificate location from the list.
  10. Click Save.
    The device is onboarded successfully.

Onboarding IBMClient (Windows)

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select IBM from the Vendors list.
  5. In the Server details section, enter the details as follows.
    Table 34. Server details - Field description table
    Fields Description
    *Server Type Select the IBMClient (Windows) from the dropdown field.
    *Server name Enter the name of the designated IBMClient server.
    *Hostname Enter the hostname of the IBM Server that is to be onboarded.
    Data center Choose the desired data center. It holds all the SSL certificates that are to be retrieved from the server.
    Cert Sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the IBM server device.
    Table 35. Credentials - Field description table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - Appviewx
    Note: If Credential list - Appviewx is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    *Username Enter the designated username for authentication. (field displayed for manual entry and SSH)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
  7. In the Windows gateway details section, enter the details as indicated below.
    Table 36. Windows Gateway Details - Field Description Table
    Fields Description
    *Gateway type Select to use the PowerShell or WMI commands as the gateway communication mode.
    *Gateway location The value Remote is selected by default.
    *Select gateway Select the New or Existing gateway to be used. The below fields are enabled/disabled according to the selection.
    *Windows gateway name Enter the new gateway name. (Enabled when New is selected as gateway).
    *Windows gateway URL Enter the URL for the new gateway. (Enabled when New is selected as gateway).
    Client authentication certificate Click Browse and upload the client authentication certificate for the new gateway. (Enabled when New is selected as gateway).
    *Windows gateway Select any of the existing configured gateways from the dropdown list. (Enabled when Existing is selected as gateway).
    *: Mandatory fields
  8. In the Certificate details section, enter the details as indicated below.
    Table 37. Certificate Details - Field Description Table
    Fields Description
    Certificate location Enter the directory/path where the certificates are stored.

    Example: /etc/pki/java/cacerts

  9. Click Add.
    The certificate details are listed in the table.
  10. (optional step) Click the delete icon, if you want to delete the certificate location from the list.
  11. Click Save.
    The device is onboarded successfully.

Onboarding MQClient (Windows)

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
    The Device details page is displayed.
  4. Select IBM from the Vendors list.
  5. In the Server details section, enter the details as follows.
    Table 38. Server details - Field description table
    Fields Description
    *Server Type Select the MQClient (Windows) from the dropdown field.
    *Server name Enter the name of the designated MQClient server.
    Communication mode Select the Gateway or SSM protocol to be used for communication between the AppViewX node and the IBM server. Gateway is the preferred communication mode.
    *Hostname Enter the hostname of the IBM Server that is to be onboarded.
    Data center Choose the desired data center. It holds all the SSL certificates that are to be retrieved from the server.
    Cert Sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as indicated below. The credentials entered in this section are used to authenticate the session between the AppViewX node and the IBM server device.
    If Communication mode = Gateway the fields are as follows:
    Table 39. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - Appviewx
    Note: If Credential list - Appviewx is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    *Username Enter the designated username for authentication. (field displayed for manual entry and SSH)
    *Password Enter the secure password. (field displayed for manual entry only)
    *: Mandatory fields
    If Communication mode = SSM the fields are as follows:
    Table 40. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - cloudAccount
    Note: If Credential list - cloudAccount is selected, the *Account name dropdown field is displayed. Select any of the preconfigured credential values.
    *Access key Enter the access key to log in to the EC2 instance of the AWS cloud machine.
    *Secret key Enter the secret key to log in to the EC2 instance of the AWS cloud machine.
    *Region Enter the geographic region of the AWS instance.

    Example: us-east-2

    *Instance id Enter the unique identifier for an EC2 instance in AWS.

    It is required to perform actions or execute commands on a specific EC2 instance.

    Example: i-02573cafcftext

    *SSM document name Enter the name of the SSM document that contains the script or action to be executed on the EC2 instance.

    Example: AWS-RunShellScript is an SSM document that allows you to execute shell scripts on EC2 instances.

    *SSM document version Specify the version of the SSM document to be executed.

    Example: 1

    *S3 bucket name Enter the S3 bucket name used to store command output or logs executed in the EC2 instance.

    Example: avxdiscoverydocument-c2

    Proxy required Select the checkbox to enable the secure proxy service.
    *: Mandatory fields
  7. In the Windows gateway details section, enter the details as indicated below. (This section is displayed only when Communication mode = Gateway).
    Table 41. Windows Gateway Details - Field Description Table
    Fields Description
    *Gateway type Select to use the PowerShell or WMI commands as the gateway communication mode.
    *Gateway location The value Remote is selected by default.
    *Select gateway Select the New or Existing gateway to be used. The below fields are enabled/disabled according to the selection.
    *Windows gateway name Enter the new gateway name. (Enabled when New is selected as gateway).
    *Windows gateway URL Enter the URL for the new gateway. (Enabled when New is selected as gateway).
    Client authentication certificate Click Browse and upload the client authentication certificate for the new gateway. (Enabled when New is selected as gateway).
    *Windows gateway Select any of the existing configured gateways from the dropdown list. (Enabled when Existing is selected as gateway).
    *: Mandatory fields
  8. In the Certificate details section, enter the details as indicated below.
    Table 42. Certificate Details - Field Description Table
    Fields Description
    Certificate location Enter the directory/path where the certificates are stored.

    Example: /etc/pki/java/cacerts

  9. Click Add.
    The certificate details are listed in the table.
  10. (optional step) Click the delete icon, if you want to delete the certificate location from the list.
  11. Click Save.
    The device is onboarded successfully.

Validating the Device

After the device is onboarded successfully, follow the steps to validate the device communication with AppViewX:
  1. Go to ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
    The Server Inventory page is displayed.
  3. Check that the device name appears in the inventory (Name column) with the specified CertSync status (Status Column).
    If the connection is successful, the Status column shows Managed, Monitored, or Ignored, based on the CertSync status; in case of failure, it shows Failed or Unresolved.
  4. In the Status column, click Managed/Monitored.
    The Device Status Log pop-up is displayed.
  5. Expand each value in the pop-up to view the Device communication, Device Version, Instance Information, and Certificate Discovery From Device.