The stskeyutil install command creates a new STS client key file from an STS server key file.
stskeyutil install -url sts-url 
  [ -keystorepath path ]
  [ -file filename ]
  [ -overwrite ]
  [ -keydist ]
  [ -node node-name ]  
  [ -dlcpath oeinstalldir ] 
  [ -sslprotocol sslprotocol ] 
  [ -sslciphers sslciphers ]
  [ -certstorepath certstorepath ] 
  [ -servername servername ]
  [ -nohostverify ]
  [ -onlyifmodified ]
  [ -v ]
  [ -silent ]

-url sts-url
Specifies the STS server's URL in the format: https://hostname[:port]/[web-app].
-keystorepath path
Specifies the directory that contains the STS server key file. The default is $DLC/keys.
-file filename
Specifies the STS server key filename (for example, oests-key.ecp) from the -keystorepath directory. This option is required when manually managing STS client keys. This option is not required when
-overwrite
Overwrites an existing key file. By default, an existing key file is not overwritten.
-node node-name
Specifies the cluster node named node-name.
-dlcpath oeinstalldir
Path to OpenEdge installation directory. The default is $DLC.
-sslprotocol sslprotocol
Specifies the SSL protocol name. The default is TLSv1.3.
-sslciphers sslciphers
Specifies the SSL cipher.
-certstorepath certstorepath
Path to certificate store. The default is $DLC/certs.
-servername servername
Hostname that supports Server Name Indication (SNI).
-keydist
In OpenEdge 12.3 and above, the -keydist option accesses the STS server key from the OpenEdge Authentication Gateway server specified in -url. The server must have the Key Distribution application installed to enable this functionality. For more information, see About STS client key management.
-nohostverify
Does not verify the hostname in the server's certificate. Do not use this option in production.
-onlyifmodified
Generates a new STS client key only if the STS server key is newer.
-v
Generates verbose output.
-silent
The utility does not prompt for passwords, access codes, or file paths.

About stskeyutil install

The stskeyutil install command creates and installs an STS client key that corresponds to a specific OpenEdge STS server key. The resulting STS client key is encrypted and stored inside the OpenEdge installation's (default) %DLC%/keys directory.

Note: Each OpenEdge STS server used by an OpenEdge installation's products requires that a separate STS client key be created and installed using the STS server key. Having a separate STS client key requires the administrator to create the key by running stskeyutil install on the host where the STS client key file will be written and from within the OpenEdge installation the STS client key is generated for.

Each installed STS client key file is bound to a single OpenEdge installation, on a single server, and to the OpenEdge STS (URL) used for access. The URL must match the setup on the database configuration. This binding is reflected by the hashed file name of the STS client key file.

When the OpenEdge STS server is running in a clustered environment, it may not always be possible to generate each node's STS client key by logging directly into each node and executing the stskeyutil install command. To enable generating an STS client key for each cluster node, follow this process:
  • Ensure that each cluster node uses the same absolute path to the OpenEdge installation.
    Warning: If this is not true, stop now!
  • Obtain each cluster node's node name (found using the UNIX uname -n command).
  • Log in to the active cluster node as the OpenEdge administrator, and execute stskeyutil install for the current cluster node.
  • Execute stskeyutil install for each additional cluster node, adding -node node-name to the command line.
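
The cluster procedure above as a script, added here as an example and not part of the OpenEdge documentation or tooling: it prints (and, with STS_RUN=1, runs) stskeyutil install for the current node and then for each additional node with -node. The function names, the STS_RUN variable, and the sample URL and node names are assumptions; only -url and -node come from the option list above.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes stskeyutil is on PATH and that the
# administrator supplies the node names (each node's `uname -n` output).
# Dry run by default: commands are only printed unless STS_RUN=1.

sts_exec() {
    echo "stskeyutil $*"
    if [ "${STS_RUN:-0}" = 1 ]; then stskeyutil "$@"; fi
}

# usage: sts_cluster_install <sts-url> <current-node> <node>...
sts_cluster_install() {
    [ "$#" -ge 2 ] || { echo "error: need a URL and the current node" >&2; return 2; }
    url=$1; current=$2; shift 2
    # The page gives the URL format as https://hostname[:port]/[web-app].
    case $url in
        *' '*) echo "error: space in URL" >&2; return 2 ;;
        https://?*) ;;
        *) echo "error: URL must start with https://" >&2; return 2 ;;
    esac
    # Validate every name before installing anything, so a typo cannot
    # leave the cluster with keys generated for only some nodes.
    for node in "$current" "$@"; do
        case $node in
            ''|*[!A-Za-z0-9._-]*) echo "error: invalid node name: $node" >&2; return 2 ;;
        esac
    done
    seen=" "
    for node in "$current" "$@"; do
        case $seen in *" $node "*) continue ;; esac    # skip duplicates
        seen="$seen$node "
        if [ "$node" = "$current" ]; then
            # Current (active) node: plain install, no -node.
            sts_exec install -url "$url" || return 1
        else
            # Additional nodes: same command plus -node node-name.
            sts_exec install -url "$url" -node "$node" || return 1
        fi
    done
}

# Constructed sample values; on a real cluster the second argument is
# "$(uname -n)" of the active node.
sts_cluster_install "https://sts.example.test:8443/" nodea nodea nodeb nodec
```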