If you are using SSL for communication between Configuration Manager and WebSphere® Application Server, you might receive an SSL signer error when you test the connection to the application server or when you run the Deploy Application task. To resolve the issue, make sure that you have an entry for the SSL signer in the truststore that Configuration Manager uses.

Procedure
- Identify the serial number for the SSL certificate on the web application server.
  - From the server where Configuration Manager is installed, browse to the WebSphere administrative console address.
  - In the Security Alert dialog box, click View Certificate.
  - Click the Details tab.
  - Record the value for Serial number for the certificate.
  - Click OK to dismiss the Certificate dialog box.
  - Click Yes in the Security Alert dialog box to proceed.
- Identify the truststore location and filename.
  - Log in to the WebSphere administrative console.
  - Select .
  - Select SSL configurations.
  - Click the default SSL setting, NodeDefaultSSLSettings.
  - Under the Related items link, click Key stores and certificates.
  - Record the filename, such as trust.p12, in the Path column of the resource to be updated:

    Table 1. Resources to be updated

    | Application server type | Name of resource to be updated |
    | --- | --- |
    | IBM® WebSphere Application Server | NodeDefaultTrustStore |
    | Clusters built on IBM WebSphere Application Server Network Deployment | CellDefaultSSLSettings |

- Start IBM Key Management by entering one of the following commands from the command line:

    | Option | Description |
    | --- | --- |
    | AIX®, HPUX, HPUXi, Linux, Linux on System z®, Solaris | WAS-Home/AppServer/bin/ikeyman.sh |
    | Windows | WAS-Home\AppServer\bin\ikeyman.bat |

- Select .
- For the Key database type, select PKCS12.
- Click Browse to locate the filename you recorded in step 2. For example, the File Name field contains the filename, such as trust.p12. The Location field contains the absolute path to the truststore, such as C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\etc\ for Windows.
- Click OK.
- Enter the password and click OK. The default password is WebAS.
- Locate the signer certificate with the serial number that matches the serial number that you recorded in step 1.
  - Double-click a certificate name other than default_signer to view the serial number for the certificate.
  - Click OK to close the dialog box.
  - Repeat until you have located the correct signer certificate.
- Extract the certificate.
  - Select the signer certificate with the correct serial number, and click Extract.
  - Provide a name and location, and then click OK.
- Add the certificate that you extracted to the trust file for Content Platform Engine.
  - Open the DummyClientTrustFile.jks key database file located in the WebSphere profile for Content Platform Engine, such as C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\etc\ for Windows.
  - Add the certificate that you extracted in step 6.
- Close IBM Key Management.
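
The serial-number match, extract, and add steps above can also be done with the JDK `keytool` command instead of the IBM Key Management GUI. The following is an added example, not part of the original procedure or IBM's own tooling. It assumes OpenJDK-style `keytool -list -v` output labels; the function names, the `signer.pem` file name, and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names, signer.pem and the sample listing are
# constructed for illustration; labels follow OpenJDK-style `keytool -list -v`.

# Reduce a serial as shown in a certificate dialog ("00 4A:3B ...") or by
# keytool ("4a3b...") to lowercase hex with no separators or leading zeros.
normalize_serial() {
  printf '%s' "$1" | tr -d ' :\r\n' | tr 'A-F' 'a-f' | sed 's/^0*\(.\)/\1/'
}

# Read `keytool -list -v` text on stdin; print each alias whose serial matches $1.
find_alias_by_serial() {
  awk -v want="$(normalize_serial "$1")" '
    /^Alias name: /    { alias = substr($0, 13) }
    /^Serial number: / { s = tolower($3); sub(/^0+/, "", s)
                         if (s == "") s = "0"
                         if (s == want) print alias }'
}

# Constructed sample of a two-signer truststore listing (not real output).
sample_listing() {
cat <<'EOF'
Alias name: default_signer
Entry type: trustedCertEntry
Owner: CN=node01.example.test, OU=constructed
Serial number: 1f2e3d4c
Alias name: was_admin_signer
Entry type: trustedCertEntry
Owner: CN=dmgr.example.test, OU=constructed
Serial number: 4a3b2c1d
EOF
}

# Extract the matching signer from the PKCS12 truststore and add it to the JKS
# trust file. keytool shows the certificate and asks before trusting it.
# usage: copy_signer TRUST_P12 P12_PASS SERIAL TARGET_JKS JKS_PASS
copy_signer() {
  signer_alias=$(keytool -list -v -keystore "$1" -storetype PKCS12 \
                   -storepass "$2" | find_alias_by_serial "$3" | head -n 1)
  [ -n "$signer_alias" ] || { echo "no signer with serial $3" >&2; return 1; }
  keytool -exportcert -rfc -alias "$signer_alias" -keystore "$1" \
          -storetype PKCS12 -storepass "$2" -file signer.pem &&
  keytool -importcert -alias "$signer_alias" -file signer.pem \
          -keystore "$4" -storetype JKS -storepass "$5"
}
```

Passwords passed with `-storepass` are visible in the process list and shell history while the command runs, so run this from an administrative session on the server itself.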