Retrieving signers using the retrieveSigners utility at the client

The client requires the signer certificates from the server to be able to communicate with WebSphere® Application Server. Use the retrieveSigners command to get the signer certificate from a server.

Before you begin

The retrieveSigners utility is located in one of the following directories, depending on your operating system:

In this release, a Java client that has no access to a stdin console prompt should use the retrieveSigners utility to download the signers from the remote server key store when signers are needed for a Secure Sockets Layer (SSL) handshake. An applet client or Java Web Start client application, for example, cannot reach the stdin signer exchange prompt, so the client appears to hang rather than respond. In that case, add the WebSphere Java method call com.ibm.wsspi.ssl.RetrieveSignersHelper.callRetrieveSigners to your client application so that it retrieves the signers itself and you do not have to run the retrieveSigners utility manually.

Use the retrieveSigners utility when you cannot verify whether the com.ibm.ssl.enableSignerExchangePrompt property is enabled or disabled at the time the application makes a request. If the client has no console on which the prompt can be shown, set com.ibm.ssl.enableSignerExchangePrompt=false in the ssl.client.props file so that the client does not block on a prompt that nobody can answer.

Alternatively, you can manually import the server's signer certificate into the client truststore.

About this task

Complete the following steps, as required:

Procedure

  1. Use the retrieveSigners command to get the signer certificate from a server. You can find details about the retrieveSigners parameters in Secure installation for client signer retrieval in SSL.
  2. If the client and server are on the same machine, you need only the remoteKeyStoreName and localKeyStoreName parameters. The key store most commonly referenced on the remote side is CellDefaultTrustStore in a network deployment environment and NodeDefaultTrustStore on a stand-alone application server.
  3. When retrieving signers from a remote server, add the required connection parameters: -host host, -port port, and -conntype {RMI | SOAP}.
  4. Use the -autoAcceptBootstrapSigner parameter to automate signer retrieval. It accepts the signer that the server presents on the bootstrap connection and adds it to the client truststore without asking, so the command can run unattended. Because nothing checks that signer before it is accepted, compare the digest the command reports against a fingerprint obtained from the server administrator before relying on the truststore, or run the retrieval interactively over a connection you trust.

Results

After the command runs, it displays the SHA-1 digest of each signer it added. The output looks similar to the following:

/QIBM/UserData/WebSphere/AppServer/V8/Base/profiles/AppSrv01/bin/retrieveSigners CellDefaultTrustStore ClientDefaultTrustStore

CWPKI0308I: Adding signer alias "default_signer" to local keystore
           "ClientDefaultTrustStore" with the following SHA digest:

Example

The following examples show how to call the retrieveSigners script (retrieveSigners.bat on Windows).

To retrieve signers on the same system, enter:

  profile_root/bin/retrieveSigners CellDefaultTrustStore ClientDefaultTrustStore

To retrieve signers from a remote system over a SOAP connection, enter:

  profile_root/bin/retrieveSigners CellDefaultTrustStore ClientDefaultTrustStore
    -host myRemoteHost -port 8879 -conntype SOAP -autoAcceptBootstrapSigner

To retrieve signers from a remote system that has administrative security enabled, add the credentials:

  profile_root/bin/retrieveSigners CellDefaultTrustStore ClientDefaultTrustStore
    -host myRemoteHost -port 8879 -conntype SOAP -user testuser -password testuserpwd
    -autoAcceptBootstrapSigner

A password given with -password is visible to other users of the client host through process listings and shell history, so run the command from an account and script file that other users cannot read, and clear the history afterwards.
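The unattended form above accepts whatever signer the server presents. The following POSIX shell script, added here as an example and not part of the IBM page or product, wraps the documented retrieveSigners invocation so that automation still gets a check: it parses the SHA-1 digest from the CWPKI0308I message, compares it with a fingerprint obtained out of band from the server administrator, and removes the signer again on a mismatch. The PROFILE_ROOT variable, the client trust store path profile_root/etc/trust.p12, its default password, the sample output text and the digest value in it are assumptions made for the example; the command-line parameters are the ones the page documents.

```shell
#!/bin/sh
# Added example: retrieve signers unattended, then verify the reported digest.
# Assumptions (not from the IBM page): PROFILE_ROOT is the client profile,
# the client trust store is $PROFILE_ROOT/etc/trust.p12 with the default
# password, and the digest is printed as 20 colon-separated hex bytes.

# Pull every 20-byte colon-separated hex digest out of retrieveSigners output,
# wherever it falls relative to the "SHA digest:" text (the tool wraps lines).
extract_signer_digests() {
    printf '%s\n' "$1" | tr -d '\r' \
      | grep -o '[0-9A-Fa-f]\{2\}\(:[0-9A-Fa-f]\{2\}\)\{19\}' \
      | tr '[:lower:]' '[:upper:]'
}

# Pull the alias named in the CWPKI0308I message (empty if none was added).
extract_signer_alias() {
    printf '%s\n' "$1" | grep -o 'CWPKI0308I: Adding signer alias "[^"]*"' \
      | sed 's/.*alias "\([^"]*\)"/\1/' | head -n 1
}

# Succeed only when exactly one signer was added and its digest equals the
# expected fingerprint (case-insensitive).
verify_signer_digest() {
    expected=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    digests=$(extract_signer_digests "$2")
    [ -n "$digests" ] || return 1
    [ "$(printf '%s\n' "$digests" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    [ "$digests" = "$expected" ]
}

# Run the documented command against a deployment manager and validate the
# result. Extra arguments (for example -user and -password on a secured cell)
# are passed through; remember they show up in process listings.
retrieve_and_verify() {
    host=$1; port=$2; expected=$3; shift 3
    out=$("$PROFILE_ROOT/bin/retrieveSigners" CellDefaultTrustStore ClientDefaultTrustStore \
            -host "$host" -port "$port" -conntype SOAP -autoAcceptBootstrapSigner "$@" 2>&1) || true
    printf '%s\n' "$out"
    if verify_signer_digest "$expected" "$out"; then
        echo "signer digest matches the expected fingerprint"
        return 0
    fi
    sig_alias=$(extract_signer_alias "$out")
    echo "signer digest MISMATCH: removing alias '${sig_alias:-default_signer}' from the client trust store" >&2
    # Assumed trust store path and default password; adjust to your profile.
    keytool -delete -alias "${sig_alias:-default_signer}" \
        -keystore "$PROFILE_ROOT/etc/trust.p12" -storetype PKCS12 -storepass WebAS
    return 1
}

# Constructed sample of retrieveSigners output for offline checking; the
# page's own listing stops before the digest, and this digest value is made up.
SAMPLE_OUTPUT='CWPKI0308I: Adding signer alias "default_signer" to local keystore
           "ClientDefaultTrustStore" with the following SHA digest:
           0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D'

# Usage against a real cell (needs network access and PROFILE_ROOT set):
#   retrieve_and_verify myRemoteHost 8879 0A:1B:2C:...:3D -user testuser -password testuserpwd
```

The digest is matched by shape rather than by the text that precedes it because the CWPKI0308I message is wrapped across lines; the one-digest check guards against an unexpected second signer being slipped in during the same run.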




Last updated: Sep 19, 2011 5:16:49 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-base-iseries&topic=tsec_sslretrievesignclient
File name: tsec_sslretrievesignclient.html