You can add a signer certificate to a server's trust.p12 file, allowing that server to securely communicate with another server. This is done by running the retrieveSigners command to add a signer to the server's trust.p12 file after making changes to the ssl.client.props file.
Before you begin
The server that will be communicating as a client must be identified before server-to-server trust can be established. You will make changes to the ssl.client.props file and run the retrieveSigners command on the server communicating as a client. If both servers will act as a client, these steps are required on both servers.
About this task
The ssl.client.props file is set up by default to configure Secure Sockets Layer (SSL) communication for clients. As a result, the default behavior of the retrieveSigners command is to work on the client's trust.p12 file and key.p12 file in the profile_root/etc directory.

You can add a signer certificate to a server's trust.p12 file, allowing that server to act as a client communicating with another server. Using the retrieveSigners command to add a signer to a server's trust.p12 file requires some changes to the ssl.client.props file.
Procedure
- Open the ssl.client.props file. The ssl.client.props file is located in the profile_root/properties directory.
- Uncomment the section of ssl.client.props that starts with the com.ibm.ssl.alias=AnotherSSLSettings property.
- Uncomment the section of ssl.client.props that starts with the com.ibm.ssl.trustStoreName=AnotherTrustStore property.
- Enter the location of the trust store to which the signer should be added. If you are using the server trust store for a deployment manager, it is located in profile_root/config/cells/cell name/trust.p12. If you are using the trust store for an application server, it is located in profile_root/config/cells/cell name/nodes/node name/trust.p12.
- Update the remaining properties in this section with the values associated with the trust store being used. A description of the properties can be found in the ssl.client.props client configuration file.
- Optional: Uncomment and update the section that starts with the com.ibm.ssl.keyStoreName=AnotherKeyStore property. Most scenarios only require a signer to be added to the trust store. This example only adds a signer to the trust store, but you can also add a signer to the key store by updating the properties as you did for the trust store in steps 3 through 5.
- Save the changes made to ssl.client.props.
- Run the retrieveSigners command. For more information, see the page about the retrieveSigners command.

retrieveSigners NodeDefaultTrustStore AnotherTrustStore -host ademyers.austin.ibm.com -port 8879

Example output:

CWPKI0308I: Adding signer alias "default_1" to local keystore "AnotherTrustStore" with the following SHA digest: F4:71:97:79:3E:C1:DC:E7:9F:8F:3D:F0:A0:15:1E:D1:44:73:2C:06
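The following is an added example, not part of the original page or of the product's own tooling, that shows the two checks a practitioner would want around this step: that the uncommented AnotherSSLSettings section actually points retrieveSigners at a trust.p12 file (with the key store section still commented out), and that the SHA digest in the CWPKI0308I message can be extracted so it can be compared with the fingerprint obtained out of band from the other server's administrator before the signer is trusted. The property file and message text below are constructed samples modelled on this page.

```python
import re
# Constructed sample: the AnotherSSLSettings section of ssl.client.props as
# edited in the procedure above (key store lines left commented out).
SAMPLE_PROPS = """\
com.ibm.ssl.alias=AnotherSSLSettings
com.ibm.ssl.protocol=SSL_TLS
#com.ibm.ssl.keyStoreName=AnotherKeyStore
com.ibm.ssl.trustStoreName=AnotherTrustStore
com.ibm.ssl.trustStore=${user.root}/config/cells/localhostCell01/trust.p12
com.ibm.ssl.trustStoreType=PKCS12
"""
# Constructed copy of the CWPKI0308I line that retrieveSigners prints.
SAMPLE_OUTPUT = ('CWPKI0308I: Adding signer alias "default_1" to local keystore '
                 '"AnotherTrustStore" with the following SHA digest: '
                 'F4:71:97:79:3E:C1:DC:E7:9F:8F:3D:F0:A0:15:1E:D1:44:73:2C:06')

def active_properties(text, alias):
    """Return the uncommented properties of the com.ibm.ssl.alias=<alias> block."""
    props, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank lines, comments and rulers carry no settings
        key, value = line.split("=", 1)
        if key == "com.ibm.ssl.alias":
            inside = (value == alias)  # a new alias line starts a new block
        elif inside:
            props[key] = value
    return props

def check_trust_section(text, alias="AnotherSSLSettings"):
    """Return (ok, problems): will retrieveSigners write into a trust.p12 file?"""
    active, problems = active_properties(text, alias), []
    if not active:
        return False, ["no active section with com.ibm.ssl.alias=" + alias]
    if active.get("com.ibm.ssl.trustStoreName") != "AnotherTrustStore":
        problems.append("trustStoreName is not AnotherTrustStore")
    if not active.get("com.ibm.ssl.trustStore", "").endswith("trust.p12"):
        problems.append("trustStore does not point at a trust.p12 file")
    if "com.ibm.ssl.keyStoreName" in active:
        problems.append("key store section is active; most scenarios need only the trust store")
    return not problems, problems

DIGEST_RE = re.compile(r'CWPKI0308I: Adding signer alias "([^"]+)".*?SHA digest:\s*'
                       r'((?:[0-9A-F]{2}:){19}[0-9A-F]{2})')

def signer_digest(output):
    """Extract (alias, SHA-1 digest) from the CWPKI0308I message, or None."""
    m = DIGEST_RE.search(output)
    return (m.group(1), m.group(2)) if m else None
```

Run check_trust_section on the real file before invoking retrieveSigners, and compare the tuple returned by signer_digest against the fingerprint the other server's administrator gave you; a mismatch means the wrong certificate was retrieved and should be removed from the trust store.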
Results
After the steps have been successfully completed, the server acting as a client has the signing certificate of the other server. This allows that server to establish an SSL connection to the other server.
Example
The example shows the modified section of the ssl.client.props file, assuming that the server's trust.p12 file is being used. Any existing trust store can be used if the properties are provided for that trust store.
#-------------------------------------------------------------------------
com.ibm.ssl.alias=AnotherSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=IbmX509
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.contextProvider=IBMJSSE2
com.ibm.ssl.enableSignerExchangePrompt=true
#com.ibm.ssl.keyStoreClientAlias=default
#com.ibm.ssl.customTrustManagers=
#com.ibm.ssl.customKeyManager=
#com.ibm.ssl.dynamicSelectionInfo=
#com.ibm.ssl.enabledCipherSuites=
# KeyStore information
#com.ibm.ssl.keyStoreName=AnotherKeyStore
#com.ibm.ssl.keyStore=${user.root}/etc/key.p12
#com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
#com.ibm.ssl.keyStoreType=PKCS12
#com.ibm.ssl.keyStoreProvider=IBMJCE
#com.ibm.ssl.keyStoreFileBased=true
# TrustStore information
com.ibm.ssl.trustStoreName=AnotherTrustStore
com.ibm.ssl.trustStore=${user.root}/config/cells/localhostCell01/trust.p12
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=true
What to do next
After the signer has been added, edit the ssl.client.props file to comment out the sections that were used to add the signer certificate.