The client requires the signer certificates from the server to be able to communicate with WebSphere® Application Server. Use the retrieveSigners command to get the signer certificate from a server.
Before you begin
The retrieveSigners utility is located in one of the following directories, depending on your operating system:
In this release, a Java client that does not have access to a stdin console prompt should use the retrieveSigners utility to download the signers from the remote server key store when signers are needed for a Secure Sockets Layer (SSL) handshake. For example, you might interpret the client as failing to respond if an applet client or Java Web Start Client application cannot access the stdin signer exchange prompt. Thus, you must add the WebSphere Java method call com.ibm.wsspi.ssl.RetrieveSignersHelper.callRetrieveSigners to your client application to retrieve the signers and to avoid running the retrieveSigners utility manually.

Use the retrieveSigners utility for situations where you cannot verify whether or not the com.ibm.ssl.enableSignerExchangePrompt= property is enabled or disabled when the application makes a request. Set the com.ibm.ssl.enableSignerExchangePrompt= property to false in the ssl.client.props file if you cannot see the console. Alternatively, you can manually create the server key in the client truststore.
About this task
Complete the following steps, as required:
Procedure
- Use the retrieveSigners command to get the signer certificate from a server. You can find details about the retrieveSigners parameters in Secure installation for client signer retrieval in SSL.
- If the client and server are on the same machine, you will need only the remoteKeyStoreName and localKeyStoreName parameters. The most typical key store to reference on a remote system is CellDefaultTrustStore on a network deployed environment and NodeDefaultTrustStore on an application server.
- When retrieving signers from a remote server, add these required connection-related parameters: -host host, -port port, -conntype {RMI | SOAP}.
- Use the -autoAcceptBootstrapSigner parameter if you want to enable automation of the signer retrieval. This parameter automatically adds to the server all the signers that are needed to make the connection.
Results
After running, the command displays the SHA-1 digest of the signers added. The output looks similar to the following output:
[AIX Solaris HP-UX Linux Windows]
C:\WebSphere\AppServer\profiles\AppSrv01\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore
CWPKI0308I: Adding signer alias "default_signer" to local keystore "ClientDefaultTrustStore" with the following SHA digest:

/QIBM/UserData/WebSphere/AppServer/V85/ND/profiles/AppSrv01/bin/retrieveSigners CellDefaultTrustStore ClientDefaultTrustStore
CWPKI0308I: Adding signer alias "default_signer" to local keystore "ClientDefaultTrustStore" with the following SHA digest:
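As an added example that is not part of the IBM documentation or the product, the following Python script parses the CWPKI0308I lines that retrieveSigners prints and compares each reported digest with a fingerprint you obtained out of band from the server administrator, which is the check worth doing whenever -autoAcceptBootstrapSigner accepts signers without a prompt. The colon-separated SHA-1 format, the sample output and the fingerprint values are constructed assumptions for this example.

```python
"""Verify the signers reported by retrieveSigners against known fingerprints."""
import hashlib
import re
from typing import Dict, List

# Matches the CWPKI0308I message from the Results section. The digest format
# (20 colon-separated hex bytes, i.e. SHA-1) is an assumption of this example.
CWPKI0308I = re.compile(
    r'CWPKI0308I: Adding signer alias "(?P<alias>[^"]+)" to local keystore '
    r'"(?P<keystore>[^"]+)" with the following SHA digest: '
    r'(?P<digest>(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})'
)

# Constructed sample output; the digest is made up and wraps as in the docs.
SAMPLE_OUTPUT = """\
CWPKI0308I: Adding signer alias "default_signer" to local keystore
"ClientDefaultTrustStore" with the following SHA digest:
3A:7F:11:C4:90:0D:5E:AA:B2:63:E7:19:4C:08:D1:F5:6B:2E:77:C9
"""


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA-1 over a certificate's DER encoding, formatted as colon-separated hex."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_added_signers(output: str) -> List[Dict[str, str]]:
    """Collect alias, keystore and digest from every CWPKI0308I message.

    Newlines are collapsed first so a message wrapped across lines still matches.
    """
    flat = " ".join(output.split())
    return [m.groupdict() for m in CWPKI0308I.finditer(flat)]


def check_signers(output: str, expected: Dict[str, str]) -> Dict[str, str]:
    """Map each added alias to OK, MISMATCH or UNEXPECTED.

    `expected` maps alias -> fingerprint confirmed out of band; any signer the
    utility added that is not in it is reported as UNEXPECTED.
    """
    verdicts = {}
    for signer in parse_added_signers(output):
        want = expected.get(signer["alias"])
        if want is None:
            verdicts[signer["alias"]] = "UNEXPECTED"
        elif want.upper() == signer["digest"].upper():
            verdicts[signer["alias"]] = "OK"
        else:
            verdicts[signer["alias"]] = "MISMATCH"
    return verdicts
```

Feed the real utility output to check_signers and treat any MISMATCH or UNEXPECTED verdict as a reason to remove the alias from the client truststore before the client connects.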
Example
The following examples illustrate how to call the retrieveSigners.bat file.
[AIX Solaris HP-UX Linux Windows] [z/OS]
To retrieve signers on the same system, enter:
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore

[IBM i]
To retrieve signers on the same system, enter:
profile_root/bin/retrieveSigners CellDefaultTrustStore ClientDefaultTrustStore

[AIX Solaris HP-UX Linux Windows] [z/OS]
To retrieve signers on a remote system with a SOAP connection, enter:
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 8879 -conntype SOAP -autoAcceptBootstrapSigner

[IBM i]
To retrieve signers on a remote system with a SOAP connection, enter:
profile_root/bin/retrieveSigners CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 8879 -conntype SOAP -autoAcceptBootstrapSigner

[AIX Solaris HP-UX Linux Windows] [z/OS]
To retrieve signers on a remote system with an RMI connection, enter:
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 2809 -conntype RMI -autoAcceptBootstrapSigner

[IBM i]
To retrieve signers on a remote system that has security enabled, enter:
profile_root/bin/retrieveSigners CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 8879 -conntype SOAP -user testuser -password testuserpwd -autoAcceptBootstrapSigner

[AIX Solaris HP-UX Linux Windows] [z/OS]
To retrieve signers on a remote system that has security enabled, enter:
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 8879 -conntype SOAP -user testuser -password testuserpwd -autoAcceptBootstrapSigner