When specifying administrative settings to a secured WebSphere® Application Server,
you can choose to prevent the workbench from automatically accepting
certificates by clearing the Automatically trust server certificate
during SSL handshake check box in the security section of the
server editor. However, if you clear this check box, you need to perform
manual steps to establish the initial trust between the workbench
and the secured WebSphere Application
Server. If trust is not established, the Servers view
in the workbench displays the server status as stopped
and no connection can be made to the server. In this task you will
extract the certificate from the WebSphere Application Server into a file and add this
certificate to the truststore of the development workbench of this
product.
About this task
Each profile in the WebSphere Application
Server environment contains a unique self-signed certificate that
was created when the profile was created.
When a profile is federated to a deployment manager, the signer for
that self-signed certificate is added to the common truststore for
the cell. By default, clients (such as the development workbench)
do not trust servers from different profiles in the WebSphere Application Server environment.
That is, they do not contain the signer for these servers.
If
you choose to clear the Automatically trust server certificate
during SSL handshake check box to prevent the workbench from automatically
accepting certificates, complete the following steps to manually establish
the initial trust between the workbench and the administrative secured WebSphere Application Server:
Procedure
- Start the IBM Key Management (ikeyman) utility.
  - In a command prompt, go to the x:\bin directory, where x is the installation directory of WebSphere Application Server.
  - Type ikeyman
  - The IBM® Key Management utility opens.
- In the IBM Key Management utility, select .
  - The value selected under the Key database type list depends on your connection type between the server and the workbench:
    - For a remote method invocation (RMI) connection, select PKCS12
    - For a SOAP connection, select JKS
  - The file path specified under the Location field depends on the connection type between the server and the workbench:
    - For a remote method invocation (RMI) connection, specify the x:\profiles\<profileName>\etc\trust.p12 file.
    - For a SOAP connection, specify x:\profiles\<profileName>\etc\DummyClientTrustFile.jks
    Where x is the installation directory for WebSphere Application Server.
  - Click OK.
- When prompted for a password, type WebAS. Click OK.
- Under the Signer Certificates list, select the default_signer certificate and click the Extract button to export the file to your local file system. The extract certificate to a file wizard opens.
  - In the Certificate file name field, specify a file name for your extracted certificate. For example, cert.arm.
  - In the Location field, specify a temporary file location to store your extracted certificate. Click OK.
- Exit the IBM Key Management utility.
- Take the file where you extracted the certificate in the previous steps to the machine where the development workbench of this product is installed. Start the IBM Key Management utility:
  - In a command prompt, go to the y:\eclipse\jre\bin directory, where y is the installation directory of the workbench.
  - Type ikeyman
  - The IBM Key Management utility opens.
- In the IBM Key Management utility, select .
  - The value selected under the Key database type list depends on your connection type between the server and the workbench:
    - For a remote method invocation (RMI) connection, select PKCS12
    - For a SOAP connection, select JKS
  - The file path specified under the Location field depends on the connection type between the server and the workbench:
    - For a remote method invocation (RMI) connection, the truststore file is located at y:\runtimes\base_v<z>_stub\etc\trust.p12
    - For a SOAP connection, the truststore file is located at y:\runtimes\base_v<z>_stub\etc\DummyClientTrustFile.jks
    Where y is the installation directory for the workbench for this product and <z> is the version level of the server.
  - Click OK.
- When prompted for a password, type WebAS. Click OK.
- Under the Signer Certificates list, click the Add button to add the certificate extracted from the server to the truststore of the development workbench. The add CA's certificate from a file wizard opens.
  - In the Certificate file name field, specify the file name of the extracted certificate from the WebSphere Application Server. For example, cert.arm.
  - In the Location field, specify the file location where you stored your extracted certificate from the WebSphere Application Server. Click OK.
- In the Enter a Label wizard, specify any name.
- Exit the IBM Key Management utility.
- Restart the workbench of this product.
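The copied cert.arm becomes a trusted signer once it is added, so it helps to confirm that the file on the workbench machine is the same certificate that was extracted on the server. The following is an added example, not part of the product documentation: it computes the SHA-256 fingerprint of an armored certificate file so the value can be compared on both machines. It assumes cert.arm was extracted as Base64-encoded ASCII data; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Assumption: cert.arm is Base64-encoded ASCII with BEGIN/END CERTIFICATE markers.
_ARMOR = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_from_arm(arm_text: str) -> bytes:
    """Return the DER bytes of the single certificate in an armored file."""
    blocks = _ARMOR.findall(arm_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly 1 certificate, found {len(blocks)}")
    # validate=True rejects stray non-base64 characters instead of skipping them.
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def fingerprint(arm_text: str) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex."""
    digest = hashlib.sha256(der_from_arm(arm_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(arm_text: str, expected: str) -> bool:
    """Compare the file's fingerprint with one recorded on the server."""
    strip = re.compile(r"[^0-9A-F]")  # ignore colons, spaces and case
    got = strip.sub("", fingerprint(arm_text))
    want = strip.sub("", expected.upper())
    return hmac.compare_digest(got, want)


def make_sample(der: bytes) -> str:
    """Build a constructed armored file for the demonstration below."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed stand-in bytes, not a real certificate.
SERVER_ARM = make_sample(b"constructed default_signer DER bytes")
TAMPERED_ARM = make_sample(b"constructed substitute signer DER bytes")

if __name__ == "__main__":
    recorded = fingerprint(SERVER_ARM)  # value noted on the server machine
    print("server fingerprint:", recorded)
    print("intact copy matches:", matches(SERVER_ARM, recorded))
    print("swapped copy matches:", matches(TAMPERED_ARM, recorded))
```

To check a real file, pass the contents of cert.arm to fingerprint() on the server machine and to matches() on the workbench machine before clicking Add.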