Retrieving signers using the retrieveSigners utility at the client
The client requires the signer certificates from the server to be able to communicate with WebSphere® Application Server. Use the retrieveSigners command to get the signer certificate from a server.
Before you begin
profile_root\bin . For example: C:\WebSphere\AppServer\profiles\AppSrv01\bin
../profile_root/bin
profile_root/bin
Use the retrieveSigners utility for situations where you cannot verify whether or not the com.ibm.ssl.enableSignerExchangePrompt= property is enabled or disabled when the application makes a request. Set the com.ibm.ssl.enableSignerExchangePrompt= property to false in the ssl.client.props file if you cannot see the console.
Alternatively, you can manually create the server key in the client truststore.
About this task
Procedure
- Use the retrieveSigners command to get the signer certificate from a server. You can find details about the retrieveSigners parameters in Instalação segura para recuperação de assinante do cliente em SSL.
- If the client and server are on the same machine, you will need only the remoteKeyStoreName and localKeyStoreName parameters. The most typical key store to reference on a remote system is CellDefaultTrustStore on a network deployed environment and NodeDefaultTrustStore on an application server.
- When retrieving signers from a remote server, add these required connection-related parameters: –host host, –port port, –conntype {RMI | SOAP}.
- Use the –autoAcceptBootstrapSigner parameter if you want to enable automation of the signer retrieval. This parameter automatically adds to the server all the signers that are needed to make the connection.
Results
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
![[z/OS]](../images/ngzos.gif)
C:\WebSphere\AppServer\profiles\AppSrv01\bin\retrieveSigners.bat
CellDefaultTrustStore ClientDefaultTrustStore
CWPKI0308I: Adding signer alias "default_signer" to local keystore
"ClientDefaultTrustStore" with the following SHA digest:
![[IBM i]](../images/iseries.gif)
/QIBM/UserData/WebSphere/AppServer/V85/ND/profiles/AppSrv01/bin/retrieveSigners
CellDefaultTrustStore ClientDefaultTrustStore
CWPKI0308I: Adding signer alias "default_signer" to local keystore
"ClientDefaultTrustStore" with the following SHA digest:
Example
The following examples illustrate how to call the retrieveSigners.bat file.
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
![[z/OS]](../images/ngzos.gif)
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore
![[IBM i]](../images/iseries.gif)
profile_root/bin/retrieveSigners CellDefaultTrustStore ClientDefaultTrustStore
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
![[z/OS]](../images/ngzos.gif)
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore
-host myRemoteHost -port 8879 -conntype SOAP -autoAcceptBootstrapSigner
![[IBM i]](../images/iseries.gif)
profile_root/bin/retrieveSigners CellDefaultTrustStore ClientDefaultTrustStore
-host myRemoteHost -port 8879 -conntype SOAP -autoAcceptBootstrapSigner
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
![[z/OS]](../images/ngzos.gif)
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore
-host myRemoteHost -port 2809 -conntype RMI -autoAcceptBootstrapSigner
![[IBM i]](../images/iseries.gif)
profile_root/bin/retrieveSigners CellDefaultTrustStore ClientDefaultTrustStore
-host myRemoteHost -port 8879 -conntype SOAP -user testuser -password testuserpwd
-autoAcceptBootstrapSigner
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
![[z/OS]](../images/ngzos.gif)
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore
-host myRemoteHost -port 8879 -conntype SOAP -user testuser -password testuserpwd
-autoAcceptBootstrapSigner