Manually exchanging signer certificates to establish a trust between the workbench and the server

When specifying administrative settings for a secured WebSphere® Application Server (WAS) v6.1 or later, you can prevent the workbench from automatically accepting certificates by clearing the Automatically trust server certificate during SSL handshake check box in the security section of the server editor. If you clear this check box, you must perform manual steps to establish the initial trust between the workbench and the secured WAS v6.1 or later. If trust is not established, the Servers view in the workbench displays the server as stopped and no connection can be made to the server. In this task you extract the certificate from WAS into a file and add this certificate to the truststore of the development workbench of this product.

Starting with the WAS v6.1 release, each profile in the WAS environment contains a unique self-signed certificate that was created when the profile was created. This certificate replaces the default dummy certificate that ships with WAS in releases prior to v6.1. When a profile is federated to a deployment manager, the signer for that self-signed certificate is added to the common truststore for the cell. By default, clients (such as the development workbench) do not trust servers from different profiles in the WAS environment. That is, they do not contain the signer for these servers.

If you choose to clear the Automatically trust server certificate during SSL handshake check box to prevent the workbench from automatically accepting certificates, complete the following steps to manually establish the initial trust between the workbench and the administrative secured WAS v6.1 or later:

  1. Start the IBM Key Management (ikeyman) utility.

    1. In a command prompt, go to x:\bin directory, where x is the installation directory of WAS.

    2. Type ikeyman

    3. The IBM® Key Management utility opens.

  2. In the IBM Key Management utility, select Key Database File | Open.

  3. The value selected under the Key database type list depends on your connection type between the server and the workbench:

    • For a remote method invocation (RMI) connection, select PKCS12

    • For a SOAP connection, select JKS

  4. The file path specified under the Location field depends on the connection type between the server and the workbench:

    • For a remote method invocation (RMI) connection, specify x:\profiles\<profileName>\etc\trust.p12 file, where x is the installation directory for WAS.

    • For a SOAP connection, specify x:\profiles\<profileName>\etc\DummyClientTrustFile.jks, where x is the installation directory for WAS.

  5. Click OK.

  6. When prompted for a password, type WebAS. Click OK.

  7. Under the Signer Certificates list, select the default_signer certificate and click the Extract button to export the file to your local file system. The extract certificate to a file wizard opens.

  8. In the Certificate file name field, specify a file name for your extracted certificate. For example, cert.arm.

  9. In the Location field, specify a temporary file location to store your extracted certificate. Click OK.

  10. Exit the IBM Key Management utility.

  11. Take the file where you extracted the certificate in the previous steps to the machine where the development workbench of this product is installed. Start the IBM Key Management utility:

    1. In a command prompt, go to y:\eclipse\jre\bin directory, where y is the installation directory of the workbench.

    2. Type ikeyman

    3. The IBM Key Management utility opens.

  12. In the IBM Key Management utility, select Key Database File | Open.

  13. The value selected under the Key database type list depends on your connection type between the server and the workbench:

    • For a remote method invocation (RMI) connection, select PKCS12

    • For a SOAP connection, select JKS

  14. The file path specified under the Location field depends on the connection type between the server and the workbench:

    • For a remote method invocation (RMI) connection, the truststore file is located at y:\runtimes\base_v61_stub\etc\trust.p12, where y is the installation directory for the workbench for this product.

    • For a SOAP connection, the truststore file is located at y:\runtimes\base_v61_stub\etc\DummyClientTrustFile.jks, where y is the installation directory for the workbench for this product.

  15. Click OK.

  16. When prompted for a password, type WebAS. Click OK.

  17. Under the Signer Certificates list, click the Add button to add the certificate extracted from the server to the truststore of the development workbench. The add CA's certificate from a file wizard opens.

  18. In the Certificate file name field, specify the file name of the extracted certificate from the WAS. For example, cert.arm.

  19. In the Location field, specify the file location where you stored your extracted certificate from the WAS. Click OK.

  20. In the Enter a Label wizard, specify any name.

  21. Exit the IBM Key Management utility.

  22. Restart the workbench of this product.
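
An added check for step 11, not part of the original procedure: before the transferred file is added as a trusted signer in step 17, compare its fingerprint with the copy that stayed on the server, so a file altered in transit is not trusted. It assumes cert.arm is either Base64 ASCII (PEM) or binary DER; the function names and the sample bytes are illustrative.

```python
import base64
import hashlib
import hmac
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: DER-shaped placeholder bytes, not a real certificate.
SAMPLE_DER = b"\x30\x1e" + bytes(range(30))
SAMPLE_ARM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def load_der(data: bytes) -> bytes:
    """Return DER bytes from an extracted certificate (Base64 ASCII or DER)."""
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError("more than one certificate; expected a single signer")
    if blocks:
        # Strip line breaks (LF or CRLF) before strict Base64 decoding.
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER encoding."""
    digest = hashlib.new(algo, load_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(server_copy: bytes, workbench_copy: bytes) -> bool:
    """True only if both files carry byte-identical DER certificates."""
    return hmac.compare_digest(load_der(server_copy), load_der(workbench_copy))


if __name__ == "__main__":
    # Usage: python cert_fp.py <server copy> <workbench copy>
    server, workbench = (open(p, "rb").read() for p in sys.argv[1:3])
    print("server   :", fingerprint(server))
    print("workbench:", fingerprint(workbench))
    sys.exit(0 if same_certificate(server, workbench) else 1)
```

The same fingerprint can also be read aloud or sent over a separate channel and compared by eye when the two copies are never on one machine.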