Operating Systems: AIX, HP-UX, Linux, Solaris, Windows, z/OS
Adding the signer certificate from the secondary deployment manager to the local trust store
To enable SSL in your high availability deployment manager environment, the local trust store must contain the signer certificate from the secondary deployment manager. If the trust store does not contain the signer certificate, add the certificate to the trust store to prevent errors and enable secure communication among the core group members.
About this task
To elect the secondary deployment manager to take over as the primary deployment manager when SSL is enabled in your environment, the signer certificate of the secondary deployment manager must exist in the local trust store. Specifically, the com.ibm.ssl.trustStore value must be set to the cell-level default trust store in the deployment_manager_profile/properties/ssl.client.props file. If the certificate cannot be located in the local trust store, the SSL handshake fails and you might receive the following error message:
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=xdblade36b07.rtp.raleigh.ibm.com, O=IBM, C=US" was sent from target host:port "*:9043". The extended error message from the SSL handshake exception is: "No trusted certificate found".
Add the signer certificate from the secondary deployment manager to the local trust store to enable secure communication in your high availability deployment manager environment.
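An added example (not part of the IBM documentation): a short Python triage script that extracts the untrusted signer's SubjectDN and target host:port from CWPKI0022E messages and reads the com.ibm.ssl.trustStore value from ssl.client.props text, so you can confirm which certificate is missing and which trust store is in use before you retrieve it. The function names, the log-line prefix and the properties values are constructed for illustration, and the parser assumes simple key=value lines.

```python
import re

# CWPKI0022E message layout as quoted in "About this task".
CWPKI0022E = re.compile(
    r'CWPKI0022E: SSL HANDSHAKE FAILURE:\s+A signer with SubjectDN "(?P<dn>[^"]+)"'
    r'\s+was sent from target host:port "(?P<target>[^"]+)"'
)

def missing_signers(log_lines):
    """Map each untrusted signer SubjectDN to the sorted host:port targets that sent it."""
    found = {}
    for line in log_lines:
        m = CWPKI0022E.search(line)
        if m:
            found.setdefault(m.group("dn"), set()).add(m.group("target"))
    return {dn: sorted(targets) for dn, targets in found.items()}

def trust_store_setting(props_text):
    """Return the effective com.ibm.ssl.trustStore value (last one wins), or None."""
    value = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # skip blanks and properties-file comments
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "com.ibm.ssl.trustStore":
            value = val.strip()
    return value

# Constructed sample input: the message text is the one on this page; the
# "[constructed]" prefixes and the properties values are made up for the example.
SAMPLE_LOG = [
    '[constructed] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN '
    '"CN=xdblade36b07.rtp.raleigh.ibm.com, O=IBM, C=US" was sent from target '
    'host:port "*:9043". The extended error message from the SSL handshake '
    'exception is: "No trusted certificate found".',
    '[constructed] unrelated informational line',
] * 2  # repeated failures collapse to one entry per signer
SAMPLE_PROPS = """\
# constructed ssl.client.props fragment
#com.ibm.ssl.trustStore=/constructed/old/trust.p12
com.ibm.ssl.trustStore=/constructed/cell/trust.p12
"""

if __name__ == "__main__":
    for dn, targets in missing_signers(SAMPLE_LOG).items():
        print("signer not trusted:", dn, "from", ", ".join(targets))
    print("client trust store:", trust_store_setting(SAMPLE_PROPS))
```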
Procedure
- In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port.
- Define the following general properties to retrieve the signer certificate from the remote SSL port, and click Retrieve signer information:
  - Host: Specifies the host name that you connect to when you retrieve the signer certificate from the SSL port.
  - Port: Specifies the SSL port that you connect to when you retrieve the signer certificate.
  - SSL configuration for outbound connection: Specifies the configuration that is used to connect to the SSL port. This configuration is the SSL configuration that contains the signer certificate after you add the certificate to the trust store.
  - Alias: Specifies the certificate alias that is used in the SSL configuration.
Results
The configuration can connect to and accurately check the status of the secondary deployment manager.
Related tasks
Configure a high availability deployment manager environment
Configure WebSphere Virtual Enterprise for cross-cell communication
Configure communication between core groups that are in the same cell
Related information
Errors configuring Secure Sockets Layer encrypted access