retrieveSigners command
The retrieveSigners command creates a new client self-signed certificate, keystore, and SSL configuration in the ssl.client.props file. Using this command you can optionally extract the signer to a file.
For more information about where to run this command, see the Using command tools article.
Syntax
The command syntax is as follows:retrieveSigners <remoteKeyStoreName> <localKeyStoreName> [options]where the <remoteKeyStoreName> and <localKeyStoreName> parameters are required. The optional parameters include...[-remoteAlias aliasFromRemoteStore] [-localAlias storeAsAlias] [-listRemoteKeyStoreNames][-listLocalKeyStoreNames] [-autoAcceptBootstrapSigner][-uploadSigners] [-host host] [-port port][-conntype RMI|SOAP][-user user] [-password password] [-trace] [-logfile filename] [-replacelog] [-quiet] [-help]
Parameters
The following parameters are available for the retrieveSigners command:
- -remoteKeyStoreName
- The name of a truststore that is located in the server configuration from which to retrieve the signers. This will typically be the CellDefaultTrustStore file for an managed environment or the NodeDefaultTrustStore file for an unmanaged environment.
- -localKeyStoreName
- The name of the truststore that is located in the ssl.client.props file for the profile to which the retrieved signers is added. This will typically be the ClientDefaultTrustStore file for either a managed or unmanaged environment.
- -remoteAlias <aliasFromRemoteStore>
- Specifies one alias from the remote truststore to retrieve. Otherwise, all signers from the remote truststore will be retrieved.
- -localAlias <storeAsAlias>
- Determines the name of the alias stored in the local truststore. This option is only valid if you specify the –remoteAlias option. If you do not specify the -localAlias option, the alias name from the remote truststore will be used, if possible. If an alias clash occurs, the alias name will be used and it will have an incremented number appended to the end of it until it finds a unique alias.
- -listRemoteKeyStoreNames
- Sends a remote request to the server to list all keystores that you can specify for the remoteKeyStoreName parameter. Use this command when you are unsure of the name of the remote truststore to download the signers from.
- -listLocalKeyStoreNames
- Lists the keystores located in the ssl.client.props file that you can specify for the localKeyStoreName parameter. This truststore will receive the signers from the server. Use this parameter when you are unsure of the name of the local truststore to retrieve the signers into. The default name of the truststore is ClientDefaultTrustStore and is located in the ssl.client.props file.
- -autoAcceptBootstrapSigner
- Automatically adds a signer in order to make a secure connection to the server. The purpose of the option is to allow automation of the command so that you do not need to accept the signer. After the signer is added to the local truststore, a SHA hash will print so that you can verify the certificate.
- -uploadSigners
- Converts the signer download into a signer upload. The signers from the localKeyStoreName parameter will be sent to the remoteKeyStoreName parameter instead.
- -host <host>
- Timearget host from which the signers will be retrieved.
- -port <port>
- Timearget administrative port to which to connect. You must specify the port based on the -conntype parameter. If the conntype is SOAP, the default port is 8879. This can vary for different servers. If the conntype is RMI, the default port is 2809. This can vary for different servers.
- -conntype <RMI|Soap>
- Determines the administrative connector type that is used for the MBean call to retrieve the signers.
- -user <user>
- When the -uploadSigners flag is used, you are required to specify this option to supply the user name that will be authenticated for the MBean operation. If you do not specify this parameter when the -uploadSigners flag is used, you will be prompted for credentials by default.
- -password <password>
- When the -uploadSigners flag is used, you are required to specify this option to supply the password that will be authenticated for the MBean operation. The password goes along with the –user parameter.
- -trace
- When specified, this enables tracing of the trace specification necessary to debug this component. By default, the trace will appear in the profiles/profile/log/retrieveSigners.log. file.
- -logfile <filename>
- Overrides the default trace file. By default, the trace will appear in the profiles/profile/log/retrieveSigners.log. file.
- -replacelog
- Causes the existing trace file to be replaced when the command is executed.
- -quite
- Suppresses most messages from printing out on the console.
- -help
- Prints a usage statement.
- -?
- Prints a usage statement.
Usage scenario
The following examples demonstrate correct syntax:
- The following example lists remote and local keystores:
retrieveSigners.bat -listRemoteKeyStoreNames -listLocalKeyStoreNames -conntype RMI -port 2809 [Windows] retrieveSigners.sh -listRemoteKeyStoreNames -listLocalKeyStoreNames -conntype RMI -port 2809 [Unix]Example outputCWPKI0306I: The following remote keystores exist on the specified server: CMSKeyStore, NodeLTPAKeys, NodeDefaultTrustStore, NodeDefaultKeyStore CWPKI0307I: The following local keystores exist on the client: ClientDefaultKeyStore, ClientDefaultTrustStore
- The following example retrieves all signers from NodeDefaultTrustStore:
retrieveSigners.bat NodeDefault TrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype RMI -port 2809 [Windows] retrieveSigners.sh NodeDefault TrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype RMI -port 2809 [Unix]Example outputCWPKI0308I: Adding signer alias "CN=BIRKT40.austin.ibm.com, O=IBM, C=US" to local keystore "ClientDefaultTrustStore" with the following SHA digest: 40:20:CF:BE:B4:B2:9C:F0:96:4D:EE:E5:14:92:9E:37:8D:51:A5:47
Related tasks
Use command line tools
Use the retrieveSigners command to enable server to server trust
Reference topic