Retrieving signers using the retrieveSigners utility at the client



Overview

Clients require signer certificates from the server to communicate with WAS.

To get the signer certificate from a server, run...

In WAS v7, a Java client that has no access to a stdin console prompt should use the retrieveSigners utility to download the signers from the remote server key store whenever signers are needed for an SSL handshake. For example, an applet client or a Java Web Start client application that cannot reach the stdin signer exchange prompt appears to hang, because it is waiting on a prompt nobody can answer.

To retrieve the signers and to avoid running the retrieveSigners utility manually, add the WebSphere Java method call

com.ibm.wsspi.ssl.RetrieveSignersHelper.callRetrieveSigners

...to your client application.

Use the retrieveSigners utility in situations where you cannot verify whether the property...

com.ibm.ssl.enableSignerExchangePrompt=

...is enabled or disabled when the application makes a request.

If you cannot see the console, set the property...

com.ibm.ssl.enableSignerExchangePrompt=

...to false in ssl.client.props.


Manually create the server key in the client truststore

  1. Use the retrieveSigners command to get the signer certificate from a server.

    If the client and server are on the same machine, you will need only the parameters...

    • remoteKeyStoreName
    • localKeyStoreName

    The key store most commonly referenced on a remote system is CellDefaultTrustStore in a Network Deployment environment and NodeDefaultTrustStore on a stand-alone application server.

  2. When retrieving signers from a remote server, add these required connection-related parameters:

    -host host
    -port port
    -conntype {RMI | SOAP}

  3. To enable automation of the signer retrieval, use the parameter...

    -autoAcceptBootstrapSigner

    This parameter automatically adds all the signers that are needed to make the connection to the server, without prompting.


Results

After the command runs, it displays the SHA-1 digest of each signer it added. Compare that digest with the fingerprint of the server certificate obtained out of band before relying on the new trust entry. The output looks similar to the following:

PROFILE_HOME\AppSrv01\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore

CWPKI0308I: Adding signer alias "default_signer" to local keystore "ClientDefaultTrustStore" with the following SHA digest:


Example

Retrieve signers on the same system...

$WP_PROFILE\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore

Retrieve signers on a remote system with a SOAP connection...

$WP_PROFILE\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 8879 -conntype SOAP -autoAcceptBootstrapSigner

Retrieve signers on a remote system with an RMI connection...

$WP_PROFILE\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 2809 -conntype RMI -autoAcceptBootstrapSigner

Retrieve signers on a remote system that has security enabled...

$WP_PROFILE\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 8879 -conntype SOAP -user testuser -password testuserpwd -autoAcceptBootstrapSigner
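The steps above (disable the stdin prompt, run retrieveSigners with -autoAcceptBootstrapSigner, then read the CWPKI0308I digest) can be tied together so that an unattended client neither hangs on the prompt nor silently trusts whatever certificate the network returned. The script below is an added example, not IBM's code: it checks ssl.client.props for com.ibm.ssl.enableSignerExchangePrompt=false, runs retrieveSigners.sh over SOAP, and verifies every SHA-1 digest in the output against an allow-list of fingerprints obtained out of band. The profile layout (<profile>/bin/retrieveSigners.sh, <profile>/properties/ssl.client.props), the allow-list format (one colon-separated fingerprint per line) and the sample output and digests are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not IBM's code: wrap retrieveSigners so that an unattended client
# (a) never blocks on the stdin signer-exchange prompt and (b) checks the SHA-1
# digest printed in CWPKI0308I against fingerprints obtained out of band, rather
# than trusting whatever certificate the network happened to return.
# Assumptions: profile layout <profile>/bin/retrieveSigners.sh and
# <profile>/properties/ssl.client.props; digests are 20 colon-separated hex bytes.

# Return 0 if ssl.client.props sets com.ibm.ssl.enableSignerExchangePrompt=false.
prompt_disabled() {
  grep -Eq '^[[:space:]]*com\.ibm\.ssl\.enableSignerExchangePrompt[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$1"
}

# Print every SHA-1 fingerprint found in a retrieveSigners output file, upper-cased,
# one per line. Works whether the digest follows the CWPKI0308I text on the same
# line or on the next one.
signer_digests() {
  grep -oE '([0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}' "$1" | tr 'abcdef' 'ABCDEF'
}

# Return 0 only if the output reports at least one signer and every reported
# digest appears (one per line, case-insensitive) in the allow-list file.
verify_digests() {
  out_file=$1; allow_file=$2; seen=0
  for d in $(signer_digests "$out_file"); do
    seen=1
    grep -qix "$d" "$allow_file" || { echo "unexpected signer digest: $d" >&2; return 1; }
  done
  [ "$seen" -eq 1 ]
}

# Unattended retrieval against a remote deployment manager over SOAP.
# Refuses to start if the interactive prompt is still enabled, and fails the
# run (so the caller can remove the alias with keytool -delete) when a digest
# is not on the allow-list.
retrieve_and_verify() {
  profile=$1; host=$2; port=$3; allow_file=$4
  prompt_disabled "$profile/properties/ssl.client.props" || {
    echo "set com.ibm.ssl.enableSignerExchangePrompt=false in ssl.client.props first" >&2
    return 2
  }
  out=$(mktemp)
  "$profile/bin/retrieveSigners.sh" CellDefaultTrustStore ClientDefaultTrustStore \
    -host "$host" -port "$port" -conntype SOAP -autoAcceptBootstrapSigner >"$out" 2>&1
  rc=$?
  cat "$out"
  if [ "$rc" -eq 0 ] && verify_digests "$out" "$allow_file"; then rc=0; else rc=1; fi
  rm -f "$out"
  return "$rc"
}

# ---- constructed sample data so the functions can be exercised offline ----
SAMPLE_DIR=$(mktemp -d)
SAMPLE_OUT="$SAMPLE_DIR/retrieveSigners.out"
ALLOW_OK="$SAMPLE_DIR/allow.ok"
ALLOW_BAD="$SAMPLE_DIR/allow.bad"
PROPS_OK="$SAMPLE_DIR/ssl.client.props"

# Constructed output in the CWPKI0308I shape; the digest itself is made up.
cat >"$SAMPLE_OUT" <<'EOF'
CWPKI0308I: Adding signer alias "default_signer" to local keystore "ClientDefaultTrustStore" with the following SHA digest: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:12:34:56:78
EOF
printf '%s\n' '11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:12:34:56:78' >"$ALLOW_OK"
printf '%s\n' 'DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF' >"$ALLOW_BAD"
printf '%s\n' 'com.ibm.ssl.enableSignerExchangePrompt=false' >"$PROPS_OK"

if verify_digests "$SAMPLE_OUT" "$ALLOW_OK"; then
  echo "sample: signer digest matches the out-of-band fingerprint"
fi
```

Run it as `retrieve_and_verify /opt/IBM/WebSphere/AppServer/profiles/AppSrv01 myRemoteHost 8879 /etc/was/signer-fingerprints` (placeholder paths). Because -autoAcceptBootstrapSigner has already written the signer into ClientDefaultTrustStore by the time the digest is printed, a verification failure is a signal to remove that alias from the client truststore (keytool -delete) and investigate, not merely to log and continue.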

