Retrieving signers using the retrieveSigners utility at the client

Retrieving signers using the retrieveSigners utility at the client

Overview

Clients require signer certificates from the server to communicate with WAS.
To get the signer certificate from a server, run....
PROFILE_ROOT/bin/retrieveSigners

In WAS v7, a Java client that does not have access to a stdin console prompt should use the retrieveSigners utility to download the signers from the remote server key store when signers are needed for an SSL handshake. For example, we might interpret the client as failing to respond if an applet client or Java Web Start Client application cannot access the stdin signer exchange prompt.
To retrieve the signers and to avoid running the retrieveSigners utility manually, add the WebSphere Java method call
com.ibm.wsspi.ssl.RetrieveSignersHelper.callRetrieveSigners

...to your client application.
Use the retrieveSigners utility for situations where we cannot verify whether or not the property...
com.ibm.ssl.enableSignerExchangePrompt=

...is enabled or disabled when the application makes a request.
If you cannot see the console, set the property...
com.ibm.ssl.enableSignerExchangePrompt=

...to false in ssl.client.props.

Manually create the server key in the client truststore

Use the retrieveSigners command to get the signer certificate from a server.
If the client and server are on the same machine, you will need only the parameters...

remoteKeyStoreName
localKeyStoreName

The most typical key store to reference on a remote system is CellDefaultTrustStore on a network deployed environment and NodeDefaultTrustStore on an application server.
When retrieving signers from a remote server, add these required connection-related parameters:
–host host
–port port
–conntype {RMI | SOAP}

To enable automation of the signer retrieval, use the parameter...
–autoAcceptBootstrapSigner

This parameter automatically adds to the server all the signers that are needed to make the connection.

Results
After running, the command displays the SHI-1 digest of the signers added. The output looks similar to the following output:
PROFILE_HOME\AppSrv01\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore
CWPKI0308I: Adding signer alias "default_signer" to local keystore "ClientDefaultTrustStore" with the following SHA digest:

Example

Retrieve signers on the same system...
$WP_PROFILE\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore

Retrieve signers on a remote system with a SOAP connection...
$WP_PROFILE\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 8879 -conntype SOAP -autoAcceptBootstrapSigner

Retrieve signers on a remote system with an RMI connection...
$WP_PROFILE\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 2809 -conntype RMI -autoAcceptBootstrapSigner

Retrieve signers on a remote system that has security enabled...
$WP_PROFILE\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 8879 -conntype SOAP -user testuser -password testuserpwd -autoAcceptBootstrapSigner

Secure installation for client signer retrieval
retrieveSigners