Add the signer certificate from the secondary deployment manager to the local trust store
To enable SSL in the high availability deployment manager environment, the local trust store must contain the signer certificate from the secondary deployment manager. If the trust store does not contain the signer certificate, add the certificate to the trust store to prevent errors and enable secure communication among the core group members.
To elect the secondary deployment manager to take over as the primary deployment manager when SSL is enabled in the environment, the signer certificate of the secondary deployment manager must exist in the local trust store. Specifically, the com.ibm.ssl.trustStore value must be set to the cell-level default trust store in the deployment_manager_profile/properties/ssl.client.props file. If the certificate cannot be located in the local trust store, the SSL handshake fails and you might receive the following error message:
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=xdblade36b07.rtp.raleigh.ibm.com, O=IBM, C=US" was sent from target host:port "*:9043". The extended error message from the SSL handshake exception is: "No trusted certificate found".
Add the signer certificate from the secondary deployment manager to the local trust store to enable secure communication in the high availability deployment manager environment.
- In the console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port.
- Define the following general properties to retrieve the signer certificate from the remote SSL port, and click Retrieve signer information:
  - Host: Host name that you connect to when you retrieve the signer certificate from the SSL port.
  - Port: SSL port that you connect to when you retrieve the signer certificate.
  - SSL configuration for outbound connection: Configuration used to connect to the SSL port. This configuration is the SSL configuration that contains the signer certificate after you add the certificate to the trust store.
  - Alias: Certificate alias used in the SSL configuration.
Results
The configuration can connect to and accurately check the status of the secondary deployment manager.
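The console procedure above can also be scripted with the wsadmin AdminTask commands listSignerCertificates, retrieveSignerInfoFromPort and retrieveSignerFromPort. The following is an added example, not code from the original page or from the product documentation. The function name, the cell, host and alias placeholders, the bracketed output format it parses, and the comparison against a fingerprint obtained out of band are assumptions.

```python
# wsadmin Jython sketch (wsadmin -lang jython). Written so it also parses as
# plain Python, which lets the logic be exercised with a stub AdminTask.
import re

TRUST_STORE = "CellDefaultTrustStore"   # trust store named in the console path

def _field(record, name):
    # Assumption: wsadmin prints each certificate as "[ [name value] ... ]".
    m = re.search(r"\[" + name + r" ([^\]]*)\]", record)
    if m:
        return m.group(1).strip()
    return None

def _norm(fp):
    # Compare fingerprints without separators or case differences.
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def ensure_signer(admin_task, scope, host, port, alias, expected_fp):
    """Add the signer presented at host:port to the cell-level trust store.

    Returns "present" if the alias already exists and "added" after a
    successful retrieve; raises ValueError on a fingerprint mismatch.
    """
    store = "-keyStoreName %s -keyStoreScope %s" % (TRUST_STORE, scope)
    listing = admin_task.listSignerCertificates("[%s]" % store)
    for record in listing.splitlines():
        if _field(record, "alias") == alias:
            return "present"
    target = "-host %s -port %s" % (host, port)
    # Look at what the port presents before trusting it.
    info = admin_task.retrieveSignerInfoFromPort("[%s]" % target)
    seen = _field(info, "fingerPrint")
    if seen is None or _norm(seen) != _norm(expected_fp):
        raise ValueError("fingerprint mismatch for %s:%s: %s" % (host, port, seen))
    admin_task.retrieveSignerFromPort(
        "[%s %s -certificateAlias %s]" % (store, target, alias))
    return "added"

# Inside wsadmin (all values are placeholders), then persist the change:
#   ensure_signer(AdminTask, "(cell):myCell", "dmgr2.example.com", 9043,
#                 "secondary_dmgr_signer", "<fingerprint obtained out of band>")
#   AdminConfig.save()
```

Retrieving a signer from a port trusts whatever certificate that port presents at that moment, so the fingerprint comparison is the step that ties the new trust entry to the real secondary deployment manager.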