retrieveSigners command

retrieveSigners command

The retrieveSigners command creates a new client self-signed certificate, keystore, and SSL configuration in the ssl.client.props file. Using this command we can optionally extract the signer to a file.

For more information about where to run this command, read about Use command tools.

Syntax

Use the following command syntax to create a new client self-signed certificate, keystore, and SSL configuration in the ssl.client.props file.
retrieveSigners <CellDefaultTrustStore> <ClientDefaultTrustStore> [options]

The <remoteKeyStoreName> and <localKeyStoreName> parameters are required. The following optional parameters are available:
[-remoteAlias aliasFromRemoteStore]
[-localAlias storeAsAlias]
[-listRemoteKeyStoreNames][-listLocalKeyStoreNames]
[-autoAcceptBootstrapSigner][-uploadSigners] [-host host]
[-port port][-conntype JSR160RMI|RMI|SOAP|IPC][-user user]
[-password password]
[-trace] [-logfile filename]
[-replacelog] [-quiet] [-help]

Parameters

The following parameters are available for the retrieveSigners command:

remoteKeyStoreName The name of a truststore located in the server configuration from which to retrieve the signers. This positional parameter is typically the CellDefaultTrustStore file for a managed environment or the NodeDefaultTrustStore file for an unmanaged environment.
localKeyStoreName The name of the truststore located in the ssl.client.props file for the profile to which the retrieved signers is added. This positional parameter is typically the ClientDefaultTrustStore file for either a managed or unmanaged environment.
-remoteAlias <aliasFromRemoteStore> One alias from the remote truststore to retrieve. Otherwise, all signers from the remote truststore are retrieved.
-localAlias <storeAsAlias> Determines the name of the alias stored in the local truststore. This option is only valid if we specify the -remoteAlias option. If we do not specify the -localAlias option, then the alias name from the remote truststore is used, if possible. If an alias clash occurs, then the alias name is used and has an incremented number appended to the end of it until a unique alias is found.
-listRemoteKeyStoreNames Sends a remote request to the server to list all keystores that we can specify for the remoteKeyStoreName parameter. Use this command when we are unsure of the name of the remote truststore from which we want to download the signers.
-listLocalKeyStoreNames Lists the keystores located in the ssl.client.props file that we can specify for the localKeyStoreName parameter. This truststore receives the signers from the server. Use this parameter when we are unsure of the name of the local truststore into which we want to retrieve the signers. The default name of the truststore is ClientDefaultTrustStore and is located in the ssl.client.props file.
-autoAcceptBootstrapSigner Automatically adds a signer to make a secure connection to the server. The purpose of the option is to support automation of the command so that we do not need to accept the signer. After the signer is added to the local truststore, an SHA hash prints so that we can verify the certificate.
-uploadSigners Converts the signer download into a signer upload. The signers from the localKeyStoreName parameter is sent to the remoteKeyStoreName parameter instead.
-host <host> Target host from which the signers are retrieved.
-port <port> Target administrative port to which we want to connect. Specify the port based on the -conntype parameter. If the conntype is SOAP, the default port is 8879. This value can vary for different servers. If the conntype is RMI, the default port is 2809.
-conntype <JSR160RMI|IPC|RMI|Soap> Determines the administrative connector type used for the MBean call to retrieve the signers.
Eventually switch from the RMI connector to the JSR160RMI connector because support for the RMI connector is deprecated.
-user <user> When the -uploadSigners flag is used, we are required to specify this option to supply the user name that is authenticated for the Bean operation. If not specified when the -uploadSigners flag is used, then we are prompted for credentials by default.
-password <password> When the -uploadSigners flag is used, we are required to specify this option to supply the password that is authenticated for the MBean operation. The password goes along with the -user parameter.
-trace When specified, this parameter enables tracing of the trace specification necessary to debug this component. By default, the trace is located in the profiles/profile/log/retrieveSigners.log file.
-logfile <filename> Overrides the default trace file. By default, the trace will appear in the profiles/profile/log/retrieveSigners.log file.
-replacelog Causes the existing trace file to be replaced when the command runs.
-quiet Suppresses most messages from printing to the console.
-help Prints a usage statement.
-? Prints a usage statement.

Usage scenario

List remote and local keystores

retrieveSigners.bat -listRemoteKeyStoreNames -listLocalKeyStoreNames -conntype RMI -port 2809

Example output
CWPKI0306I: The following remote keystores exist on the specified server: CMSKeyStore, NodeLTPAKeys, NodeDefaultTrustStore, NodeDefaultKeyStore CWPKI0307I: The following local keystores exist on the client: ClientDefaultKeyStore, ClientDefaultTrustStore

Retrieve all signers from NodeDefaultTrustStore

retrieveSigners.bat NodeDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype RMI -port 2809

Example output
CWPKI0308I: Adding signer alias "CN=BIRKT40.austin.ibm.com, O=IBM, C=US" to local keystore "ClientDefaultTrustStore" with the following SHA digest: 40:20:CF:BE:B4:B2:9C:F0:96:4D:EE:E5:14:92:9E:37:8D:51:A5:47

Use command-line tools
Use the retrieveSigners command in SSL to enable server to server trust

remoteKeyStoreName	The name of a truststore located in the server configuration from which to retrieve the signers. This positional parameter is typically the CellDefaultTrustStore file for a managed environment or the NodeDefaultTrustStore file for an unmanaged environment.
localKeyStoreName	The name of the truststore located in the ssl.client.props file for the profile to which the retrieved signers is added. This positional parameter is typically the ClientDefaultTrustStore file for either a managed or unmanaged environment.
-remoteAlias <aliasFromRemoteStore>	One alias from the remote truststore to retrieve. Otherwise, all signers from the remote truststore are retrieved.
-localAlias <storeAsAlias>	Determines the name of the alias stored in the local truststore. This option is only valid if we specify the -remoteAlias option. If we do not specify the -localAlias option, then the alias name from the remote truststore is used, if possible. If an alias clash occurs, then the alias name is used and has an incremented number appended to the end of it until a unique alias is found.
-listRemoteKeyStoreNames	Sends a remote request to the server to list all keystores that we can specify for the remoteKeyStoreName parameter. Use this command when we are unsure of the name of the remote truststore from which we want to download the signers.
-listLocalKeyStoreNames	Lists the keystores located in the ssl.client.props file that we can specify for the localKeyStoreName parameter. This truststore receives the signers from the server. Use this parameter when we are unsure of the name of the local truststore into which we want to retrieve the signers. The default name of the truststore is ClientDefaultTrustStore and is located in the ssl.client.props file.
-autoAcceptBootstrapSigner	Automatically adds a signer to make a secure connection to the server. The purpose of the option is to support automation of the command so that we do not need to accept the signer. After the signer is added to the local truststore, an SHA hash prints so that we can verify the certificate.
-uploadSigners	Converts the signer download into a signer upload. The signers from the localKeyStoreName parameter is sent to the remoteKeyStoreName parameter instead.
-host <host>	Target host from which the signers are retrieved.
-port <port>	Target administrative port to which we want to connect. Specify the port based on the -conntype parameter. If the conntype is SOAP, the default port is 8879. This value can vary for different servers. If the conntype is RMI, the default port is 2809.
-conntype <JSR160RMI\|IPC\|RMI\|Soap>	Determines the administrative connector type used for the MBean call to retrieve the signers. Eventually switch from the RMI connector to the JSR160RMI connector because support for the RMI connector is deprecated.
-user <user>	When the -uploadSigners flag is used, we are required to specify this option to supply the user name that is authenticated for the Bean operation. If not specified when the -uploadSigners flag is used, then we are prompted for credentials by default.
-password <password>	When the -uploadSigners flag is used, we are required to specify this option to supply the password that is authenticated for the MBean operation. The password goes along with the -user parameter.
-trace	When specified, this parameter enables tracing of the trace specification necessary to debug this component. By default, the trace is located in the profiles/profile/log/retrieveSigners.log file.
-logfile <filename>	Overrides the default trace file. By default, the trace will appear in the profiles/profile/log/retrieveSigners.log file.
-replacelog	Causes the existing trace file to be replaced when the command runs.
-quiet	Suppresses most messages from printing to the console.
-help	Prints a usage statement.
-?	Prints a usage statement.