+

Search Tips   |   Advanced Search

Change the signer auto-exchange prompt at the client

For clients to communicate with WebSphere Application Server, clients must obtain a signer certificate from the server. Clients can use the retrieveSigners command to connect to a server to obtain the appropriate signer. A prompt displays that asks whether or not we want to add a signer to the truststore. If the SSL configuration uses an automated script that might hang, use the prompt to obtain the certificate.

The com.ibm.ssl.enableSignerExchangePrompt property in the profile_home/properties/ssl.client.props file controls the signer certificate prompt. By default, this property is set to true, meaning the prompt is enabled.


Disable or enable the signer-exchange prompt at the client

  1. Edit profile_home/properties/ssl.client.props

  2. Locate the section containing the SSL configuration information for the client that we are working with.

  3. Change the value of the com.ibm.ssl.enableSignerExchangePrompt property to false if we do not want the signer-exchange prompt, or set it to true to be prompted.

  4. Save and close the file.

When the com.ibm.ssl.enableSignerExchangePrompt property is set to false, no prompt displays if a signer is not trusted. In this case the SSL handshake fails. Once the proper signer for the connection being made is manually installed in the trust store, the SSL handshake can succeed.

When the com.ibm.ssl.enableSignerExchangePrompt property is set to gui or true, a signer-exchange window is displayed, and we are asked to accept or reject the certificate. If we accept the certificate, it is installed in the trust store automatically and the handshake succeeds. If we reject the certificate, it does not get installed in the trust store and the handshake fails since the certificate is not trusted.

When the com.ibm.ssl.enableSignerExchangePrompt property is set to stdin, a signer-exchange ASCII prompt is displayed, and we are asked to accept or reject the certificate. If we accept the certificate, it is installed in the trust store automatically and the handshake succeeds. If we reject the certificate, it does not get installed in the trust store and the handshake fails since the certificate is not trusted.

The prompt looks like the following example:


Example

(Dist) (ZOS)

Verify that the digest value matches what is displayed at the server in the following signer information:


What to do next

Clients can instigate communications for various processes using signer certificates obtained from WAS.


Related:

  • Secure installation for client signer retrieval in SSL
  • ssl.client.props client configuration file