
Add the signer certificate from the secondary deployment manager to the local trust store

To enable SSL in your high availability deployment manager environment, the local trust store must contain the signer certificate from the secondary deployment manager. If the trust store does not contain the signer certificate, add the certificate to the trust store to prevent errors and enable secure communication among the core group members.

To elect the secondary deployment manager to take over as the primary deployment manager when SSL is enabled in the environment, the signer certificate of the secondary deployment manager must exist in the local trust store. Specifically, the com.ibm.ssl.trustStore value must be set to the cell-level default trust store in the deployment_manager_profile/properties/ssl.client.props file. If the certificate cannot be located in the local trust store, the SSL handshake fails and you might receive the following error message:

CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN 
"CN=xdblade36b07.rtp.raleigh.ibm.com, O=IBM, C=US"
was sent from target host:port "*:9043". 
The extended error message from the SSL handshake exception is: 
"No trusted certificate found".

Add the signer certificate from the secondary deployment manager to the local trust store to enable secure communication in your high availability deployment manager environment.
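
To see which signers are still missing from the trust store, the CWPKI0022E message quoted above can be pulled out of a log and grouped by SubjectDN. The Python script below is an added example, not IBM code: it assumes only the message fields shown on this page, the log excerpt is constructed, and the DN CN=dmgr2.example.test is hypothetical.

```python
import re
from collections import defaultdict

# Skip text between fields without running into the next CWPKI0022E record.
_GAP = r'(?:(?!CWPKI0022E).)*?'
# \s+ between words tolerates the line wrapping shown in the message above.
CWPKI0022E = re.compile(
    r'CWPKI0022E:\s+SSL\s+HANDSHAKE\s+FAILURE:\s+A\s+signer\s+with\s+'
    r'SubjectDN\s+"(?P<subject>[^"]+)"\s+was\s+sent\s+from\s+target\s+'
    r'host:port\s+"(?P<target>[^"]+)"'
    r'(?:' + _GAP + r'exception\s+is:\s+"(?P<reason>[^"]*)")?',
    re.DOTALL,
)


def untrusted_signers(log_text):
    """Group CWPKI0022E failures by the SubjectDN of the untrusted signer.

    Returns {subject_dn: {"count": int, "targets": set, "reasons": set}}.
    """
    found = defaultdict(
        lambda: {"count": 0, "targets": set(), "reasons": set()})
    for m in CWPKI0022E.finditer(log_text):
        entry = found[m.group("subject")]
        entry["count"] += 1
        entry["targets"].add(m.group("target"))
        if m.group("reason"):  # optional: absent when the record is cut short
            entry["reasons"].add(m.group("reason"))
    return dict(found)


# Constructed log excerpt. The first record is the message from this page;
# the DN CN=dmgr2.example.test is hypothetical.
SAMPLE_LOG = '''\
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN
"CN=xdblade36b07.rtp.raleigh.ibm.com, O=IBM, C=US"
was sent from target host:port "*:9043".
The extended error message from the SSL handshake exception is:
"No trusted certificate found".
(constructed unrelated log line)
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=dmgr2.example.test, O=Example, C=US" was sent from target host:port "*:9043".
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=xdblade36b07.rtp.raleigh.ibm.com, O=IBM, C=US" was sent from target host:port "*:9043". The extended error message from the SSL handshake exception is: "No trusted certificate found".
'''

if __name__ == "__main__":
    for dn, info in sorted(untrusted_signers(SAMPLE_LOG).items()):
        print(f'{info["count"]}x {dn} from {sorted(info["targets"])}: '
              f'{sorted(info["reasons"]) or "no reason logged"}')
```

Each SubjectDN in the result is a signer to check against CellDefaultTrustStore before running the tasks below.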


Tasks

  1. In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port.

  2. Define the following general properties to retrieve the signer certificate from the remote SSL port, and click Retrieve signer information:

    Host

    Host name that you connect to when you retrieve the signer certificate from the SSL port

    Port

    The SSL port that you connect to when you retrieve the signer certificate

    SSL configuration for outbound connection

    Configuration used to connect to the SSL port

    This configuration is the SSL configuration containing the signer certificate after you add the certificate to the trust store.

    Alias

    Certificate alias used in the SSL configuration

The configuration can connect to and accurately check the status of the secondary deployment manager.


Related:

  • Topology Configurations for Multi-Cell Routing
  • Secure communications using SSL
  • Configure a high availability deployment manager environment