Retrieving signers using the retrieveSigners utility at the client
Clients may require the signer certificates from the server to be able to communicate with WebSphere Application Server. To get the signer certificate from a server.
profile_root/bin/retrieveSigners
In this release, a Java client that does not have access to a stdin console prompt should use the retrieveSigners utility to download the signers from the remote server key store when signers are needed for an SSL handshake. For example, we might interpret the client as failing to respond if an applet client or Java Web Start Client application cannot access the stdin signer exchange prompt. Thus, we must WebSphere Java method call...
com.ibm.wsspi.ssl.RetrieveSignersHelper.callRetrieveSigners
...to the client application to retrieve the signers and to avoid running the retrieveSigners utility manually.
Use the retrieveSigners utility for situations where we cannot verify whether or not the com.ibm.ssl.enableSignerExchangePrompt= property is enabled or disabled when the application makes a request. If we cannot see the console, edit ssl.client.props and set the property...
com.ibm.ssl.enableSignerExchangePrompt=false
Alternatively, we can manually create the server key in the client truststore.
Complete the following steps, as required:
Tasks
- Use the retrieveSigners command to get the signer certificate from a server.
- If the client and server are on the same machine, we will need only the remoteKeyStoreName and localKeyStoreName parameters.
The most typical key store to reference on a remote system is CellDefaultTrustStore on a network deployed environment and NodeDefaultTrustStore on an application server.
- When retrieving signers from a remote server, use required connection-related parameters: -host host, -port port, -conntype {RMI | SOAP}.
- Use the -autoAcceptBootstrapSigner parameter to enable automation of the signer retrieval.
This parameter automatically adds to the server all the signers needed to make the connection.
After running, the command displays the SHI-1 digest of the signers added. The output looks similar to the following output:
C:\WebSphere\AppServer\profiles\AppSrv01\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore
Example
The following examples illustrate how to call the retrieveSigners.bat file.
To retrieve signers on the same system, enter:
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore
To retrieve signers on a remote system with a SOAP connection, enter:
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 8879 -conntype SOAP -autoAcceptBootstrapSigner
To retrieve signers on a remote system with an RMI connection, enter:
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 2809 -conntype RMI -autoAcceptBootstrapSigner
To retrieve signers on a remote system that has security enabled, enter:
profile_root\bin\retrieveSigners.bat CellDefaultTrustStore ClientDefaultTrustStore -host myRemoteHost -port 8879 -conntype SOAP -user testuser -password testuserpwd -autoAcceptBootstrapSigner
Related:
Secure installation for client signer retrieval in SSL retrieveSigners command