Changing the signer auto-exchange prompt at the client
For clients to communicate with WebSphere® Application Server, clients must obtain a signer certificate from the server. Clients can use the retrieveSigners command to connect to a server to obtain the appropriate signer. A prompt displays that asks whether or not you want to add a signer to the truststore. If the Secure Sockets Layer (SSL) configuration uses an automated script that might hang, use the prompt to obtain the certificate.
Before you begin
About this task
Procedure
- Open the profile_home/properties/ssl.client.props file using an editor.
- Locate the section containing the SSL configuration information for the client that you are working with.
- Change the value of the com.ibm.ssl.enableSignerExchangePrompt property to false if you do not want the signer-exchange prompt, or set it to true if you want to be prompted.
- Save and close the file.
Results
When the com.ibm.ssl.enableSignerExchangePrompt property is set to gui or true, a signer-exchange window is displayed, and you are asked to accept or reject the certificate. If you accept the certificate, it is installed in the trust store automatically and the handshake succeeds. If you reject the certificate, it does not get installed in the trust store and the handshake fails since the certificate is not trusted.
When the com.ibm.ssl.enableSignerExchangePrompt property is set to stdin, a signer-exchange ASCII prompt is displayed, and you are asked to accept or reject the certificate. If you accept the certificate, it is installed in the trust store automatically and the handshake succeeds. If you reject the certificate, it does not get installed in the trust store and the handshake fails since the certificate is not trusted.
The prompt looks like the following example:
Example
C:\WebSphere\AppServer\profiles\dmgr\bin>serverStatus -all
ADMU0116I: Tool information is being logged in file
C:\WebSphere\AppServer\profiles\Dmgr\logs\serverStatus.log
ADMU0128I: Starting tool with the dmgr profile
ADMU0503I: Retrieving server status for all servers
ADMU0505I: Servers found in configuration:
ADMU0506I: Server name: dmgr
*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host 192.174.1.5 is not found in truststore
C:/WebSphere/AppServer/profiles/Dmgr/etc/trust.p12.
/QIBM/UserData/WebSphere/AppServer/V85/Base/profiles/default/bin/serverStatus -all
ADMU0116I: Tool information is being logged in file
/QIBM/UserData/WebSphere/AppServer/V85/Base/profiles/default/logs/serverStatus.log
ADMU0128I: Starting tool with the default profile
ADMU0503I: Retrieving server status for all servers
ADMU0505I: Servers found in configuration:
ADMU0506I: Server name: server1
*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host 192.174.1.5 is not found in truststore
/QIBM/UserData/WebSphere/AppServer/V85/Base/profiles/default/etc/trust.p12.
Verify that the digest value matches what is displayed at the server in the following signer information:
Subject DN: CN=hostname.austin.ibm.com, O=IBM, C=US
Issuer DN: CN=hostname.austin.ibm.com, O=IBM, C=US
Serial number: 1128544457
Expires: Thu Oct 20 15:34:17 CDT 2006
SHA-1 Digest: 91:A1:A9:2D:F2:7D:70:0F:04:06:73:A3:B4:A4:9C:56:9D:A8:A3:BA
MD5 Digest: 88:72:C5:88:00:1C:A7:FA:D6:EB:04:88:AC:A1:C9:13
Add signer to the truststore now? (y/n) y
A retry of the request might need to occur.
ADMU0508I: The Application Server "server1" is STARTED.