Troubleshooting
Problem
With earlier versions of WebSphere Application Server, such as 6.1 and 7.0.0.0 - 7.0.0.15, the retrieve from port feature would retrieve the signer to the leaf certificate if there was a chain of certificates. In WebSphere Application Server versions 7.0.0.17 (and later fixpacks of version 7) and version 8.0 and later, retrieve from port obtains the signer of the root.
Symptom
If you are on one of the newer versions, where retrieve from port obtains the signer to the root, but you require the retrieve from port feature to obtain the signer to the leaf certificate, you will need APAR PM78686. Once you have APAR PM78686, you can set the custom property com.ibm.websphere.ssl.retrieveLeafCert to true.
http://www.ibm.com/support/docview.wss?uid=swg1PM78686
PM78686: RETRIEVE FROM PORT SHOULD RETRIEVE LEAF CERTIFICATE INSTEAD OF THE ROOT CERTIFICATE.
The following fixpacks (and later) have APAR PM78686:
7.0.0.29
8.0.0.6
8.5.0.2
Set the custom property as follows in the administrative console:
Go to Security > Global Security > Custom properties.
Click New.
Enter com.ibm.websphere.ssl.retrieveLeafCert for the name and true for the value.
For example, this is documented in the 8.5 infocenter:
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/topic/com.ibm.websphere.nd.doc/ae/usec_seccustomprop.html#com.ibm.websphere.ssl.retrieveleafcert
The APAR that implemented obtaining the signer to the root was:
http://www.ibm.com/support/docview.wss?uid=swg1PM37795
PM37795: RETRIEVESIGNERSFROMPORT SHOULD RETRIEVE THE ROOT OF THE CERTIFICATE CHAIN.
Document Information
Modified date: 15 June 2018
UID: swg21651084