IBM Support

How to make WebSphere Application Server's retrieve from port obtain leaf signer vs root signer

Troubleshooting


Problem

With earlier versions of WebSphere Application Server, such as 6.1 and 7.0.0.0 - 7.0.0.15, the retrieve from port feature would retrieve the signer to the leaf certificate if there was a chain of certificates. In WebSphere Application Server versions 7.0.0.17 (and later fixpacks of version 7) and version 8.0 and later, retrieve from port obtains the signer of the root.

Symptom

If you are on one of the newer versions, where retrieve from port obtains the signer to the root, but you require the retrieve from port feature to obtain the signer to the leaf certificate, you need APAR PM78686. Once you have APAR PM78686, you can set the custom property com.ibm.websphere.ssl.retrieveLeafCert to true.

http://www.ibm.com/support/docview.wss?uid=swg1PM78686
PM78686: RETRIEVE FROM PORT SHOULD RETRIEVE LEAF CERTIFICATE INSTEAD OF THE ROOT CERTIFICATE.

The following fixpacks (and later) have APAR PM78686:

7.0.0.29
8.0.0.6
8.5.0.2

Set the custom property as follows in the administrative console:

Go to Security > Global Security > Custom properties.
Click New.
Enter com.ibm.websphere.ssl.retrieveLeafCert for the name and true for the value.

For example, this is documented in the 8.5 infocenter:

http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/topic/com.ibm.websphere.nd.doc/ae/usec_seccustomprop.html#com.ibm.websphere.ssl.retrieveleafcert
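
The same change made from wsadmin instead of the console, followed by a retrieve from port and a check of what was stored. This is an added example, not part of the IBM technote. The host, port, trust store name and alias are hypothetical placeholders to replace with your own values.

```jython
# Run with: wsadmin -lang jython -f set_retrieve_leaf.py
# Added example, not IBM's code. Placeholders below are hypothetical.
PROP        = "com.ibm.websphere.ssl.retrieveLeafCert"
HOST        = "backend.example.com"      # placeholder: remote TLS endpoint
PORT        = "443"                      # placeholder: remote TLS port
TRUST_STORE = "NodeDefaultTrustStore"    # placeholder: target trust store
ALIAS       = "backend_signer"           # placeholder: alias for the new signer

# 1. Set the global security custom property (same effect as
#    Security > Global Security > Custom properties > New).
AdminTask.setAdminActiveSecuritySettings(
    '-customProperties ["%s=true"]' % PROP)
AdminConfig.save()

# 2. Retrieve the signer from the remote port into the trust store.
AdminTask.retrieveSignerFromPort(
    '[-host %s -port %s -keyStoreName %s -certificateAlias %s]'
    % (HOST, PORT, TRUST_STORE, ALIAS))
AdminConfig.save()

# 3. Print the stored certificate so it can be inspected.
#    A root certificate is self-signed: its issuer and subject are the
#    same DN. A leaf certificate from a chain names a different issuer.
#    If the root is still what was stored, confirm the installed
#    fixpack includes APAR PM78686.
print AdminTask.getSignerCertificate(
    '[-keyStoreName %s -certificateAlias %s]' % (TRUST_STORE, ALIAS))
```

In a Network Deployment cell, the trust store may need to be qualified with the -keyStoreScope parameter on the retrieveSignerFromPort and getSignerCertificate calls.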

The APAR that implemented obtaining the signer to the root was:

http://www.ibm.com/support/docview.wss?uid=swg1PM37795
PM37795: RETRIEVESIGNERSFROMPORT SHOULD RETRIEVE THE ROOT OF THE CERTIFICATE CHAIN.


Document Information

Modified date:
15 June 2018

UID

swg21651084