Using the retrieveSigners command in SSL to enable server to server trust
You can add a signer certificate to a server's trust.p12 file, allowing that server to securely communicate with another server. This is done by using the retrieveSigners command to add a signer to the server's trust.p12 file after making changes to the ssl.client.props file.
Before you begin
The ssl.client.props file must be changed and the retrieveSigners command run on the server that communicates as a client. If both servers will act as a client, these steps are required on both servers.
About this task
The ssl.client.props file is set up by default to configure Secure Socket Layer (SSL) communication for clients. As a result, the default behavior of the retrieveSigners command is to work on the client's trust.p12 file and key.p12 file in the profile_root/etc directory.
You can add a signer certificate to a server's trust.p12 file, allowing that server to act as a client communicating with another server. Using the retrieveSigners command to add a signer to a server's trust.p12 file requires some changes to the ssl.client.props file.
Procedure
Results
Example
The following changes are made to the ssl.client.props file, assuming that the server's trust.p12 file is being used. Any existing trust store can be used if the properties are provided for that trust store.
#-------------------------------------------------------------------------
com.ibm.ssl.alias=AnotherSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=IbmX509
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.contextProvider=IBMJSSE2
com.ibm.ssl.enableSignerExchangePrompt=true
#com.ibm.ssl.keyStoreClientAlias=default
#com.ibm.ssl.customTrustManagers=
#com.ibm.ssl.customKeyManager=
#com.ibm.ssl.dynamicSelectionInfo=
#com.ibm.ssl.enabledCipherSuites=
# KeyStore information
#com.ibm.ssl.keyStoreName=AnotherKeyStore
#com.ibm.ssl.keyStore=${user.root}/etc/key.p12
#com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
#com.ibm.ssl.keyStoreType=PKCS12
#com.ibm.ssl.keyStoreProvider=IBMJCE
#com.ibm.ssl.keyStoreFileBased=true
# TrustStore information
com.ibm.ssl.trustStoreName=AnotherTrustStore
com.ibm.ssl.trustStore=${user.root}/config/cells/localhostCell01/trust.p12
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=true
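Added here as an example (not IBM's code and not part of the original topic): a Python checker that parses an ssl.client.props fragment, expands ${user.root}, and confirms that the trust store properties are active while the key store properties stay commented out, as in the sample above; the embedded fragment, the profile path and the finding names are constructed assumptions.

```python
import re

# Constructed sample: a trimmed copy of the ssl.client.props fragment shown
# above, with ${user.root} left unexpanded the way WebSphere writes it.
SAMPLE_PROPS = """\
com.ibm.ssl.alias=AnotherSSLSettings
# KeyStore information
#com.ibm.ssl.keyStoreName=AnotherKeyStore
#com.ibm.ssl.keyStore=${user.root}/etc/key.p12
# TrustStore information
com.ibm.ssl.trustStoreName=AnotherTrustStore
com.ibm.ssl.trustStore=${user.root}/config/cells/localhostCell01/trust.p12
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreFileBased=true
"""
DOC_SAMPLE_PASSWORD = "{xor}CDo9Hgw="  # value shown in the documentation sample
PREFIX = "com.ibm.ssl."

def parse_props(text, variables):
    """Split Java-properties text into active and commented-out com.ibm.ssl.* settings."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        target = active
        if line.startswith("#"):          # "#key=value" is a disabled setting
            target, line = commented, line.lstrip("#").strip()
        if "=" not in line or not line.startswith(PREFIX):
            continue                      # banner comments and blank lines
        key, value = line.split("=", 1)
        # Expand ${name} from the supplied map; unknown names are left as written
        value = re.sub(r"\$\{([\w.]+)\}", lambda m: variables.get(m.group(1), m.group(0)), value)
        target[key.strip()] = value.strip()
    return active, commented

def check_trust_store_config(text, variables):
    """Return (findings, active); findings lists deviations from the page's setup."""
    active, _ = parse_props(text, variables)
    findings = []
    for name in ("trustStoreName", "trustStore", "trustStorePassword", "trustStoreType"):
        if PREFIX + name not in active:
            findings.append("missing " + PREFIX + name)
    if active.get(PREFIX + "trustStoreType") != "PKCS12":
        findings.append("trustStoreType is not PKCS12")
    if any(k.startswith(PREFIX + "keyStore") for k in active):
        findings.append("keyStore properties are active; the page keeps them commented out")
    if active.get(PREFIX + "trustStorePassword") == DOC_SAMPLE_PASSWORD:
        findings.append("trustStorePassword is the sample value from the documentation")
    return findings, active
```

Run it against the real file before and after the retrieveSigners step to confirm the trust store path resolves to the server's trust.p12 and that the sample password has been replaced.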
What to do next
Edit the ssl.client.props file to comment out the sections that were used to add the signer certificate.