Operating Systems: AIX, HP-UX, Linux, Solaris, Windows, z/OS

 

Adding the signer certificate from the secondary deployment manager to the local trust store


To enable SSL in your high availability deployment manager environment, the local trust store must contain the signer certificate from the secondary deployment manager. If the trust store does not contain the signer certificate, add the certificate to the trust store to prevent errors and enable secure communication among the core group members.

 

About this task

To elect the secondary deployment manager to take over as the primary deployment manager when SSL is enabled in your environment, the signer certificate of the secondary deployment manager must exist in the local trust store. Specifically, the com.ibm.ssl.trustStore value must be set to the cell-level default trust store in the deployment_manager_profile/properties/ssl.client.props file. If the certificate cannot be located in the local trust store, the SSL handshake fails and you might receive the following error message:

    CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=xdblade36b07.rtp.raleigh.ibm.com, O=IBM, C=US" was sent from target host:port "*:9043".
    The extended error message from the SSL handshake exception is: "No trusted certificate found".

Add the signer certificate from the secondary deployment manager to the local trust store to enable secure communication in your high availability deployment manager environment.
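
The following added example (not part of the original page and not IBM code) scans log text for the CWPKI0022E message quoted above and lists each distinct signer SubjectDN with the host:port it was sent from, so you can see which signers are missing from the trust store before you retrieve them. The function names, the log line prefixes and the second signer in the sample are constructed for illustration.

```python
import re
from collections import Counter

# Matches the CWPKI0022E text quoted on this page. [^"]* keeps a match inside
# one message, and \s+ tolerates the message being wrapped across log lines.
CWPKI0022E = re.compile(
    r'CWPKI0022E:[^"]*SubjectDN\s+"(?P<dn>[^"]+)"'
    r'[^"]*target\s+host:port\s+"(?P<host>[^"]*):(?P<port>[^":]+)"'
)

def untrusted_signers(log_text):
    """Count handshake failures per (signer SubjectDN, host, port)."""
    hits = Counter()
    for m in CWPKI0022E.finditer(log_text):
        hits[(m.group("dn"), m.group("host"), m.group("port"))] += 1
    return hits

def report(log_text):
    """One summary line per distinct signer, most frequent first."""
    lines = []
    for (dn, host, port), n in untrusted_signers(log_text).most_common():
        # The message on this page shows "*" where a host name would be;
        # in that case only the port identifies the endpoint.
        if host == "*":
            where = 'port %s (host logged as "*")' % port
        else:
            where = "%s:%s" % (host, port)
        lines.append("%dx signer not trusted: %s, sent from %s" % (n, dn, where))
    return lines

# Constructed sample input: timestamps, thread ids and the second signer are
# made up; the first message text is the one quoted on this page.
SAMPLE_LOG = '''\
[1/1/24 10:00:01:000 UTC] 0000001a SystemOut     O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=xdblade36b07.rtp.raleigh.ibm.com, O=IBM, C=US" was sent from target host:port "*:9043".
The extended error message from the SSL handshake exception is: "No trusted certificate found".
[1/1/24 10:00:31:000 UTC] 0000001a SystemOut     O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN
 "CN=xdblade36b07.rtp.raleigh.ibm.com, O=IBM, C=US" was sent from target host:port "*:9043".
[1/1/24 10:01:00:000 UTC] 0000001b SystemOut     O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=dmgr2.example.com, O=Example, C=US" was sent from target host:port "dmgr2.example.com:9043".
[1/1/24 10:02:00:000 UTC] 0000001b SystemOut     O CWPKI0022E: SSL HANDSHAKE FAILURE: (constructed truncated entry)
'''

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Compare each reported SubjectDN with the certificate that the secondary deployment manager is expected to present before you add the signer to the trust store.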

 

Procedure

  1. In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port.

  2. Define the following general properties to retrieve the signer certificate from the remote SSL port, and click Retrieve signer information:

    Host
        Specifies the host name that you connect to when you retrieve the signer certificate from the SSL port.
    Port
        Specifies the SSL port that you connect to when you retrieve the signer certificate.
    SSL configuration for outbound connection
        Specifies the configuration that is used to connect to the SSL port. This configuration is the SSL configuration that contains the signer certificate after you add the certificate to the trust store.
    Alias
        Specifies the certificate alias that is used in the SSL configuration.

 

Results

The configuration can connect to and accurately check the status of the secondary deployment manager.


