Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Secure communications > Secure communications using SSL


Use the retrieveSigners command in SSL to enable server to server trust

We can add a signer certificate to a server's trust.p12 file, allowing that server to securely communicate with another server. This can be done using the retrieveSigners command to add a signer to a server's trust.p12 file after making changes to the ssl.client.props file. The server that will be communicating as a client must be identified before the server to server trust can be established. You will make change to the ssl.client.props file and run the retrieveSigners command on the server communicating as a client. If both servers will be acting as a client , these steps will be required for both servers. The ssl.client.props file is setup by default to configure SSL communication for clients. This makes the default behavior of the retrieveSigners command work on the client's trust.p12 file and key.p12 file in the $PROFILE_ROOT/etc directory. We can add a signer certificate to a server's trust.p12 file, allowing that server to act as a client communicating to another server. Using the retrieveSigners command to add a signer to a server's trust.p12 file requires some changes to the ssl.client.props file.


Procedure

  1. Open the ssl.client.props file. The ssl.client.props file is located in $PROFILE_ROOT/properties ditrectory.
  2. Uncomment the section of ssl.client.props that starts with com.ibm.ssl.alias=AnotherSSLSettings property.
  3. Uncomment the section of ssl.client.props that starts with com.ibm.ssl.trustStoreName=AnotherTrustStore property.

  4. Enter the location of the trust store that the signer should be added. If you are using the server trust store for a dmgr then it is located in $PROFILE_ROOT/config/cells/cell name/trust.p12. If using the trust store for an application server, it is located in $PROFILE_ROOT/config/cells/cell name/nodes/node name/trust.p12.
  5. Update the remaining properties in this section with the values associated with the trust store being used. A description of the properties can be found in ssl.client.props client configuration file.

  6. Optional: Uncomment and update section that starts with com.ibm.ssl.trustStoreName=AnotherKeyStore property. Most scenarios only require a signer to be added to the trust store. This example only adds a signer to the trust store, but you can also add a signer to the key store by updating the properties as you did for the trust store in steps 3 through 5.

  7. Save the changes made to ssl.client.props.
  8. Run the retrieveSigners command. For more information see the page about the retrieveSigners command.
    retrieveSigners NodeDefaultTrustStore AnotherTrustStore -host ademyers.austin.ibm.com -port 8879
    

    Example output:

    CWPKI0308I: Adding signer alias "default_1" to local keystore                      "AnotherTrustStore" with the following SHA digest:
                         F4:71:97:79:3E:C1:DC:E7:9F:8F:3D:F0:A0:15:1E:D1:44:73:2C:06
    


Results

After the steps have been successfully completed. the server acting as a client has the signing certificate of the other server. This allows that server to establish an SSL connection to the other server.


Example

The example shows the modified section of the ssl.client.props file assuming that the server's trust.p12 file is being used. Any trust store existing trust store can be used if the properties are provided for that trust store.
#-------------------------------------------------------------------------
com.ibm.ssl.alias=AnotherSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=IbmX509
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.contextProvider=IBMJSSE2
com.ibm.ssl.enableSignerExchangePrompt=true
#com.ibm.ssl.keyStoreClientAlias=default
#com.ibm.ssl.customTrustManagers=
#com.ibm.ssl.customKeyManager=
#com.ibm.ssl.dynamicSelectionInfo=
#com.ibm.ssl.enabledCipherSuites=

# KeyStore information #com.ibm.ssl.keyStoreName=AnotherKeyStore
#com.ibm.ssl.keyStore=${user.root}/etc/key.p12
#com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
#com.ibm.ssl.keyStoreType=PKCS12
#com.ibm.ssl.keyStoreProvider=IBMJCE
#com.ibm.ssl.keyStoreFileBased=true

# TrustStore information com.ibm.ssl.trustStoreName=AnotherTrustStore
com.ibm.ssl.trustStore=${user.root}/config/cells/localhostCell01/trust.p12
com.ibm.ssl.trustStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=true


What to do next

After the signer has been added, edit the ssl.client.props file to comment out the sections that were to used to add the signer certificate.
Secure communications using SSL


Related


retrieveSigners command

+

Search Tips   |   Advanced Search