When specifying administrative settings to a secured WebSphere® Application
Server v6.1.x, you can choose to prevent the workbench from automatically
accepting certificates by clearing the Automatically trust server certificate
during SSL handshake check box in the security section of the server editor.
However, if you clear this check box, you need to perform manual steps to establish
the initial trust between the workbench and the secured WebSphere Application
Server v6.1.x. If trust is not established, the Servers view in the workbench
displays the server as stopped and no connection can be made to the server.
In this task you will extract the certificate from the WebSphere Application Server
into a file and add this certificate to the truststore of the development
workbench of this product.

Starting in WebSphere Application Server version 6.1, each profile in the
WebSphere Application Server environment contains a unique self-signed
certificate that was created when the profile was created. This certificate
replaces the default dummy certificate that ships with WebSphere Application
Server in releases prior to version 6.1. When a profile is federated to a
deployment manager, the signer for that self-signed certificate is added to
the common truststore for the cell. By default, clients (such as the development
workbench) do not trust servers from different profiles in the WebSphere Application
Server environment. That is, they do not contain the signer for these servers.

If you choose to clear the Automatically trust server certificate during SSL
handshake check box to prevent the workbench from automatically accepting
certificates, complete the following steps to manually establish the initial
trust between the workbench and the administrative secured WebSphere Application
Server v6.1.x:
- Start the IBM Key Management (ikeyman) utility.
  - In a command prompt, go to the x:\bin directory, where x is the installation directory of WebSphere Application Server.
  - Type ikeyman
  - The IBM® Key Management utility opens.
- In the IBM Key Management utility, select .
  - The value selected under the Key database type list depends on your connection type between the server and the workbench:
    - For a remote method invocation (RMI) connection, select PKCS12
    - For a SOAP connection, select JKS
  - The file path specified under the Location field depends on the connection type between the server and the workbench:
    - For a remote method invocation (RMI) connection, specify the x:\profiles\<profileName>\etc\trust.p12 file, where x is the installation directory for WebSphere Application Server.
    - For a SOAP connection, specify x:\profiles\<profileName>\etc\DummyClientTrustFile.jks, where x is the installation directory for WebSphere Application Server.
  - Click OK.
- When prompted for a password, type WebAS. Click OK.
- Under the Signer Certificates list, select the default_signer certificate and click the Extract button to export the file to your local file system. The extract certificate to a file wizard opens.
  - In the Certificate file name field, specify a file name for your extracted certificate. For example, cert.arm.
  - In the Location field, specify a temporary file location to store your extracted certificate. Click OK.
- Exit the IBM Key Management utility.
- Take the file where you extracted the certificate in the previous steps to the machine where the development workbench of this product is installed.
- Start the IBM Key Management utility:
  - In a command prompt, go to the y:\eclipse\jre\bin directory, where y is the installation directory of the workbench.
  - Type ikeyman
  - The IBM Key Management utility opens.
- In the IBM Key Management utility, select .
  - The value selected under the Key database type list depends on your connection type between the server and the workbench:
    - For a remote method invocation (RMI) connection, select PKCS12
    - For a SOAP connection, select JKS
  - The file path specified under the Location field depends on the connection type between the server and the workbench (y is the installation directory of the workbench for this product):
    - For a remote method invocation (RMI) connection, the truststore file is located at y:\runtimes\base_v61_stub\etc\trust.p12
    - For a SOAP connection, the truststore file is located at y:\runtimes\base_v61_stub\etc\DummyClientTrustFile.jks
  - Click OK.
- When prompted for a password, type WebAS. Click OK.
- Under the Signer Certificates list, click the Add button to add the certificate extracted from the server to the truststore of the development workbench. The add CA's certificate from a file wizard opens.
  - In the Certificate file name field, specify the file name of the extracted certificate from the WebSphere Application Server. For example, cert.arm.
  - In the Location field, specify the file location where you stored your extracted certificate from the WebSphere Application Server. Click OK.
  - In the Enter a Label wizard, specify any name.
- Exit the IBM Key Management utility.
- Restart the workbench of this product.
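
Because the extracted file is carried between machines before it becomes a trusted signer, it is worth checking it against a fingerprint of the server's signer certificate obtained over a separate channel before the Add step. The following Python script is an added example, not part of the original documentation; it assumes cert.arm was extracted as Base64-encoded ASCII with PEM-style BEGIN/END CERTIFICATE armor, and the function names and sample data are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# PEM-style armor; assumed to be what the Base64-encoded ASCII extract (cert.arm) contains.
ARMOR = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def arm_fingerprints(arm_text):
    """Return the SHA-256 fingerprint (hex) of every certificate block in the text."""
    prints = []
    for body in ARMOR.findall(arm_text):
        # Drop line breaks (LF or CRLF) and spaces before decoding.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def normalize(fingerprint):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex and return lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def safe_to_import(arm_text, expected_fingerprint):
    """True only if the file holds exactly one certificate and it matches."""
    prints = arm_fingerprints(arm_text)
    if len(prints) != 1:
        return False  # empty, truncated, or more than one signer in the file
    return hmac.compare_digest(prints[0], normalize(expected_fingerprint))


# Constructed sample: placeholder bytes standing in for DER, not a real certificate.
SAMPLE_DER = b"constructed placeholder for the default_signer DER bytes"
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_ARM = ("-----BEGIN CERTIFICATE-----\r\n"
              + "\r\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\r\n-----END CERTIFICATE-----\r\n")
# Fingerprint as it would be read out over a separate channel (colon-separated, upper case).
_hex = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
SAMPLE_EXPECTED = ":".join(_hex[i:i + 2] for i in range(0, len(_hex), 2))

if __name__ == "__main__":
    print("import allowed:", safe_to_import(SAMPLE_ARM, SAMPLE_EXPECTED))
```

For a real file, read cert.arm as text and pass its contents to safe_to_import together with the fingerprint supplied by the server administrator; add the certificate to the workbench truststore only when the result is True.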