The retrieveSigners command creates a new client self-signed
certificate, keystore, and SSL configuration in the ssl.client.props
file. Using this command you can optionally extract the signer to
a file.
For more information about where to run this command, read about Using command tools.
Syntax
Use the following command syntax to create a new client self-signed certificate, keystore, and SSL configuration in the ssl.client.props file.
retrieveSigners <CellDefaultTrustStore> <ClientDefaultTrustStore> [options]
The <remoteKeyStoreName> and <localKeyStoreName> parameters are required. The following optional parameters are available:
[-remoteAlias aliasFromRemoteStore]
[-localAlias storeAsAlias]
[-listRemoteKeyStoreNames] [-listLocalKeyStoreNames]
[-autoAcceptBootstrapSigner] [-uploadSigners] [-host host]
[-port port] [-conntype JSR160RMI|RMI|SOAP|IPC] [-user user]
[-password password]
[-trace] [-logfile filename]
[-replacelog] [-quiet] [-help]
Parameters
The following parameters are available for the retrieveSigners command:
- remoteKeyStoreName
- The name of a truststore that is located in the server configuration
from which to retrieve the signers. This positional parameter is
typically the CellDefaultTrustStore file for a managed environment
or the NodeDefaultTrustStore file for an unmanaged environment.
- localKeyStoreName
- The name of the truststore, located in the ssl.client.props file for the profile, to which the retrieved signers are added. This positional parameter is typically the ClientDefaultTrustStore file for either a managed or unmanaged environment.
- -remoteAlias <aliasFromRemoteStore>
- Specifies one alias from the remote truststore that you want to
retrieve. Otherwise, all signers from the remote truststore are retrieved.
- -localAlias <storeAsAlias>
- Determines the name of the alias stored in the local truststore. This option is only valid if you specify the -remoteAlias option. If you do not specify the -localAlias option, the alias name from the remote truststore is used, if possible. If an alias clash occurs, the alias name is used with an incremented number appended to it until a unique alias is found.
- -listRemoteKeyStoreNames
- Sends a remote request to the server to list all keystores that you can specify for the remoteKeyStoreName parameter. Use this option when you are unsure of the name of the remote truststore from which you want to download the signers.
- -listLocalKeyStoreNames
- Lists the keystores located in the ssl.client.props file that
you can specify for the localKeyStoreName parameter. This truststore
receives the signers from the server. Use this parameter when you
are unsure of the name of the local truststore into which you want
to retrieve the signers. The default name of the truststore is ClientDefaultTrustStore
and is located in the ssl.client.props file.
- -autoAcceptBootstrapSigner
- Automatically adds a signer to make a secure connection to the
server. The purpose of the option is to support automation of the
command so that you do not need to accept the signer. After the signer
is added to the local truststore, an SHA hash prints so that you can
verify the certificate.
- -uploadSigners
- Converts the signer download into a signer upload. The signers from the localKeyStoreName truststore are sent to the remoteKeyStoreName truststore instead.
- -host <host>
- Specifies the target host from which the signers are retrieved.
- -port <port>
- Specifies the target administrative port to which you want to
connect. You must specify the port based on the -conntype parameter.
If the conntype is SOAP, the default port is 8879. This value can
vary for different servers. If the conntype is RMI, the default
port is 2809.
- -conntype <JSR160RMI|IPC|RMI|SOAP>
- Determines the administrative connector type that is used for
the MBean call to retrieve the signers.
Note: Eventually switch from the RMI connector to the JSR160RMI connector, because support for the RMI connector is deprecated.
- -user <user>
- When the -uploadSigners flag is used, you are required to specify
this option to supply the user name that is authenticated for the
MBean operation. If you do not specify this parameter when the -uploadSigners
flag is used, then you are prompted for credentials by default.
- -password <password>
- When the -uploadSigners flag is used, you are required to specify
this option to supply the password that is authenticated for the MBean
operation. The password goes along with the -user parameter.
- -trace
- When specified, this parameter enables the trace specification needed to debug this component. By default, the trace is written to the profiles/profile_name/log/retrieveSigners.log file.
- -logfile <filename>
- Overrides the default trace file. By default, the trace is written to the profiles/profile_name/log/retrieveSigners.log file.
- -replacelog
- Causes the existing trace file to be replaced when the command runs.
- -quiet
- Suppresses most messages from printing to the console.
- -help
- Prints a usage statement.
- -?
- Prints a usage statement.
Usage scenario
The following examples demonstrate correct syntax for using the retrieveSigners command:
[IBM i]
The following example lists remote and local keystores:
retrieveSigners -listRemoteKeyStoreNames -listLocalKeyStoreNames -conntype RMI -port 2809
Example output
CWPKI0306I: The following remote keystores exist on the specified server:
CMSKeyStore, NodeLTPAKeys, NodeDefaultTrustStore, NodeDefaultKeyStore
CWPKI0307I: The following local keystores exist on the client:
ClientDefaultKeyStore, ClientDefaultTrustStore
[IBM i]
The following example retrieves all signers from NodeDefaultTrustStore:
retrieveSigners NodeDefaultTrustStore ClientDefaultTrustStore -autoAcceptBootstrapSigner -conntype RMI -port 2809
Example output
CWPKI0308I: Adding signer alias "CN=BIRKT40.austin.ibm.com, O=IBM, C=US" to
local keystore "ClientDefaultTrustStore" with the following SHA
digest: 40:20:CF:BE:B4:B2:9C:F0:96:4D:EE:E5:14:92:9E:37:8D:51:A5:47
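The -autoAcceptBootstrapSigner option adds the signer without asking you first and prints the SHA digest so that you can verify the certificate afterwards. The following Python script is an added example (not part of the IBM documentation or the retrieveSigners tool): it parses the CWPKI0308I message in the format shown in the example output above, computes the colon-separated SHA-1 fingerprint of a DER-encoded certificate the way the tool prints it, and compares the two so that an unverified signer can be spotted and removed from the truststore. The DER bytes in the script are a constructed stand-in; in practice you would read the certificate an administrator exported from the server's keystore.

```python
"""Verify the SHA digest printed by retrieveSigners -autoAcceptBootstrapSigner.

Added example, not part of the IBM documentation. The CWPKI0308I message
format is taken from the documentation's sample output; SAMPLE_DER is a
constructed stand-in for the DER encoding of the real server certificate.
"""
import hashlib
import re
from typing import Optional

# Matches the CWPKI0308I message shown in the documentation's example output.
# The tool wraps the message over several lines, so whitespace is flattened first.
_SIGNER_ADDED = re.compile(
    r'CWPKI0308I: Adding signer alias "(?P<alias>[^"]+)" to local keystore '
    r'"(?P<keystore>[^"]+)" with the following SHA digest: '
    r'(?P<digest>(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})'
)


def parse_signer_added(output: str) -> dict:
    """Extract alias, local keystore and SHA digest from retrieveSigners output."""
    flat = " ".join(output.split())
    match = _SIGNER_ADDED.search(flat)
    if match is None:
        raise ValueError("no CWPKI0308I signer-added message found in output")
    return {
        "alias": match.group("alias"),
        "keystore": match.group("keystore"),
        "digest": match.group("digest").upper(),
    }


def sha1_fingerprint(der_bytes: bytes) -> str:
    """SHA-1 fingerprint of a DER-encoded certificate, colon-separated as CWPKI0308I prints it."""
    hexdigest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def digest_matches(printed: str, expected: str) -> bool:
    """Compare two SHA-1 fingerprints, ignoring case, colons and spaces."""
    def normalise(value: str) -> str:
        return re.sub(r"[^0-9A-F]", "", value.upper())
    a, b = normalise(printed), normalise(expected)
    return len(a) == 40 and a == b


def verify_bootstrap_signer(output: str, expected_fingerprint: str,
                            expected_alias: Optional[str] = None) -> bool:
    """True only if the signer the tool added carries the fingerprint obtained out of band.

    If this returns False, the truststore now holds a signer that was never
    verified and the alias should be removed before the client is used.
    """
    info = parse_signer_added(output)
    if expected_alias is not None and info["alias"] != expected_alias:
        return False
    return digest_matches(info["digest"], expected_fingerprint)


# Constructed sample: the message from the documentation's example output.
SAMPLE_OUTPUT = '''CWPKI0308I: Adding signer alias "CN=BIRKT40.austin.ibm.com, O=IBM, C=US" to
local keystore "ClientDefaultTrustStore" with the following SHA
digest: 40:20:CF:BE:B4:B2:9C:F0:96:4D:EE:E5:14:92:9E:37:8D:51:A5:47'''

# Constructed stand-in for the DER bytes of the server certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-certificate-bytes"

if __name__ == "__main__":
    info = parse_signer_added(SAMPLE_OUTPUT)
    print("alias   :", info["alias"])
    print("keystore:", info["keystore"])
    print("digest  :", info["digest"])
    # The stand-in bytes do not hash to the documented digest, so this run
    # shows what a mismatch looks like.
    print("matches :", verify_bootstrap_signer(SAMPLE_OUTPUT, sha1_fingerprint(SAMPLE_DER)))
```

Run it with the captured output of the retrieveSigners command as the first argument and the fingerprint you computed from the exported certificate as the second; passing expected_alias as well guards against a signer being accepted under the wrong alias when the remote truststore holds several.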