Thursday 19 September 2013

A very quick way to get wsadmin to reference a different SSL truststore


There may be occasions when you want to run wsadmin from a single host and connect to multiple remote Cells to gather stats or run-time data. If you do this you'll need to trust the SSL certificates of those other Cells.

All pretty straightforward, but if you're OCD (like me) you won't want to add all of those signer certificates to the CellDefaultTrustStore of the environment where you're running wsadmin... it's far too untidy. Much better to have a custom truststore that you create yourself and add the signers to that. Nice and tidy :)

Of course you'll need to point wsadmin at this new SSL truststore, and here's how to do it:

  • Make a copy of wsadmin.sh (I just copied it to my scripts directory, /opt/bpm/scripts/inventory)
  • Do the same for setupCmdLine.sh
  • Edit the copy of wsadmin.sh to override the CLIENTSSL variable. I advise inserting this just above the line where java gets invoked, as follows ...

# Override: point wsadmin at the custom ssl.client.props instead of the cell default
CLIENTSSL=-Dcom.ibm.SSL.ConfigURL=file:/opt/bpm/scripts/inventory2/props/ssl.client.props

"$JAVA_EXE" \
-Xbootclasspath/p:"$WAS_BOOTCLASSPATH" \
$EXTRA_X_ARGS \
$CONSOLE_ENCODING \
$javaOption \
$WAS_DEBUG \
"$OSGI_INSTALL" "$OSGI_CFG" \
"$CLIENTSAS" \
"$CLIENTSSL" \


The new line is the CLIENTSSL one. It points to your custom ssl.client.props file (which you need to create), which in turn points to your custom SSL truststore.

Here's my ssl.client.props file:

com.ibm.ssl.performURLHostNameVerification=false
com.ibm.ssl.validationEnabled=false
com.ibm.security.useFIPS=false
com.ibm.ssl.defaultCertReqAlias=default
com.ibm.ssl.defaultCertReqSubjectDN=cn=${hostname},o=IBM,c=US
com.ibm.ssl.defaultCertReqDays=365
com.ibm.ssl.defaultCertReqKeySize=1024
com.ibm.jsse2.checkRevocation=false
com.ibm.security.enableCRLDP=false
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=IbmPKIX
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.contextProvider=IBMJSSE2
com.ibm.ssl.enableSignerExchangePrompt=gui
com.ibm.ssl.keyStoreProvider=IBMJCE
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.trustStore=/opt/bpm/scripts/inventory2/certs/myTrust.p12
com.ibm.ssl.trustStorePassword={xor}Not included for security reasons
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=true
com.ibm.ssl.trustStoreReadOnly=false
#-------------------------------------------------------------------------
# Additional stuff for getting thin client to work
#-------------------------------------------------------------------------
ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory



The important line is com.ibm.ssl.trustStore, which points at my SSL truststore containing the signers for all of the environments I need to connect to (I imported these manually using ikeycmd).

Lastly, in setupCmdLine.sh you need to force $WAS_HOME to point at your WAS install dir (it tries to work it out intelligently based on where you're running it from, but because you've made a copy you need to override this) .. and you're done.
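The three steps above (build the private truststore, write an ssl.client.props that points at it, patch the copied wsadmin.sh and setupCmdLine.sh) can be scripted so the same layout is reproduced on every admin host. The script below is an added example and is not part of the original post or of the WebSphere product scripts. It uses the JDK's keytool instead of ikeycmd for the import (an assumption; either tool produces a PKCS12 file the IBM JSSE provider can read), takes all paths, the truststore password and the WAS install directory as parameters, and checks its own patch afterwards. The password is written exactly as passed, so pass a value already encoded with WebSphere's PropFilePasswordEncoder if you do not want it in clear text.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths are parameters;
# the defaults in the demo below mirror the post's /opt/bpm/scripts layout.
set -eu

# 1) Import one signer certificate into a private PKCS12 truststore (created if
#    absent). The post used ikeycmd; keytool is used here instead (assumption).
#    Usage: build_truststore <truststore.p12> <storepass> <alias> <signer.pem>
build_truststore() {
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$1" -storetype PKCS12 -storepass "$2" \
        -alias "$3" -file "$4"
}

# 2) Write an ssl.client.props pointing at that truststore. The three keys in
#    the post that switch off hostname verification, certificate validation and
#    revocation checking are deliberately left out here.
#    Usage: write_ssl_client_props <props-file> <truststore.p12> <storepass>
write_ssl_client_props() {
    cat > "$1" <<EOF
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=IbmPKIX
com.ibm.ssl.keyManager=IbmX509
com.ibm.ssl.contextProvider=IBMJSSE2
com.ibm.ssl.enableSignerExchangePrompt=gui
com.ibm.ssl.trustStore=$2
com.ibm.ssl.trustStorePassword=$3
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStoreProvider=IBMJCE
com.ibm.ssl.trustStoreFileBased=true
com.ibm.ssl.trustStoreReadOnly=false
ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
EOF
}

# 3a) Insert the CLIENTSSL override into the copied wsadmin.sh, directly above
#     the first line that invokes "$JAVA_EXE" (only once, even if re-run on a
#     file that already lacks it).
#     Usage: patch_wsadmin_copy <wsadmin.sh copy> <props-file>
patch_wsadmin_copy() {
    awk -v props="$2" '
        !done && /^"\$JAVA_EXE"/ {
            print "CLIENTSSL=-Dcom.ibm.SSL.ConfigURL=file:" props
            done = 1
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# 3b) Pin WAS_HOME in the copied setupCmdLine.sh: every existing WAS_HOME=
#     assignment is replaced; if there is none, one is appended.
#     Usage: pin_was_home <setupCmdLine.sh copy> <WAS install dir>
pin_was_home() {
    awk -v home="$2" '
        /^[[:space:]]*WAS_HOME=/ { print "WAS_HOME=" home; seen = 1; next }
        { print }
        END { if (!seen) print "WAS_HOME=" home }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Check: returns 0 only if a CLIENTSSL ConfigURL line sits immediately before
# the "$JAVA_EXE" invocation line. Usage: verify_patch <wsadmin.sh copy>
verify_patch() {
    awk '
        prev ~ /^CLIENTSSL=-Dcom\.ibm\.SSL\.ConfigURL=file:/ && /^"\$JAVA_EXE"/ { ok = 1 }
        { prev = $0 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Demo on constructed stand-in copies of the two scripts (run: sh this.sh demo).
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' 'WAS_HOME=/wrong/path' 'export WAS_HOME' > "$d/setupCmdLine.sh"
    printf '%s\n' 'javaOption=""' '"$JAVA_EXE" \' '"$CLIENTSAS" \' '"$CLIENTSSL" \' > "$d/wsadmin.sh"
    write_ssl_client_props "$d/ssl.client.props" "$d/myTrust.p12" '{xor}PLACEHOLDER'
    patch_wsadmin_copy "$d/wsadmin.sh" "$d/ssl.client.props"
    pin_was_home "$d/setupCmdLine.sh" /opt/IBM/WebSphere/AppServer
    verify_patch "$d/wsadmin.sh" && echo "patched copies are in $d"
fi
```

Call build_truststore once per remote Cell, with that Cell's signer certificate exported from its CellDefaultKeyStore, before running wsadmin; the assumed install dir /opt/IBM/WebSphere/AppServer in the demo is only a placeholder for your own WAS_HOME.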


2 comments:

  1. Looking for cheap SSL? Go to IDwebhost.com. Only here can you find the best package for your web hosting.

  2. Really excellent article with your efforts, and really pleased to visit this site. It is the way to the best career options.
    Websphere Training In Hyderabad