You must follow the steps in this topic if you want to use the web services
wizard to retrieve an HTTPS WSDL or if you want to use the Web Services
Explorer against a secured WebSphere® Application Server. If you encounter
an error similar to Error opening socket: javax.net.ssl.SSLHandshakeException:
unknown certificate, this task will resolve the issue. The error occurs
because WebSphere Application Server uses a security certificate for
negotiating secured connections that other JRE-based applications do not
normally share.
About this task
To configure your JRE to accept the WebSphere Application Server certificate:
Procedure
- Launch the ikeyman tool from your Eclipse JRE. It is found at the
following path within your WebSphere Application Server install directory:
install_dir\java\jre\bin\ikeyman.exe.
The default install locations for the servers are:
- WebSphere Application Server v6.x: Rational_install_dir\runtimes\base_v6x
- WebSphere Application Server v7.0: Rational_install_dir\runtimes\base_v7
- Click the Open a key database file icon.
- In the window that opens, click Browse and
locate the DummyClientTrustFile.jks in your WebSphere Application Server profile. The
default location may be similar to install_dir\profiles\profile_name\etc\DummyClientTrustFile.jks.
Click OK when you have found the file.
- You will be prompted for a password. Enter WebAS.
- Select Signer Certificates from
the drop-down list, and then select default_signer and
click Extract.
- Note the location and name of the certificate because it
will be required in later steps. Click OK to
save the file.
- Click the Open a key database file icon
again, and browse to the Eclipse JRE cacerts. This file is located
here: install_dir\java\jre\lib\security\cacerts.
- When prompted for a password, enter changeit.
- Click Add, and browse to the file
that you saved earlier. You may have to set the file types field to
All Files. Click OK when the correct file has
been selected in the Open window.
- Enter a label for the certificate.
Results
The JRE can now accept the server certificate automatically.
Note that the certificate might restrict connections to the host name
stated on the certificate (this would be the host name including domain).
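
A check for the result of this procedure, added here as an example (not IBM's code): the Python below parses a JKS-format keystore and returns the SHA-256 fingerprint of each signer certificate, so the entry added under your label in cacerts can be compared with default_signer in DummyClientTrustFile.jks. It assumes both files are in JKS format; the function names and the sample keystore builder are constructed for illustration.

```python
import hashlib
import struct

MAGIC = 0xFEEDFEED  # JKS file magic

def _digest(password, body):  # JKS integrity hash (not encryption)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def _read(buf, pos, fmt):  # length-prefixed field: ">H" strings, ">I" blobs
    (n,) = struct.unpack_from(fmt, buf, pos)
    start = pos + struct.calcsize(fmt)
    return buf[start:start + n], start + n

def _cert(buf, pos, version):
    if version == 2:
        _, pos = _read(buf, pos, ">H")  # certificate type, e.g. "X.509"
    return _read(buf, pos, ">I")

def jks_signers(data, password):
    """Return {alias: SHA-256 hex of DER cert} for trusted-certificate entries."""
    body = data[:-20]
    if _digest(password, body) != data[-20:]:
        raise ValueError("wrong password or modified keystore")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    pos, signers = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        alias, pos = _read(body, pos + 4, ">H")
        pos += 8  # skip creation timestamp
        if tag == 2:  # trusted certificate entry, as created by Add
            der, pos = _cert(body, pos, version)
            signers[alias.decode("utf-8")] = hashlib.sha256(der).hexdigest()
        elif tag == 1:  # private key entry: skip protected key, then chain
            _, pos = _read(body, pos, ">I")
            (chain,) = struct.unpack_from(">I", body, pos)
            pos += 4
            for _ in range(chain):
                _, pos = _cert(body, pos, version)
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return signers

def sample_jks(password, alias, der):
    """Constructed one-entry keystore for the demo; der is placeholder bytes."""
    a, t = alias.encode(), b"X.509"
    body = struct.pack(">IIIIH", MAGIC, 2, 1, 2, len(a)) + a
    body += struct.pack(">QH", 0, len(t)) + t + struct.pack(">I", len(der)) + der
    return body + _digest(password, body)
```

Run jks_signers over the bytes of each keystore with its password and compare the fingerprint under your label with the one under default_signer. The keystore password only authenticates the file contents; signer certificates are stored unencrypted.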