With earlier versions of WebSphere Application Server, such as 6.1 and 188.8.131.52 - 184.108.40.206, the retrieve from port feature retrieved the signer to the leaf certificate if there was a chain of certificates. In WebSphere Application Server versions 220.127.116.11 (and later fixpacks of version 7) and version 8.0 and later, retrieve from port obtains the signer of the root.
If you are on one of the newer versions, where retrieve from port obtains the signer to the root, but you require retrieve from port to obtain the signer to the leaf certificate, you need APAR PM78686. Once you have APAR PM78686, you can set the custom property com.ibm.websphere.ssl.retrieveLeafCert to true.
PM78686: RETRIEVE FROM PORT SHOULD RETRIEVE LEAF CERTIFICATE INSTEAD OF THE ROOT CERTIFICATE.
The following fixpacks (and later) have APAR PM78686:
Set the custom property like this on the administrative console:
Security > Global Security > Custom properties.
Enter com.ibm.websphere.ssl.retrieveLeafCert for the name and true for the value.
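The same setting can be applied from wsadmin and then checked by running retrieve from port and listing what was stored. This is an added example, not part of the original technote; the host, port, key store name and alias are placeholders, and it assumes a scripting session with rights to change security settings.

```jython
# Run with: wsadmin -lang jython -f set_retrieve_leaf.py
# Placeholders (not from the technote): host, port, key store name, alias.
HOST = "server.example.com"
PORT = "443"
TRUST_STORE = "exampleTrustStore"
ALIAS = "server_example_signer"

# Same setting as Security > Global Security > Custom properties.
AdminTask.setAdminActiveSecuritySettings(
    '-customProperties ["com.ibm.websphere.ssl.retrieveLeafCert=true"]')
AdminConfig.save()

# Assumption: the property is already in effect at this point. If the
# root is still returned, restart the server and rerun from here.
AdminTask.retrieveSignerFromPort(
    '[-host %s -port %s -keyStoreName %s -certificateAlias %s]'
    % (HOST, PORT, TRUST_STORE, ALIAS))
AdminConfig.save()

# List the signers so the subject and issuer of the new entry can be
# compared: a leaf has a subject that differs from its issuer, while a
# self-signed root has the same value in both fields.
print AdminTask.listSignerCertificates('[-keyStoreName %s]' % TRUST_STORE)
```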
For example, this is documented in the 8.5 infocenter:
The APAR that implemented obtaining the signer to the root was:
PM37795: RETRIEVESIGNERSFROMPORT SHOULD RETRIEVE THE ROOT OF THE
15 June 2018