Using your SSL certificate on Glassfish 3
June 4, 2011
This was kind of problematic for me and my colleagues, so after I managed to set up our SSL certificate, I decided to share the story.
Before doing anything, back up the files under $GLASSFISH_HOME/domains/yourdomain/config.
Steps are:
- Generating a private key
- Creating a Certification Signing Request (CSR)
- Sending the CSR to a certificate authority
- Importing your signed certificate
- Setting necessary Glassfish configuration
cd ~
mkdir ssl-stuff
cd ssl-stuff
keytool -keysize 2048 -genkey -alias yourdomain.com -keyalg RSA -dname "CN=www.yourdomain.com,O=Your Organization,L=Your City,S=Your State,C=Your Country Code like US, CH or TR" -keystore keystore.jks -keypass changeit -storepass changeit
Now our private key is stored in the keystore.jks file. I used ‘changeit’ as both the key password and the keystore password for now.
keytool -certreq -alias yourdomain.com -keystore keystore.jks -storepass changeit -keypass changeit -file server.csr
This results in a certificate signing request, server.csr. Now we have two files: keystore.jks and server.csr.
The next step is uploading the server.csr file to one of the certificate authorities (I used GoDaddy and I was pretty happy with their service) and receiving the signed certificate. Certificate authorities look at the “whois” record of your domain, and if they find a technical contact email address, they send the signed certificate to that address. If there is no email address (as with one of the domains I set SSL up for), they give you a code (like abcd123) and require you to either add a subdomain with that code or add an HTML page named after the code (with its content also set to the code).
From the certificate authority, you should generally receive two files:
- Your signed certificate: generally named “yourdomain.com.crt”
- The root certificate of the CA that signed yours (you might receive more than one, since in some cases the certificate authority also sends the intermediate certificates): GoDaddy names it “gd_bundle.crt”
keytool -importkeystore -srckeystore ~/ssl-stuff/keystore.jks -destkeystore $GLASSFISH_HOME/domains/yourdomain/config/keystore.jks
cd $GLASSFISH_HOME/domains/yourdomain/config
keytool -import -v -trustcacerts -alias root -file gd_bundle.crt -keystore keystore.jks -keypass changeit -storepass changeit
keytool -import -v -trustcacerts -alias yourdomain.com -file yourdomain.com.crt -keystore keystore.jks -keypass changeit -storepass changeit
keytool -list -keystore keystore.jks
Keystore-Typ: JKS
Keystore-Provider: SUN
....
root, 03.06.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
yourdomain.com, 03.06.2011, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
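Before restarting GlassFish it is worth checking the listing above for the three things that go wrong most often in this procedure: the domain alias is not a PrivateKeyEntry (so the “certificate nickname” points at nothing usable), no trusted CA entry was imported, or the signed certificate was imported before the bundle and ended up with a chain of length 1. The following script is an added example, not code from the original post; it parses the non-verbose `keytool -list` output shown above (the labels may be localized, the entry types are not) and the English `Alias name:` / `Certificate chain length:` lines that `keytool -list -v` prints (assumed format), using constructed sample listings. The alias `yourdomain.com` and the check messages are this example's own.

```python
"""Sanity checks on keytool listings before pointing GlassFish at a keystore.

Added example (not part of the original post). Input is the text printed by
`keytool -list` and, optionally, by `keytool -list -v`; nothing here invokes
keytool itself, so the script can be run on saved output.
"""
import re

# "alias, date, entryType, ..." as printed by `keytool -list`; the entry type
# token (PrivateKeyEntry / trustedCertEntry) is the same in every locale.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),\s*(?P<date>[^,]+),\s*(?P<type>[A-Za-z]+Entry)\b")
# English `keytool -list -v` labels (assumed; other locales would need their own patterns)
ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$")
CHAIN_RE = re.compile(r"^Certificate chain length:\s*(\d+)$")


def parse_listing(text):
    """Map alias -> entry type from non-verbose `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip()] = m.group("type")
    return entries


def parse_chain_lengths(verbose_text):
    """Map alias -> certificate chain length from `keytool -list -v` output."""
    lengths = {}
    alias = None
    for line in verbose_text.splitlines():
        line = line.strip()
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1).strip()
            continue
        m = CHAIN_RE.match(line)
        if m and alias is not None:
            lengths[alias] = int(m.group(1))
    return lengths


def check_keystore(listing, alias, verbose_listing=None):
    """Return a list of problems; an empty list means the keystore looks usable."""
    problems = []
    entries = parse_listing(listing)
    if entries.get(alias, "").lower() != "privatekeyentry":
        problems.append(
            f"alias {alias!r} is missing or is not a PrivateKeyEntry "
            f"(found {entries.get(alias) or 'nothing'}); the certificate nickname "
            "in domain.xml must name the private key entry")
    if not any(t.lower() == "trustedcertentry" for t in entries.values()):
        problems.append("no trustedCertEntry present: import the CA bundle "
                        "before the signed certificate")
    if verbose_listing is not None:
        length = parse_chain_lengths(verbose_listing).get(alias)
        if length is not None and length < 2:
            problems.append(
                f"certificate chain length for {alias!r} is {length}: the "
                "intermediate/root certificates were not attached; import the "
                "bundle first, then re-import the signed certificate")
    return problems


# Constructed sample: the listing from the post (German labels, fingerprints masked)
SAMPLE_LISTING = """\
Keystore-Typ: JKS
Keystore-Provider: SUN
root, 03.06.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
yourdomain.com, 03.06.2011, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
"""

# Constructed sample of the failure a commenter describes: chain length 1 instead of 3
BAD_VERBOSE = """\
Alias name: yourdomain.com
Creation date: Jun 3, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.yourdomain.com, O=Your Organization
"""

if __name__ == "__main__":
    for label, args in (("good", (SAMPLE_LISTING, "yourdomain.com")),
                        ("wrong alias", (SAMPLE_LISTING, "s1as")),
                        ("short chain", (SAMPLE_LISTING, "yourdomain.com", BAD_VERBOSE))):
        print(label, "->", check_keystore(*args) or "OK")
```

Feed it the saved output of `keytool -list` (and `keytool -list -v` for the chain check) for the keystore GlassFish actually reads, under $GLASSFISH_HOME/domains/yourdomain/config, not the one in ~/ssl-stuff.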
Final step of the whole process is using our domain alias as the “certificate nickname” on GlassFish:

I configured SSL. When I try to connect to the SSL-enabled port, I see the following in the server.log file:
[#|2012-05-07T08:40:17.453-0400|WARNING|glassfish3.0.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=24;_ThreadName=Thread-1;|SSL support could not be configured!
java.io.IOException: Keystore was tampered with, or password was incorrect
I presume this means that my master and key store passwords are different. What do I do to rectify this?
That happened to me too once. I believe Glassfish doesn’t support it.
I couldn’t find it in Glassfish documentation that time. I had to change my keystore’s password to my master password.
However, you could try passing “-Djavax.net.ssl.keyStorePassword” property to your Glassfish instance. Haven’t tried though.
How do I change the keystore’s password to match the master? What is the master password – is this the Admin console password? Glassfish is 3.0.1.
Yes, it is admin console password.
This should change the keystore password :
keytool -storepasswd -new new_storepass -keystore keystore.jks
When I built the keystore I DID use the Admin console password. I have seen some information that the glassfish password is changeit. Does my keystore have to be “changeit”?
I changed the master password to match my keystore password and now it works.
Thanks for the info.
Excellent description. Simply works. Thanks a ton !
Quick addition (for GF 3.1) is:
1. In the domain.xml file: set -> allow-lazy-init="false"
(This avoids exceptions at startup. )
2. I deleted the “s1as” alias and key from the keystore completely:
keytool -delete -alias s1as -keystore keystore.jks
and replaced all references to it in the domain.xml with the alias “yourdomain.com”, because the admin console does not update all the aliases, and exceptions continue to be thrown.
I keep getting a “Connection was reset” when trying to access it in the browser.
I had some problems, in that the certificate chain length was 1 instead of 3…
This post solved my problem:
http://i-cat.blogspot.ch/2009/02/glassfish-and-intermediate-ssl.html