admin@glassfish.java.net

Hard to use enterprise profile, and Glassfish and SJAS91u2 differ in this regard

From: Wade Chandler <hwadechandler-javanet_at_yahoo.com>
Date: Mon, 26 May 2008 15:17:07 -0700 (PDT)

Hey all,

I recently did a job where I set a company up to run SJAS91u2 using the enterprise profile as a
standalone server with SSL. The experience was much harder than it needed to be, and luckily I
was running Linux which helped me to actually be able to solve this sooner for their Windows
installation.

First, I couldn't get the Glassfish version of an enterprise profile running period as there was
no certutil nor pk12util. SJAS91u2 was easier to get going, but not as easy as one would think. I
had to first figure out what to do about NSS and NSPR4, and luckily I have Firefox and
Thunderbird installed on my Linux installation (openSuSE10.3) which both use this library which
meant I just needed to figure out more about the NSPR project using RPM and the .rpm
descriptions. This led me to the idea to install Firefox and use that on Windows, but then on
Windows the GF/SJAS91 libraries look for the wrong format library names on Windows, and expect
libraries to be prepended with lib, thus look for libnspr4.dll instead of nspr4.dll which is the
normal naming convention for Windows.

Second, looking through the documentation there seemed to be no good explanation of how to do any
of this, and NSS seems to not be explained anywhere. I didn't even see where certutil and
pk12util were discussed nor their options documented in the AS documentation except by using
their help functions.

Anyways, attached is a document with what I had to do to get this going. Again, Linux was easier
just because the binaries were readily available, and of course there is the issue with the bug
in the Windows asadmin.bat script where the correct paths are not setup. This writeup should help
to make enterprise profiles easier to use, but it would seem that on Windows the NSPR4 libraries
need to be included with the installation at a minimum, and it would be good if they were somehow
easier to setup through the command line options at install...maybe it asked for this folder
or where the libraries are located, or maybe the default domain has a place to set this up
visually and explains what it is used for in the administration web application.

See attached...thanks,

Wade


==================
Wade Chandler, CCE
Software Engineer and Developer, Certified Forensic Computer Examiner, NetBeans Dream Team Member, and NetBeans Board Member
http://www.certified-computer-examiner.com
http://wiki.netbeans.org/wiki/view/NetBeansDreamTeam
http://www.netbeans.org

Sun Application Server 9.1 Update 2 - Enterprise Profile, SSL, and NSPR4 Configuration Writeup
Configuring Sun Application Server 9.1 with an Enterprise Profile and SSL as a standalone server using an already existing .pfx file

There are some issues which need to be fixed before proceeding:

On Windows and Linux:
The Netscape Portable Runtime is needed.

On most Linux distributions this is installed as a required dependency of a Firefox installation and will reside in /usr/lib, /usr/share/lib, or some other common lib folder; it is actually a separately installed library (.rpm or other installation package type).

On Windows the task is a little harder because there is no standalone binary distribution of the NS portable runtime, so a 3rd-party application built on top of the portable runtime is needed to get the libraries.

The easiest way is to get Firefox, install it, make a folder named nss under the ${asinstall} folder/directory, and then go into the Firefox installation directory and copy everything into this nss folder. You'll need it all because it is hard to weed out all the little dependencies.

Then, on Windows, there is one more issue to address. The AS will expect the library names to literally contain a "lib" prefix, so one must rename:
nspr4.dll
plc4.dll
plds4.dll

to

libnspr4.dll
libplc4.dll
libplds4.dll

and then NSS will be configured for Windows.

On Windows and Linux:
There is a variable which needs to be set in the configuration file ${asinstall}\config\asenv.bat. Locate in this file the variable AS_NSS, and set it to the path to the folder containing the NSPR libraries. On Linux this will probably be /usr/lib, but it can depend on the distribution used. On Windows this will be the ${asinstall}\nss folder created in the above section.

There is another variable, AS_NSS_BIN, but this should be left as is. The scripts which come with the AS reside in the directory it points to by default, so it does not need to be changed.

On Windows Only

The AS scripts are not 100% correct for enterprise profiles/deployments which require NSS certificate databases. The file ${asinstall}\bin\asadmin.bat will need to be modified.

First, locate where the path variable is being "reset". AS_NSS and AS_NSS_BIN will need to be prepended. For instance, if the variable were being set like:
set PATH=%PATH%

then you'll need:
set PATH=%AS_NSS%;%AS_NSS_BIN%;%PATH%

This makes sure the PATH is updated so that any tools and libraries run by the AS can find the NSS commands, scripts, and NSPR libraries they need.

Second, locate where %AS_JAVA%\bin\java is being called in the file. Notice that a Java property java.library.path is being set using:
-Djava.library.path=...

where ... are some values and paths to directories. AS_NSS, AS_NSS_BIN, and AS_INSTALL will need to be added to the java.library.path, and these should be prepended again using the same notation such as:
-Djava.library.path=%AS_NSS%;%AS_NSS_BIN%;%AS_INSTALL%;...

where ... is the rest of what was already being added to the java.library.path property.

Once all of the above steps are out of the way, you should be ready to:
1) Create the domain using the enterprise profile
2) Import the .pfx file into the NSS certificate database

Remember that on Linux, unless a program is on the path, it must be called using ./appname even when you are in the same directory as the application you would like to run.

Open a command prompt and go to the ${asinstall}\bin folder:

1) Create the domain using (note some values may be whatever you want):
asadmin create-domain --user admin --adminport 7070 --instanceport 7071 --profile enterprise --domainproperties http.ssl.port=7171 production-domain

You'll be asked to provide the administrator's password and a master password. You can accept the default for the master password so you will not have to enter it constantly. Otherwise, you'll have to enter both it and the admin password for certain operations instead of just one password, and that can get very hard to manage.

Once this process finishes you should:
asadmin start-domain production-domain
to be sure it will run correctly.

2) Import your SSL certificate (.pfx file) and configure it to be used

Export some certificate to a .pfx file using whichever method you need to use. This can be done in IIS or on the command line using openssl, but will depend on the certificate and key stores used by the specific applications involved.

On the command prompt go to ${asinstall}\lib or the AS_NSS_BIN folder.

Assuming a .pfx file, which should have the SSL certificate signed and ready to go, exists, run:
pk12util -i ${pathto.pfx} -d ${pathto.cert.db.directory}
or, based on the command above where we created the domain:
pk12util -i ${pathto.pfx} -d ${asinstall}\domains\production-domain\config

Then run:
certutil -L -d ${pathto.cert.db.directory}
or, based on the command above where we created the domain:
certutil -L -d ${asinstall}\domains\production-domain\config
And then try to figure out the alias/key which matches your certificate. Often this will be a domain. Once you have the key, edit the file:
${asinstall}\domains\production-domain\config\domain.xml
locating all the <ssl> subelements and changing their alias to your key/alias. The easiest way to locate them is to search for "<ssl" in a text editor; a good text editor with a replace function can make this faster and less error prone.

Once this file is edited, as we have already started the domain, cd to the ${asinstall}\bin folder/directory then run:
asadmin stop-domain production-domain
asadmin start-domain production-domain

The domain should start and should be accessible on the defined ports.
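As an added example (not part of the original writeup), the following POSIX shell functions automate the last two steps above on Linux: they parse the nickname list printed by certutil -L, refuse to continue if the nickname you intend to use is not actually in the NSS database, and then rewrite every <ssl> element in domain.xml. It assumes the alias attribute is named cert-nickname, as in the GlassFish v2 / SJAS 9.1 domain.xml schema (the writeup just calls it the alias), and that certutil is on the PATH as set up in the asenv section.

```shell
#!/bin/sh
# Added example, not from the original writeup.
# Assumption: the <ssl> alias attribute in domain.xml is cert-nickname
# (GlassFish v2 / SJAS 9.1 schema).

# Read `certutil -L -d <dbdir>` output on stdin and print one nickname per
# line. certutil prints a two-line header, a blank line, then
# "<nickname>   <trust attributes>"; nicknames may contain spaces, so only
# the last field (the trust attributes) is dropped.
parse_nicknames() {
    awk 'NR > 2 && NF >= 2 { $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# Replace the cert-nickname value inside every <ssl .../> element of the
# given domain.xml. A .bak copy is written first; the replacement is done
# with plain sed so it works on any POSIX system. Characters that are
# special to the sed replacement (& | \) are escaped in the nickname.
set_ssl_nickname() {
    xml="$1"; nick="$2"
    esc=$(printf '%s' "$nick" | sed 's/[&|\\]/\\&/g')
    cp "$xml" "$xml.bak" || return 1
    sed 's|\(<ssl[^>]*cert-nickname="\)[^"]*"|\1'"$esc"'"|g' "$xml.bak" > "$xml"
}

# Check that the nickname exists in the NSS database before touching
# domain.xml, so a typo cannot leave the domain pointing at a missing cert.
configure_ssl_alias() {
    dbdir="$1"; xml="$2"; nick="$3"
    if ! certutil -L -d "$dbdir" | parse_nicknames | grep -qxF -- "$nick"; then
        echo "nickname '$nick' not found in NSS db $dbdir" >&2
        return 1
    fi
    set_ssl_nickname "$xml" "$nick"
}

# Typical use, following the domain created earlier in the writeup:
#   configure_ssl_alias "$AS_INSTALL/domains/production-domain/config" \
#       "$AS_INSTALL/domains/production-domain/config/domain.xml" \
#       www.example.com
# then stop-domain / start-domain as described above.
```

Run it with `sh -x` the first time to see the sed expression and the nicknames certutil reported.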