users@glassfish.java.net

Re: Proper SSL Implementation

From: <glassfish_at_javadesktop.org>
Date: Thu, 25 Oct 2007 09:07:47 PDT

Naturally, it didn't work, but I appreciate your help, anyhow.

Here are the steps I performed in detail, per your instructions:

1. Import the existing keystore into Glassfish:

[code]
C:\>keytool -importkeystore -srckeystore myks.keystore -srcstorepass mypassword -destkeystore "C:\glassfish\domains\domain1\config\keystore.jks" -deststorepass changeit
Entry for alias root2 successfully imported.
Entry for alias root successfully imported.
Entry for alias myalias successfully imported.
Import command completed: 3 entries successfully imported, 0 entries failed or cancelled
[/code]

2. Check to see if it's there (which it is...):

[code]
C:\>keytool -list -keystore "C:\glassfish\domains\domain1\config\keystore.jks"
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

root2, Oct 25, 2007, trustedCertEntry,
Certificate fingerprint (MD5): BC:0A:51:FA:C0:F4:7F:DC:62:1C:D8:E1:15:43:4E:CC
root, Oct 25, 2007, trustedCertEntry,
Certificate fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
myalias, Oct 25, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
s1as, Oct 3, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 9B:4A:54:C0:C0:3B:71:8A:3B:03:49:98:6C:A7:EA:CE
[/code]

3. Log into Glassfish admin, select http-listener-2, then the "SSL" tab.

4. Enter "myalias" into the key name box, hit Save (was successful).

5. Restart Glassfish.

During the restart, it "crashes" after about 3 seconds while starting up. The log contains the following exception stack:

[code]
[#|2007-10-25T09:10:32.586-0600|WARNING|sun-appserver9.1|javax.enterprise.system.stream.err|_ThreadID=10;_ThreadName=main;_RequestID=72852e8f-20e4-4bbc-b631-8e834338540b;|java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.sun.enterprise.server.PELaunch.main(PELaunch.java:412)
Caused by: java.lang.ExceptionInInitializerError
        at com.sun.enterprise.security.SecurityLifecycle.onInitialization(SecurityLifecycle.java:101)
        at com.sun.enterprise.server.ApplicationServer.onInitialization(ApplicationServer.java:262)
        at com.sun.enterprise.server.ondemand.OnDemandServer.onInitialization(OnDemandServer.java:101)
        at com.sun.enterprise.server.PEMain.run(PEMain.java:401)
        at com.sun.enterprise.server.PEMain.main(PEMain.java:338)
        ... 5 more
Caused by: java.lang.IllegalStateException: java.security.UnrecoverableKeyException: Cannot recover key
        at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)
        ... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
        at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
        at java.security.KeyStore.getKey(KeyStore.java:763)
        at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
        at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
        at com.sun.enterprise.security.SSLUtils.initKeyManagers(SSLUtils.java:320)
        at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:106)
        ... 10 more
|#]
[/code]

Now, I'm positive this is a valid, working keystore - I copied it directly from production where it works, in JBoss 4.0.5!

To make matters worse, I now can't boot the app server at all. I've tried replacing "myalias" with "s1as" or just a blank value in the "http-listener-2" configuration in domain.xml - but the server now refuses to start, throwing the same stack trace I listed above.

I won't go through the trouble (and $100 charge) of re-issuing the SSL cert and doing this from scratch because I'm not confident that it would work...and it would leave us without a working certificate.

Any ideas? Are there any files I might be forgetting? What about the .cer file that Verisign generated from the CSR? Did I need to place that anywhere? Do I need to place the myks.keystore file anywhere?

Thanks again...
[Message sent by forum member 'zambizzi' (zambizzi)]

http://forums.java.net/jive/thread.jspa?messageID=242162
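Added example, not part of the thread above: a POSIX shell script that rebuilds the situation the post describes with keytool, so the check and the fix can be tried on a throwaway copy before touching a real keystore.jks. The stack trace ends in SunX509KeyManagerImpl.<init> calling KeyStore.getKey, i.e. the server's key manager opens every PrivateKeyEntry in the keystore with the keystore password at startup, which is why switching the listener back to s1as or to a blank alias did not help. keytool -importkeystore without -destkeypass keeps the source entry's own key password on the imported entry, so an entry still protected with "mypassword" inside a store whose password is "changeit" is the likely mismatch. The alias and password values are the ones in the post; the subject names, validity periods and temp-directory layout are made up for the example, and the alias parsing assumes English keytool output.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce, detect and fix a JKS entry
# whose key password differs from the store password, the mismatch behind
# "UnrecoverableKeyException: Cannot recover key" when a server opens every
# PrivateKeyEntry with the store password. Needs keytool from a JDK on PATH.
set -eu

# Build two keystores in $1 the way the post describes: the server's own
# keystore.jks (store and key password "changeit", alias s1as) and a source
# keystore myks.keystore (store and key password "mypassword", alias myalias),
# then merge them with -importkeystore and *no* -destkeypass, which keeps the
# source key password ("mypassword") on the imported entry. Subject names
# are made up.
build_mismatched_keystores() {
  ksdir=$1
  LC_ALL=C keytool -genkeypair -alias s1as -keyalg RSA -keysize 2048 \
    -validity 30 -dname "CN=localhost" -storetype JKS \
    -keystore "$ksdir/keystore.jks" -storepass changeit -keypass changeit \
    </dev/null >/dev/null 2>&1
  LC_ALL=C keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 \
    -validity 30 -dname "CN=www.example.test" -storetype JKS \
    -keystore "$ksdir/myks.keystore" -storepass mypassword -keypass mypassword \
    </dev/null >/dev/null 2>&1
  LC_ALL=C keytool -importkeystore -noprompt \
    -srckeystore "$ksdir/myks.keystore" -srcstoretype JKS -srcstorepass mypassword \
    -destkeystore "$ksdir/keystore.jks" -deststoretype JKS -deststorepass changeit \
    </dev/null >/dev/null 2>&1
}

# Exit 0 if the key under alias $2 in keystore $1 can be recovered with the
# store password $3, which is what the server's key manager tries at startup.
# -keypasswd has to recover the key with -keypass before it can re-wrap it, so
# a no-op change (-new equal to -keypass) fails exactly when the passwords differ.
key_pass_matches_store_pass() {
  LC_ALL=C keytool -keypasswd -keystore "$1" -alias "$2" -storepass "$3" \
    -keypass "$3" -new "$3" </dev/null >/dev/null 2>&1
}

# Print every PrivateKeyEntry in keystore $1 that cannot be opened with store
# password $2. Relies on the English "alias, date, PrivateKeyEntry," list format.
unrecoverable_keys() {
  LC_ALL=C keytool -list -keystore "$1" -storepass "$2" </dev/null 2>/dev/null \
    | awk -F', ' '/PrivateKeyEntry/ { print $1 }' \
    | while read -r alias; do
        key_pass_matches_store_pass "$1" "$alias" "$2" || echo "$alias"
      done
}

# Re-wrap alias $2 in keystore $1 under the store password $3, given its current
# key password $4. This is what -destkeypass on the original import would have
# done; it rewrites the keystore file, so run it on a backup copy first.
fix_key_pass() {
  LC_ALL=C keytool -keypasswd -keystore "$1" -alias "$2" -storepass "$3" \
    -keypass "$4" -new "$3" </dev/null >/dev/null 2>&1
}

# Walk through the scenario when invoked as "sh script.sh demo".
if [ "${1:-}" = "demo" ] && command -v keytool >/dev/null 2>&1; then
  work=$(mktemp -d)
  build_mismatched_keystores "$work"
  echo "entries the server cannot open before the fix: $(unrecoverable_keys "$work/keystore.jks" changeit)"
  fix_key_pass "$work/keystore.jks" myalias changeit mypassword
  echo "entries the server cannot open after the fix:  $(unrecoverable_keys "$work/keystore.jks" changeit)"
  rm -rf "$work"
fi
```

The same keytool invocations work unchanged from a Windows command prompt (only the shell wrapper is POSIX). Against a real GlassFish domain, run unrecoverable_keys on a copy of domains/domain1/config/keystore.jks with the domain's master password; every alias it prints is one the server will choke on, whether or not a listener references it, and fix_key_pass with that entry's original key password is the repair that avoids re-issuing the certificate.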