Hi Martin,
Thanks for your feedback and suggestions. To answer your questions, my settings are the same as you indicated below.
I am not using the "s1as" self-signed certificate for my SSL, and it dawned on me this morning that maybe the signing key password wasn't being changed with the change-master-password command. Changing the signing key password for my production certificate to match the new master-password resolved the issue. I googled around a bit, and found a very good article from Sun Glassfish Engineer Kumar Jayanti, that confirms this step. It would be great if Sun incorporated Kumar's blog information into their official documentation. For those interested, here it is...
http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_che.html
Best wishes,
Derek
-----Original Message-----
From: Martin Gainty [mailto:mgainty_at_hotmail.com]
Sent: Tue 6/2/2009 6:57 PM
To: Derek Sceats
Subject: RE: Glassfish v2.1 change-master-password Issue -- on Windows 2003 Server
hey derek
can you confirm the location of your keystore.jks take a look in
$GLASSFISH_HOME/domains/domain1/config/domain.xml
<jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
startup script for asant.bat and asadmin.bat looks like
-Dcom.sun.aas.instanceRoot=%AS_INSTALL%
my AS_INSTALL environment variable is set to
/GlassFish/Sun/AppServer
I have the same problem with that connector as
$GLASSFISH/Sun/AppServer/config
10/03/2008 10:16 AM <DIR> .
10/03/2008 10:16 AM <DIR> ..
02/16/2009 09:11 PM 283 asadminenv.conf
02/16/2009 05:13 PM 1,265 asenv.bat
here is my location of keystore.jks
Directory of $GF_HOME/Sun/AppServer/domains/domain1/config
10/03/2008 10:16 AM 29,878 cacerts.jks
10/03/2008 10:16 AM 1,435 keystore.jks
so copying the 2 keystore files over to $GLASSFISH/Sun/AppServer/config
solves the problem
does this help?
Martin Gainty
______________________________________________
Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité
Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni.
> Date: Tue, 2 Jun 2009 16:37:58 -0700
> From: dsceats_at_silasg.com
> To: users_at_glassfish.dev.java.net
> Subject: Glassfish v2.1 change-master-password Issue -- on Windows 2003 Server
>
> Glassfish v2.1 change-master-password Issue -- on Windows 2003 Server
>
>
> Hi All,
>
> I have been doing some work on Password Management the last couple of days and have run into an issue with the Glassfish master password. It seems that if this password is changed from its default value of changeit, Glassfish is no longer accessible. Changing it back to changeit resolves the issue. Is this a known issue/bug, or am I missing something?
>
> I am using Glassfish v2.1 on Windows 2003 Server.
>
> Here is what I am doing...
>
> open command window
> change directory into \glassfish\lib
> type asadmin
>
> ... Here is sanitized output from my Command Window...
>
> Microsoft Windows [Version 5.2.3790]
> (C) Copyright 1985-2003 Microsoft Corp.
>
> C:\Documents and Settings\user>cd c:\AppServer\glassfish\lib
> C:\AppServer\glassfish\lib>asadmin
> Use "exit" to exit and "help" for online help.
>
> ... Start domain with existing default master-password...
>
> asadmin> start-domain domain1
> Starting Domain domain1, please wait.
> Default Log location is C:\AppServer\glassfish\domains\domain1\logs\server.log.
> Redirecting output to C:/AppServer/glassfish/domains/domain1/logs/server.log
> Domain domain1 is ready to receive client requests. Additional services are being started in background.
> Domain [domain1] is running [Sun GlassFish Enterprise Server v2.1 (9.1.1) (build b60e-fcs)] with its configuration and logs at: [C:\AppServer\glassfish\domains].
> Admin Console is available at [https://localhost:4848].
> Use the same port [4848] for "asadmin" commands.
> User web applications are available at these URLs:
> [http://localhost:8080 https://localhost:8181 ].
> Following web-contexts are available:
> [/web1 /__wstx-services access dumpheaders ].
> Standard JMX Clients (like JConsole) can connect to JMXServiceURL:
> [service:jmx:rmi:///jndi/rmi://myserver:8686/jmxrmi] for domain management purposes.
> Domain listens on at least following ports for connections:
> [8080 8181 4848 3700 3820 3920 8686 ].
> Domain does not support application server clusters and other standalone instances.
>
> ... Things look good. Log into Glassfish Admin Console on port 4848 to validate AppServer is running properly -- all is well...
>
> asadmin> change-master-password
> Please enter the new master password>
> Please enter the new master password again>
> Could not change password for domain domain1. Domain is running.
> CLI137 Command change-master-password failed.
>
> ... Oops, didn't stop the domain before trying to change the password, so stop the domain...
>
> asadmin> stop-domain domain1
> Domain domain1 stopped.
>
> ... Now change the master password...
>
> asadmin> change-master-password
> Please enter the new master password> -- entered my new password
> Please enter the new master password again> -- entered my new password
> Master password changed for domain domain1
>
> ... Looks like all went well, so start Glassfish and try to access the Admin Console...
>
> asadmin> start-domain domain1
> Starting Domain domain1, please wait.
> Default Log location is C:\AppServer\glassfish\domains\domain1\logs\server.log.
> Please enter the master password> -- entered my new password
> Redirecting output to C:/AppServer/glassfish/domains/domain1/logs/server.log
> Domain domain1 failed to startup. Please check the server log for more details.
> CLI156 Could not start the domain domain1.
>
> ... Hmmm, changed master-password and now Glassfish doesn't start up...
>
> asadmin> change-master-password
> Please enter the master password>
> Password entered is invalid
> CLI137 Command change-master-password failed.
>
> ... Oops, I entered "changeit" by accident. Let's try that again...
>
> asadmin> change-master-password
> Please enter the master password> -- entered my new password
> Please enter the new master password> -- entered "changeit"
> Please enter the new master password again> -- entered "changeit"
> Master password changed for domain domain1
>
> ... Looks like all went well, so start Glassfish and try to access the Admin Console...
>
> asadmin> start-domain domain1
> Starting Domain domain1, please wait.
> Default Log location is C:\AppServer\glassfish\domains\domain1\logs\server.log.
> Please enter the master password> -- entered "changeit"
> Redirecting output to C:/AppServer/glassfish/domains/domain1/logs/server.log
> Domain domain1 is ready to receive client requests. Additional services are being started in background.
>
> ... Looks like Glassfish is starting up correctly...
>
> Domain [domain1] is running [Sun GlassFish Enterprise Server v2.1 (9.1.1) (build b60e-fcs)] with its configuration and logs at: [C:\AppServer\glassfish\domains].
> Admin Console is available at [https://localhost:4848].
> Use the same port [4848] for "asadmin" commands.
> User web applications are available at these URLs:
> [http://localhost:8080 https://localhost:8181 ].
> Following web-contexts are available:
> [/web1 /__wstx-services access dumpheaders ].
> Standard JMX Clients (like JConsole) can connect to JMXServiceURL:
> [service:jmx:rmi:///jndi/rmi://myserver:8686/jmxrmi] for domain management purposes.
> Domain listens on at least following ports for connections:
> [8080 8181 4848 3700 3820 3920 8686 ].
> Domain does not support application server clusters and other standalone instances.
>
> asadmin>
>
> ... Things look good. Log into Glassfish Admin Console on port 4848 to validate AppServer is running properly -- all is well again...
>
>
> *** SERVER.LOG FILE OUTPUT ***
>
> ... So looking at the Glassfish server.log file...
>
>
> ==>> FAILURE LOOKS LIKE THIS...
>
> C:/AppServer/glassfish/lib/jhall.jar;C:\AppServer\glassfish\lib\appserv-launch.jar
> com.sun.enterprise.server.PELaunch
> start
> [#|2009-06-02T14:44:23.886-0700|INFO|sun-appserver2.1|javax.enterprise.system.core|_ThreadID=10;_ThreadName=main;Java HotSpot(TM) Client VM;1.5.0_14;Sun Microsystems Inc.;|CORE5076: Using [Java HotSpot(TM) Client VM, Version 1.5.0_14] from [Sun Microsystems Inc.]|#]
>
> [#|2009-06-02T14:44:23.995-0700|INFO|sun-appserver2.1|javax.enterprise.system.core.security|_ThreadID=11;_ThreadName=pool-1-thread-3;|SEC1002: Security Manager is OFF.|#]
>
> [#|2009-06-02T14:44:24.011-0700|INFO|sun-appserver2.1|javax.enterprise.resource.jms|_ThreadID=12;_ThreadName=pool-1-thread-1;|Using MQ RA for Broker lifecycle control|#]
>
> [#|2009-06-02T14:44:26.949-0700|WARNING|sun-appserver2.1|javax.enterprise.system.stream.err|_ThreadID=10;_ThreadName=main;_RequestID=1a6db3ff-f302-44c2-b352-ae1e1f087c22;|java.lang.reflect.InvocationTargetException
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at com.sun.enterprise.server.PELaunch.main(PELaunch.java:415)
> Caused by: java.lang.ExceptionInInitializerError
> at com.sun.enterprise.security.SecurityLifecycle.onInitialization(SecurityLifecycle.java:101)
> at com.sun.enterprise.server.ApplicationServer.onInitialization(ApplicationServer.java:262)
> at com.sun.enterprise.server.ondemand.OnDemandServer.onInitialization(OnDemandServer.java:103)
> at com.sun.enterprise.server.PEMain.run(PEMain.java:399)
> at com.sun.enterprise.server.PEMain.main(PEMain.java:336)
> ... 5 more
> Caused by: java.lang.IllegalStateException: java.security.UnrecoverableKeyException: Cannot recover key
> at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)
> ... 10 more
> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
> at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
> at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:120)
> at java.security.KeyStore.getKey(KeyStore.java:731)
> at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:111)
> at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:41)
> at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:192)
> at com.sun.enterprise.security.SSLUtils.initKeyManagers(SSLUtils.java:320)
> at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:106)
> ... 10 more
> |#]
>
>
> ==>> WHEREAS SUCCESS LOOKS LIKE THIS...
>
> C:/AppServer/glassfish/lib/jhall.jar;C:\AppServer\glassfish\lib\appserv-launch.jar
> com.sun.enterprise.server.PELaunch
> start
> [#|2009-06-02T14:34:01.450-0700|INFO|sun-appserver2.1|javax.enterprise.system.core|_ThreadID=10;_ThreadName=main;Java HotSpot(TM) Client VM;1.5.0_14;Sun Microsystems Inc.;|CORE5076: Using [Java HotSpot(TM) Client VM, Version 1.5.0_14] from [Sun Microsystems Inc.]|#]
>
> [#|2009-06-02T14:34:01.622-0700|INFO|sun-appserver2.1|javax.enterprise.system.core.security|_ThreadID=11;_ThreadName=pool-1-thread-3;|SEC1002: Security Manager is OFF.|#]
>
> [#|2009-06-02T14:34:01.622-0700|INFO|sun-appserver2.1|javax.enterprise.resource.jms|_ThreadID=12;_ThreadName=pool-1-thread-6;|Using MQ RA for Broker lifecycle control|#]
>
> [#|2009-06-02T14:34:05.012-0700|INFO|sun-appserver2.1|javax.enterprise.system.core.security|_ThreadID=10;_ThreadName=main;com.sun.enterprise.security.provider.PolicyWrapper;|SEC1143: Loading policy provider com.sun.enterprise.security.provider.PolicyWrapper.|#]
>
> [#|2009-06-02T14:34:06.481-0700|INFO|sun-appserver2.1|javax.enterprise.system.container.web|_ThreadID=10;_ThreadName=main;server;|WEB0114: SSO is disabled in virtual server [server]|#]
>
>
> ==>> FAILURE SEEMS TO OCCUR AT THIS POINT...
>
> [#|2009-06-02T14:34:05.012-0700|INFO|sun-appserver2.1|javax.enterprise.system.core.security|_ThreadID=10;_ThreadName=main;com.sun.enterprise.security.provider.PolicyWrapper;|SEC1143: Loading policy provider com.sun.enterprise.security.provider.PolicyWrapper.|#]
>
>
> ... Does anyone have any ideas what is going on here?? Any suggestions welcome. Could the Glassfish team confirm that this isn't a bug?? Thanks!
>
> Derek
>
_________________________________________________________________
Hotmail® has ever-growing storage! Don't worry about storage limits.
http://windowslive.com/Tutorial/Hotmail/Storage?ocid=TXT_TAGLM_WL_HM_Tutorial_Storage_062009