users@glassfish.java.net

Re: how does --secure works in asadmin utility?

From: <glassfish_at_javadesktop.org>
Date: Thu, 15 Oct 2009 09:08:02 PDT

It is very simple ;).
All it does is try to create an https connection (using the Java class HttpsURLConnection) to the server, when it is configured to be secure.
The terminology in this entire area is of essence and hence you may
want to read the SSL documentation, but it is as follows, in a nutshell:
- asadmin is a client. The domain is the server. The domain has its
  "admin-listener" configured for SSL or not. This question (you have
  asked) is applicable only when security-enabled on admin-listener
  is "true" => SSL communication.
- According to the SSL protocol, a handshake happens and the server sends its
  "digital certificate" identifying itself. In the "default" case, the server
  is configured with a self-signed certificate (that is there in
  its own keystore and truststore by virtue of create-domain).
- When this certificate (usually nicknamed "s1as") is received by
  asadmin, it checks if it already trusts it. That happens by checking
  for its existence (or that of its parent in a cert chain) in
  its own "truststore" named .asadmintruststore in the asadmin user's home
  folder. This is the part not many people know of ;).
- If the cert happens to be there, the communication happens normally.
  If it is not there, asadmin should (and does) prompt you if you
  trust the server by showing the signature of the cert it sends.
  If you accept it (by pressing yes/y), the certificate is then
  added to ~/.asadmintruststore (for future reference) and then
  the communication commences.
- Your admin password is secure (not put on wire using base64 auth)
  till the handshake succeeds. That's why to be secure, you need to
  do admin-listener/security-enabled=true on the server.
- After that, it's pretty straightforward and resembles the plaintext
  connection.

Hope this is clear. Maybe I should blog about it.

Regards,
Kedar
[Message sent by forum member 'km' (kedar.mhaswade_at_sun.com)]

http://forums.java.net/jive/thread.jspa?messageID=368089
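The trust-on-first-use flow Kedar describes (look the server certificate up in a per-user truststore, prompt with its fingerprint if unknown, persist it on acceptance), as an added illustration written for this thread, not asadmin's own code. The truststore file, the SHA-256 fingerprint display and the y/N prompt are this example's assumptions.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

// Trust-on-first-use trust manager in the style described for asadmin; the
// truststore path and the y/N prompt are this example's own assumptions.
public class TofuTrustManager implements X509TrustManager {
    private final File storeFile;
    private final char[] storePass;
    private final KeyStore trustStore;
    public TofuTrustManager(File storeFile, char[] storePass) throws Exception {
        this.storeFile = storeFile;
        this.storePass = storePass;
        trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        if (storeFile.exists()) {
            try (InputStream in = new FileInputStream(storeFile)) { trustStore.load(in, storePass); }
        } else {
            trustStore.load(null, storePass); // first run: empty store, every server is unknown
        }
    }
    // SHA-256 fingerprint the user compares out of band before trusting the server
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            // Trusted already if the leaf or any issuer in the chain is in the store
            for (X509Certificate c : chain) if (trustStore.getCertificateAlias(c) != null) return;
            X509Certificate leaf = chain[0];
            System.out.println("Untrusted server certificate: " + leaf.getSubjectX500Principal());
            System.out.println("SHA-256 fingerprint: " + fingerprint(leaf));
            System.out.print("Do you trust this server? [y/N] ");
            String answer = new BufferedReader(new InputStreamReader(System.in)).readLine();
            if (answer == null || !answer.trim().equalsIgnoreCase("y"))
                throw new CertificateException("server certificate rejected by user");
            trustStore.setCertificateEntry("server-" + System.currentTimeMillis(), leaf);
            try (OutputStream out = new FileOutputStream(storeFile)) { trustStore.store(out, storePass); }
        } catch (CertificateException e) { throw e;
        } catch (Exception e) { throw new CertificateException(e); }
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
        throw new CertificateException("client certificates are not handled here");
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
```

To use it with HttpsURLConnection, initialise an SSLContext with this manager (`SSLContext.getInstance("TLS").init(null, new TrustManager[]{tm}, null)`) and pass its socket factory to `HttpsURLConnection.setSSLSocketFactory`. Note that this manager only answers "is this exact certificate already trusted"; hostname verification is still done separately by HttpsURLConnection.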