users@glassfish.java.net

Re: how does --secure works in asadmin utility?

From: Sarah kho <sarah.kho_at_gmail.com>
Date: Thu, 15 Oct 2009 22:11:44 +0330

Thank you very much for the explanation.
However, I cannot understand what will happen if we configure the admin
listener to use client cert authentication (mutual SSL authentication).
Where should I put the asadmin certificate? Is there some file named
asadminkey into which I import the asadmin certificate?

Thanks

On Thu, Oct 15, 2009 at 7:38 PM, <glassfish_at_javadesktop.org> wrote:

> It is very simple ;).
> All it does is try to create an https connection (using the Java class
> HttpsURLConnection) to the server, when it is configured to be secure.
> The terminology in this entire area is of essence and hence you may
> want to read the SSL documentation, but it is as follows, in a nutshell:
> - asadmin is a client. The domain is the server. The domain has its
> "admin-listener" configured for SSL or not. This question (you have
> asked) is applicable only when security-enabled on admin-listener
> is "true" => SSL communication.
> - According to the SSL protocol, a handshake happens and the server sends its
> "digital certificate" identifying itself. In the "default" case, the server
> is configured with a self-signed certificate (that is there in
> its own keystore and truststore by virtue of create-domain).
> - When this certificate (usually nicknamed "s1as") is received by
> asadmin, it checks if it already trusts it. That happens by checking
> for its existence (or that of its parent in a cert chain) in
> its own "truststore" named .asadmintruststore in the asadmin user's home
> folder. This is the part not many people know of ;).
> - If the cert happens to be there, the communication happens normally.
> If it is not there, asadmin should (and does) prompt you if you
> trust the server by showing the signature of the cert it sends.
> If you accept it (by pressing yes/y), the certificate is then
> added to ~/.asadmintruststore (for future reference) and then
> the communication commences.
> - Your admin password is secure (not put on wire using base64 auth)
> till the handshake succeeds. That's why to be secure, you need to
> do admin-listener/security-enabled=true on the server.
> - After that, it's pretty straightforward and resembles the plaintext
> connection.
>
> Hope this is clear. Maybe I should blog about it.
>
> Regards,
> Kedar
> [Message sent by forum member 'km' (kedar.mhaswade_at_sun.com)]
>
> http://forums.java.net/jive/thread.jspa?messageID=368089
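The check, prompt and persist flow Kedar describes (trust the server if its certificate or a parent in the chain is already in ~/.asadmintruststore, otherwise show the fingerprint, ask, and store the certificate on "y"), written out as an added Java 17 example; this is not asadmin's own code, and the class name, the JKS file format and the truststore location are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.util.HexFormat;
import javax.net.ssl.*;

// Hypothetical class, not asadmin's own code; the store path and password are assumptions.
public class PromptingTrustManager implements X509TrustManager {
    private final Path storePath;   // assumed: ~/.asadmintruststore kept as a JKS file
    private final char[] storePass; // assumed: password protecting that file
    private final KeyStore store;

    public PromptingTrustManager(Path storePath, char[] storePass) throws Exception {
        this.storePath = storePath; this.storePass = storePass;
        store = KeyStore.getInstance("JKS");
        // Loading from a null stream gives an empty store, which is what a first run sees.
        try (InputStream in = Files.exists(storePath) ? Files.newInputStream(storePath) : null) {
            store.load(in, storePass);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            // Trusted silently if the leaf, or any issuer in its chain, is already stored.
            for (X509Certificate c : chain) {
                c.checkValidity();
                if (store.getCertificateAlias(c) != null) return;
            }
            // Unknown server: show the certificate's fingerprint and ask, as asadmin does.
            X509Certificate leaf = chain[0];
            String fp = HexFormat.ofDelimiter(":").withUpperCase()
                    .formatHex(MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded()));
            System.out.printf("Certificate not in %s%n  Subject: %s%n  SHA-256: %s%n",
                    storePath, leaf.getSubjectX500Principal(), fp);
            System.out.print("Do you trust this server? [y/N] ");
            String answer = new BufferedReader(new InputStreamReader(System.in)).readLine();
            if (answer == null || !answer.trim().equalsIgnoreCase("y"))
                throw new CertificateException("server certificate rejected by user");
            // Persist it so later connections pass the loop above without a prompt.
            store.setCertificateEntry("server-" + System.currentTimeMillis(), leaf);
            try (OutputStream out = Files.newOutputStream(storePath)) { store.store(out, storePass); }
        } catch (CertificateException e) { throw e;
        } catch (Exception e) { throw new CertificateException(e); }
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { throw new CertificateException("client certs not handled"); }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
```

Install it with `SSLContext.init(null, new TrustManager[]{ new PromptingTrustManager(path, password) }, null)` and hand the context's socket factory to the HttpsURLConnection. The loop only mirrors the membership check described in the message, so a complete client still verifies the chain's signatures and the hostname before trusting the connection.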