users@glassfish.java.net

Re: how does --secure works in asadmin utility?

From: Sarah kho <sarah.kho_at_gmail.com>
Date: Fri, 16 Oct 2009 20:25:08 +0330

Any comment on this:

Thank you very much for the explanation.
However, I cannot understand what will happen if we configure the admin
listener to use client cert authentication (mutual SSL authentication).
Where should I put the asadmin certificate? Is there some file named
asadminkey into which I import the asadmin certificate?

Thanks

On Thu, Oct 15, 2009 at 10:11 PM, Sarah kho <sarah.kho_at_gmail.com> wrote:

> Thank you very much for the explanation.
> However, I cannot understand what will happen if we configure the admin
> listener to use client cert authentication (mutual SSL authentication).
> Where should I put the asadmin certificate? Is there some file named
> asadminkey into which I import the asadmin certificate?
>
> Thanks
>
> On Thu, Oct 15, 2009 at 7:38 PM, <glassfish_at_javadesktop.org> wrote:
>
>> It is very simple ;).
>> All it does is try to create an https connection (using the Java class
>> HttpsURLConnection) to the server, when it is configured to be secure.
>> The terminology in this entire area is of essence and hence you may
>> want to read the SSL documentation, but it is as follows, in a nutshell:
>> - asadmin is a client. The domain is the server. The domain has its
>> "admin-listener" configured for SSL or not. This question (you have
>> asked) is applicable only when security-enabled on admin-listener
>> is "true" => SSL communication.
>> - According to the SSL protocol, a handshake happens and server sends its
>> "digital certificate" identifying itself. In the "default" case, server
>> is configured with a self-signed certificate (that is there in
>> its own keystore and truststore by virtue of create-domain).
>> - When this certificate (usually nicknamed "s1as") is received by
>> asadmin it checks if it already trusts it. That happens by checking
>> for its existence (or that of its parent in a cert chain) in
>> its own "truststore" named .asadmintruststore in asadmin user's home
>> folder. This is the part not many people know of ;).
>> - If the cert happens to be there, the communication happens normally.
>> If it is not there, asadmin should (and does) prompt you if you
>> trust the server by showing the signature of the cert it sends.
>> If you accept it (by pressing yes/y), the certificate is then
>> added to ~/.asadmintruststore (for future reference) and then
>> the communication commences.
>> - Your admin password is secure (not put on wire using base64 auth)
>> till the handshake succeeds. That's why to be secure, you need to
>> do admin-listener/security-enabled=true on the server.
>> - After that, it's pretty straightforward and resembles the plaintext
>> connection.
>>
>> Hope this is clear. Maybe I should blog about it.
>>
>> Regards,
>> Kedar
>> [Message sent by forum member 'km' (kedar.mhaswade_at_sun.com)]
>>
>> http://forums.java.net/jive/thread.jspa?messageID=368089
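The truststore lookup and first-use prompt Kedar describes, reconstructed as an added Java example (this is not GlassFish's own asadmin code). It assumes a JKS store at ~/.asadmintruststore protected by the password "changeit", and it displays a SHA-256 fingerprint of the leaf certificate, which may differ from what asadmin actually prints.

```java
import java.io.*;
import java.net.URL;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;
public class TofuAdminClient {
    // Assumptions for this demo: JKS store in the user's home directory, password "changeit".
    static final File STORE = new File(System.getProperty("user.home"), ".asadmintruststore");
    static final char[] PASS = "changeit".toCharArray();
    static KeyStore loadStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = STORE.exists() ? new FileInputStream(STORE) : null) { ks.load(in, PASS); }
        return ks;                               // load(null, ...) yields an empty store on the first run
    }
    static String sha256(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
    // Accept the chain if the store (a pinned leaf, or a CA in it) vouches for it; otherwise show the
    // leaf's fingerprint, ask the operator, and persist a "y" so that later runs connect silently.
    static X509TrustManager tofu(KeyStore store) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        X509TrustManager base = (X509TrustManager) tmf.getTrustManagers()[0];
        return new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException {
                try { if (store.size() > 0) { base.checkServerTrusted(chain, auth); return; } }
                catch (Exception notYetTrusted) { /* empty store or unknown cert: fall through to the prompt */ }
                try {
                    X509Certificate leaf = chain[0];
                    System.out.println("Untrusted server certificate: " + leaf.getSubjectX500Principal() + "\nSHA-256: " + sha256(leaf) + "\nTrust it and add to " + STORE + "? [y/N]");
                    String a = new BufferedReader(new InputStreamReader(System.in)).readLine();
                    if (a == null || !a.trim().equalsIgnoreCase("y")) throw new CertificateException("rejected by user");
                    store.setCertificateEntry("server-" + System.currentTimeMillis(), leaf);
                    try (OutputStream out = new FileOutputStream(STORE)) { store.store(out, PASS); }
                } catch (CertificateException e) { throw e; } catch (Exception e) { throw new CertificateException(e); }
            }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { base.checkClientTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return base.getAcceptedIssuers(); }
        };
    }
    // The handshake (and therefore any prompt) completes before a request or the admin password is sent.
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tofu(loadStore()) }, null);
        HttpsURLConnection c = (HttpsURLConnection) new URL(args[0]).openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + c.getResponseCode());
    }
}
```

The first run is the security-relevant moment: whatever is accepted at the prompt is what every later run silently trusts, so the displayed fingerprint should be compared with one obtained out of band from the domain's own keystore before answering "y".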