users@glassfish.java.net

Re: Clean install, import key help requested *2nd*

From: Lance Raymond <lraymond_at_weatherflow.com>
Date: Wed, 28 Oct 2009 14:44:38 -0400

1st all can ignore the new post (sorry for the dup as it came from Nabble)
and I am just mentally shot!
Next;
"If you used mystore.jks as the keystore where you created your original
certificate request for alias": well, unfortunately I didn't create the
request, someone else did who left. I have just the .csr and .cert

I have since wiped the app server again, so sitting idle with the following;
default keystore.jks
folder in my home with; trustedroot.crt, wfgfcert.csr, wfgfcert.cert

I can access the normal app server on 8080, 8181 is the ssl port and the
admin on 4848.

So starting from step 1, can I simply import the wfgfcert into the existing
keystore using wflow (I assume there can be multiple) since other things use
that s1as alias, then change ssl to use that wflow alias?

You threw a lot out there (better than anything I have read) but I don't want
to screw up again!

Thanks


On Wed, Oct 28, 2009 at 2:35 PM, <bamoss_at_sceats.com> wrote:

> So with the original keystore.jks, which contains alias s1as, you are able
> to access the glassfish admin console on port 4848, correct?
>
> If you used mystore.jks as the keystore where you created your original
> certificate request for alias, then imported back the signed certificate and
> the class and root certificate, you should see three entries, a chained
> signing key and the two imported certificates (class and root certs) in the
> mystore.jks keystore. However you won't have the s1as self-signed
> certificate, that is in the original keystore, since this is created when
> glassfish is built.
>
> If the above is true, create alias s1as using genkey in mystore.jks. Then
> rename the keystore.jks to keystore.old and copy and rename mystore.jks to
> keystore.jks. You should be able to log into the glassfish admin console.
> I have enabled SSL on port 4848 and 8181, leaving 8080 for HTTP. If you
> enable SSL on these ports, the default certificate nickname will be "s1as".
> If you change this to "wflow", you should now be using your signed
> certificate. This would be done by going to Configuration tab > HTTP
> Services > HTTP Listeners > SSL tab. After this change, you need to restart
> Glassfish.
>
> Does this make sense?
>
> Note that you need to have alias s1as in your active keystore, as other
> glassfish services use this certificate nickname. I suspect this is why the
> blog entry recommends deleting the original s1as and generating a new s1as
> alias for the certificate request. The other option if you don't have s1as
> in the active keystore is to make the change in the domain.xml file
> replacing all s1as certificate aliases with your alias, however, editing the
> domain.xml file is not recommended.
>
> Hope this helps.
>
> Derek
>
> -------- Original Message --------
> Subject: RE: Clean install, import key help requested *2nd*
> From: xlancealotx <lraymond_at_weatherflow.com>
> Date: Wed, October 28, 2009 11:17 am
> To: users_at_glassfish.dev.java.net
>
>
> Yep, I have tried to both copy the mystore.jks over the keystore (renaming
> it to keystore), trying importing into the existing file. Also tried using a
> different alias, changing in the admin and restarting, all still fail.
> There are a few docs out there, all pretty much say the same few things
> which is why I am surprised I am having such a hard time and the error is
> just so vague.
>
>
>
> bamoss wrote:
> >
> > Did you replace the existing keystore with your new keystore, mykeystore
> > and rename it to keystore.jks? Does your new keystore contain the s1as
> > alias? Derek
> >
> >
> > -------- Original Message --------
> > Subject: Clean install, import key help requested *2nd*
> > From: glassfish_at_javadesktop.org
> > Date: Wed, October 28, 2009 8:18 am
> > To: users_at_glassfish.dev.java.net
> >
> > ok, since over a day passed, 40+ people viewed and no response, figured I
> > would just wipe the gf server and start from scratch. I already have the
> > paid cert from rapidssl and have a clean GF2 server running. I followed a
> > few simple steps from
> > http://wiki.glassfish.java.net/Wiki.jsp?page=How_to_ssl_versign and have
> > the same issue. So maybe since it's a clean install, new alias, I can get
> > at least one response! With that, I did the following;
> >
> > Step 1
> > keytool -import -alias wflow -keystore mykeystore.jks -trustcacerts -file
> > wfgfcert.cert
> > Enter keystore password:
> > Re-enter new password:
> > Certificate was added to keystore
> >
> > I had a trustedroot.cert from rapidssl which they said I might need to
> > install, when I did I got the following;
> > keytool -import -trustcacerts -keystore mykeystore.jks -alias rapidssl
> > -file trustedroot.crt
> > Enter keystore password:
> > Certificate already exists in system-wide CA keystore under alias
> > <equifaxsecureca>
> > Do you still want to add it to your own keystore? [no]:
> >
> > So to me, that means no, it already knows they're good!
> >
> > Step 2 (per the docs);
> > cp mykeystore.jks /var/lib/glassfishv2/domains/domain1/config/keystore.jks
> >
> > Step 3 - make the change
> > Logged into the admin gui, there are 2 http-listener-2 (one under
> > default-config and the other under server-config) and the doc doesn't
> > tell which so I figure do both.
> >
> > Step 4: I try to start
> > /usr/share/glassfishv2/bin/asadmin start-domain domain1
> > Starting Domain domain1, please wait.
> > Log redirected to /var/lib/glassfishv2/domains/domain1/logs/server.log.
> > Please enter the admin user name>admin
> > Please enter the admin password>adminadmin
> > Redirecting output to /var/lib/glassfishv2/domains/domain1/logs/server.log
> > Domain domain1 failed to startup. Please check the server log for more
> > details.
> > CLI156 Could not start the domain domain1.
> >
> > The log shows the same;
> > Caused by: java.lang.IllegalStateException: Keystore was tampered with,
> > or password was incorrect
> >
> > I didn't see anyplace that said to enter the keystore password, or where
> > to put it, could that be it? Either way, I'm stuck, and really would
> > appreciate some type of help. I do try to provide as much as possible,
> > and not the 'help' on the subject, but don't know what else to try as
> > this java.net seems to be the right and best place to post!
> >
> > Thanks
> > [Message sent by forum member 'xlancealotx' (lraymond_at_weatherflow.com)]
> >
> > http://forums.java.net/jive/thread.jspa?messageID=369651
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
> > For additional commands, e-mail: users-help_at_glassfish.dev.java.net
> >
>
> --
> View this message in context:
> http://www.nabble.com/Clean-install%2C-import-key-help-requested-*2nd*-tp26096557p26099527.html
> Sent from the java.net - glassfish users mailing list archive at
> Nabble.com.
>
>
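Added example, not part of the thread: a check of `keytool -list` output for the two conditions Derek's reply names before a keystore replaces keystore.jks, namely that alias s1as is present and that the certificate alias is a signing-key entry rather than only an imported certificate. The function names are hypothetical and both listings are constructed samples.

```shell
#!/bin/sh
# Added example: sanity-check a keystore listing before copying the file over
# GlassFish's keystore.jks. Real use (keytool prompts for the password):
#   check_keystore "$(keytool -list -keystore mykeystore.jks)" wflow

# Prints "alias type" for each entry line of `keytool -list` output.
# Entry lines have the form:  alias, Oct 28, 2009, PrivateKeyEntry,
entry_types() {
    awk -F', *' 'NF >= 4 { t = $NF; if (t == "") t = $(NF - 1); print $1, t }'
}

# type_of LISTING ALIAS -> prints the entry type, or nothing if absent.
type_of() {
    printf '%s\n' "$1" | entry_types | awk -v a="$2" '$1 == a { print $2; exit }'
}

# check_keystore LISTING CERT_ALIAS
# Succeeds only if s1as exists and CERT_ALIAS carries a private key.
check_keystore() {
    rc=0
    [ -n "$(type_of "$1" s1as)" ] || { echo "alias s1as is missing"; rc=1; }
    case "$(type_of "$1" "$2")" in
        PrivateKeyEntry|keyEntry) ;;   # keyEntry: label in older keytool versions
        trustedCertEntry) echo "$2 is a certificate without a private key"; rc=1 ;;
        '') echo "alias $2 is missing"; rc=1 ;;
        *) echo "$2 has an unexpected entry type"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: signing key for wflow, the CA certificate, and s1as.
GOOD_LISTING='Keystore type: JKS
Your keystore contains 3 entries

rapidssl, Oct 28, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33
s1as, Oct 28, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 44:55:66:77
wflow, Oct 28, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 88:99:AA:BB'

# Constructed sample: a new keystore holding only an imported certificate.
IMPORT_ONLY_LISTING='Keystore type: JKS
Your keystore contains 1 entry

wflow, Oct 28, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 88:99:AA:BB'

check_keystore "$IMPORT_ONLY_LISTING" wflow || true
```

A signed certificate imported under a new alias into a keystore that does not hold the matching private key is stored as a trustedCertEntry, which is what the second sample models.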