users@glassfish.java.net

Re: Clean install, import key help requested *2nd*

From: Lance Raymond <lraymond_at_weatherflow.com>
Date: Wed, 28 Oct 2009 20:27:59 -0400

OK, this is what I've got so far:
deleted the alias from that keystore file.

Recreated using the following;
keytool -genkey -dname "CN=ws1.weatherflow.com, OU=Sun Java System
Application Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US"
-alias s1as -keystore keystore.jks

Note: I simply looked at a new server install's s1as, which made sense. A
check on that file now shows what you said about the private key:
Creation date: Oct 28, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ws1.domain.com, OU=Sun Java System Application Server, O=Sun
Microsystems, L=Santa Clara, ST=California, C=US

Lastly, I simply overwrote the newly installed keystore.jks and restarted,
knowing in the back of my head it would fail, simply for this reason: the
password on a newly installed server, I think, is changeit or something
similar, whereas this keystore's is not. So on a restart, looking at the
logs, I knew I would see this, and sure enough, saw it:
Caused by: java.lang.IllegalStateException: Keystore was tampered with,
or password was incorrect

Which does make sense. So it seems I do 'understand' a bit more, and am
probably 80% of the way to where I want to be. So the question now is: do I
tell GlassFish that the new keystore password is this, and if so, how? Or the
other idea (not sure if you can): if I have the .cert file from the original,
and a new clean install works, can you import that cert into a keystore on a
new working server? Not sure which of the above is better (I really don't
even care anymore); I'd just love to see it start and have the cert working :)

Derek, you have been so helpful so far, I appreciate it!



On Wed, Oct 28, 2009 at 6:15 PM, <bamoss_at_sceats.com> wrote:

> Okay, this is good news. So you should be able to set the certificate
> nickname to "wfgcert" once you get Glassfish started, if you haven't already
> done so.
>
> One thing that jumps out at me is that alias "s1as" is Entry type:
> trustedCertEntry. This should be Entry type: PrivateKeyEntry.
>
> Why don't you use keytool to delete alias s1as, then do a genkey and create
> a new s1as alias. Set the validity out a couple of years. Restart
> Glassfish (domain1) then see if you can access the Glassfish Admin Console
> on port 4848.
>
> Once you have access to Glassfish Admin Console, go to Configuration >
> HTTP Services > HTTP Listeners > SSL tab for port 8181 (and 4848 if you
> want) and set/validate that the certificate nickname is set to wfgcert.
> If you have to change it from s1as, restart Glassfish and click on the
> padlock in the browser to validate that you are now using the signed SSL
> cert.
>
> I believe that alias s1as can be fully replaced by editing domain.xml and
> replacing s1as with wfgcert -- then restart domain1. Someone from Sun would
> need to validate this.
>
> Finally, if you change the master-password, you need to manually change
> keypass for any alias other than s1as. For Glassfish SSL, storepass and
> keypass must be the same.
>
> Hope this helps. Good luck.
>
> Derek
>
> -------- Original Message --------
> Subject: Re: Clean install, import key help requested *2nd*
> From: Lance Raymond <lraymond_at_weatherflow.com>
> Date: Wed, October 28, 2009 12:32 pm
> To: users_at_glassfish.dev.java.net
>
> Actually yes, that much has :)
>
> Now I do have a backup keystore.jks file which I think he used and I just
> found, and I do have the password. So I did the following (note this is the
> old one):
> keytool -list -v -keystore keystore.jks (entered the pw) and have this
> (just including the good stuff):
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> Alias name: wfgfcert
> Creation date: Sep 23, 2009
> Entry type: PrivateKeyEntry
> Certificate chain length: 2
> Certificate[1]:
> Owner: CN=api.mydomain.com, OU=Domain Control Validated - RapidSSL(R),
> OU=See www.rapidssl.com/resources/cps (c)09, OU=GT06273877,
> O=api.mydomain.com, C=US
> Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
>
> Alias name: root
> Creation date: Sep 23, 2009
> Entry type: trustedCertEntry
>
> Owner: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
> Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
> Serial number: 35def4cf
> Valid from: Sat Aug 22 12:41:51 EDT 1998 until: Wed Aug 22 12:41:51 EDT 2018
>
>
> Alias name: s1as
> Creation date: Sep 23, 2009
> Entry type: trustedCertEntry
>
> Owner: CN=api.domain.com, OU=Domain Control Validated - RapidSSL(R),
> OU=See www.rapidssl.com/resources/cps (c)09, OU=GT06273877,
> O=api.domain.com, C=US
> Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
>
>
> So that was done last month and it looks like he imported the key into the
> keystore.jks file (I almost sound like I know what I'm talking about)! The
> only issue I see with that file is the last one, the s1as alias is using the
> same domain info, where the new install uses the self-signed one. Not sure
> if that matters or not as I don't really need that s1as alias, but you say
> other things use it.
>
> As for not being around, doesn't matter, I have the laptop and will be
> checking in all day/night :D Thanks again for the time already spent
> helping.
>
>
>
>
> On Wed, Oct 28, 2009 at 3:00 PM, <bamoss_at_sceats.com> wrote:
>
>> If you don't have the original keystore where the wflow alias was created,
>> you may need to create a new keypair and get the certificate signed by
>> rapidssl.
>>
>> The issue is that for SSL to work correctly, you need a keypair in your
>> keystore. When you do a signing request to a CA, you export the certificate
>> (not the key) then reimport the signed certificate. This gives you a chain
>> keypair. What you need to see in your keystore when you do keytool -list -v
>> -keystore keystore.jks, is the name of your alias (eg: wflow) followed by
>> "Entry Type: keyEntry". You should also see this after alias "s1as". If
>> you don't see this in your keystore, you need to go through the cert request
>> process with the CA.
>>
>> Does this make sense?
>>
>> If not, I'll try to help, but will be offline for a couple of hours.
>>
>>
>> -------- Original Message --------
>> Subject: Re: Clean install, import key help requested *2nd*
>> From: Lance Raymond <lraymond_at_weatherflow.com>
>> Date: Wed, October 28, 2009 11:44 am
>> To: users_at_glassfish.dev.java.net
>>
>> First, all can ignore the new post (sorry for the dup, as it came from
>> Nabble); I am just mentally shot!
>> Next:
>> "If you used mystore.jks as the keystore where you created your original
>> certificate request for alias" - well, unfortunately I didn't create the
>> request; someone else did, who left. I have just the .csr and .cert.
>>
>> I have since wiped the app server again, so sitting idle with the
>> following;
>> default keystore.jks
>> folder in my home with; trustedroot.crt, wfgfcert.csr, wfgfcert.cert
>>
>> I can access the normal app server on 8080, 8181 is the ssl port and the
>> admin on 4848.
>>
>> So starting from step 1, can I simply import the wfgfcert into the
>> existing keystore using wflow (I assume there can be multiple) since other
>> things use that s1as alias, then change ssl to use that wflow alias?
>>
>> You threw a lot out there (better than anything I have read) but I don't
>> want to screw up again!
>>
>> Thanks
>>
>>
>> On Wed, Oct 28, 2009 at 2:35 PM, <bamoss_at_sceats.com> wrote:
>>
>>> So with the original keystore.jks, which contains alias s1as, you are
>>> able to access the glassfish admin console on port 4848, correct?
>>>
>>> If you used mystore.jks as the keystore where you created your original
>>> certificate request for alias, then imported back the signed certificate and
>>> the class and root certificate, you should see three entries, a chained
>>> signing key and the two imported certificates (class and root certs) in the
>>> mystore.jks keystore. However you won't have the s1as self-signed
>>> certificate, that is in the original keystore, since this is created when
>>> glassfish is built.
>>>
>>> If the above is true, create alias s1as using genkey in mystore.jks.
>>> Then rename the keystore.jks to keystore.old and copy and rename mystore.jks
>>> to keystore.jks. You should be able to log into the glassfish admin
>>> console. I have enabled SSL on port 4848 and 8181, leaving 8080 for HTTP.
>>> If you enable SSL on these ports, the default certificate nickname will be
>>> "s1as". If you change this to "wflow", you should now be using your signed
>>> certificate. This would be done by going to Configuration > HTTP Services >
>>> HTTP Listeners > SSL tab. After this change, you need to restart Glassfish.
>>>
>>> Does this make sense?
>>>
>>> Note that you need to have alias s1as in your active keystore, as other
>>> glassfish services use this certificate nickname. I suspect this is why the
>>> blog entry recommends deleting the original s1as and generating a new s1as
>>> alias for the certificate request. The other option if you don't have s1as
>>> in the active keystore is to make the change in the domain.xml file
>>> replacing all s1as certificate aliases with your alias, however, editing the
>>> domain.xml file is not recommended.
>>>
>>> Hope this helps.
>>>
>>> Derek
>>>
>>> -------- Original Message --------
>>> Subject: RE: Clean install, import key help requested *2nd*
>>> From: xlancealotx <lraymond_at_weatherflow.com>
>>> Date: Wed, October 28, 2009 11:17 am
>>> To: users_at_glassfish.dev.java.net
>>>
>>>
>>> Yep, I have tried both copying the mystore.jks over the keystore (renaming
>>> it to keystore) and importing into the existing file. Also tried using a
>>> different alias, changing it in the admin and restarting; all still fail.
>>> There are a few docs out there, all pretty much saying the same few things,
>>> which is why I am surprised I am having such a hard time and the error is
>>> just so vague.
>>>
>>>
>>>
>>> bamoss wrote:
>>> >
>>> > Did you replace the existing keystore with your new keystore, mykeystore,
>>> > and rename it to keystore.jks? Does your new keystore contain the s1as
>>> > alias? Derek
>>> >
>>> >
>>> > -------- Original Message --------
>>> > Subject: Clean install, import key help requested *2nd*
>>> > From: glassfish_at_javadesktop.org
>>> > Date: Wed, October 28, 2009 8:18 am
>>> > To: users_at_glassfish.dev.java.net
>>> >
>>> > ok, since over a day passed, 40+ people viewed and no response, I figured
>>> > I would just wipe the gf server and start from scratch. I already have
>>> > the paid cert from rapidssl and have a clean GF2 server running. I
>>> > followed a few simple steps from
>>> > http://wiki.glassfish.java.net/Wiki.jsp?page=How_to_ssl_versign and have
>>> > the same issue. So maybe since it's a clean install, new alias, I can get
>>> > at least one response! With that, I did the following;
>>> >
>>> > [b]Step 1[/b]
>>> > keytool -import -alias wflow -keystore mykeystore.jks -trustcacerts -file wfgfcert.cert
>>> > Enter keystore password:
>>> > Re-enter new password:
>>> > Certificate was added to keystore
>>> >
>>> > I had a trustedroot.cert from rapidssl which they said I might need to
>>> > install; when I did I got the following:
>>> > keytool -import -trustcacerts -keystore mykeystore.jks -alias rapidssl -file trustedroot.crt
>>> > Enter keystore password:
>>> > Certificate already exists in system-wide CA keystore under alias
>>> > <equifaxsecureca>
>>> > Do you still want to add it to your own keystore? [no]:
>>> >
>>> > So to me, that means no, it already knows they're good!
>>> > [b]Step 2 (per the docs);[/b]
>>> > cp mykeystore.jks /var/lib/glassfishv2/domains/domain1/config/keystore.jks
>>> >
>>> > [b]Step 3 - make the change[/b]
>>> > Logged into the admin gui, there are 2 http-listener-2 (one under
>>> > default-config and the other under server-config) and the doc doesn't
>>> > tell which so I figure do both.
>>> >
>>> > [b]Step 4: I try to start[/b]
>>> > /usr/share/glassfishv2/bin/asadmin start-domain domain1
>>> > Starting Domain domain1, please wait.
>>> > Log redirected to /var/lib/glassfishv2/domains/domain1/logs/server.log.
>>> > Please enter the admin user name>admin
>>> > Please enter the admin password>adminadmin
>>> > Redirecting output to /var/lib/glassfishv2/domains/domain1/logs/server.log
>>> > Domain domain1 failed to startup. Please check the server log for more
>>> > details.
>>> > CLI156 Could not start the domain domain1.
>>> >
>>> > The log shows the same;
>>> > [i]Caused by: java.lang.IllegalStateException: Keystore was tampered with,
>>> > or password was incorrect[/i]
>>> >
>>> > I didn't see anyplace that said to enter the keystore password, or where
>>> > to put it; could that be it? Either way, I'm stuck, and really would
>>> > appreciate some type of help. I do try to provide as much as possible,
>>> > and not the 'help' on the subject, but don't know what else to try as
>>> > this java.net seems to be the right and best place to post!
>>> >
>>> > Thanks
>>> > [Message sent by forum member 'xlancealotx' (lraymond_at_weatherflow.com)]
>>>
>>> >
>>> > http://forums.java.net/jive/thread.jspa?messageID=369651
>>> >
>>> > ---------------------------------------------------------------------
>>> > To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>> > For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>> >
>>> >
>>> >
>>> >
>>> >
>
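As an added example (not code from this thread, from GlassFish or from the JDK), the following Python reproduces the two things the replies above hinge on: the keyed SHA-1 trailer that yields "Keystore was tampered with, or password was incorrect" when the store password GlassFish supplies (its master password, changeit on a fresh install as Lance notes) differs from the one the keystore was saved with, and the entry tag that separates a PrivateKeyEntry from a trustedCertEntry, which is why Derek flags the s1as entry in the old keystore. The JKS layout and the "Mighty Aphrodite" salt are the JDK's JavaKeyStore format; the aliases come from the listing in the thread, while the password, key bytes and DER blobs are constructed placeholders.

```python
"""Minimal JKS reader: verify the store password and list entry types.
Added example for this thread, not code from the list, GlassFish or the JDK;
layout and keyed SHA-1 trailer follow the JDK's JavaKeyStore format, and the
store contents, password and DER blobs below are constructed placeholders."""
import hashlib
import struct

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2  # PrivateKeyEntry / trustedCertEntry
INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed salt the JDK mixes into the digest

def _utf(s):
    # DataOutputStream.writeUTF: 2-byte big-endian length + UTF-8 bytes
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _blob(b):
    # 4-byte big-endian length + opaque bytes (protected keys, DER certs)
    return struct.pack(">I", len(b)) + b

def _read_utf(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _skip_blob(buf, pos):
    (n,) = struct.unpack_from(">I", buf, pos)
    return pos + 4 + n

def _keyed_sha1(password):
    # SHA-1 seeded with the password as UTF-16BE chars plus the JDK salt
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(INTEGRITY_SALT)
    return h

def build_jks(entries, password):
    """Serialise (alias, tag, payload, chain) tuples; chain is tag 1 only."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, tag, payload, chain in entries:
        body += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)  # 0 = creation time
        if tag == TAG_PRIVATE_KEY:
            body += _blob(payload) + struct.pack(">I", len(chain))
            for der in chain:
                body += _utf("X.509") + _blob(der)
        else:
            body += _utf("X.509") + _blob(payload)
    h = _keyed_sha1(password)
    h.update(body)
    return body + h.digest()

def verify_store_password(data, password):
    """True iff the 20-byte trailer equals the keyed SHA-1 over the body; a
    mismatch is Java's "Keystore was tampered with, or password was incorrect"."""
    h = _keyed_sha1(password)
    h.update(data[:-20])
    return h.digest() == data[-20:]

def list_entries(data):
    """Walk the entries and map alias -> keytool-style entry type."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore")
    pos, out = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _read_utf(data, pos + 4)
        pos += 8  # creation timestamp
        if tag == TAG_PRIVATE_KEY:
            pos = _skip_blob(data, pos)  # protected key
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                _, pos = _read_utf(data, pos)  # cert type
                pos = _skip_blob(data, pos)
            out[alias] = "PrivateKeyEntry"
        elif tag == TAG_TRUSTED_CERT:
            _, pos = _read_utf(data, pos)
            pos = _skip_blob(data, pos)
            out[alias] = "trustedCertEntry"
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return out

def diagnose(data, storepass, nickname):
    """Store password first (where start-up fails in the thread), then s1as
    presence, then whether the SSL nickname is a key pair, not a bare cert."""
    if not verify_store_password(data, storepass):
        return "Keystore was tampered with, or password was incorrect"
    entries = list_entries(data)
    if "s1as" not in entries:
        return "alias s1as missing: other GlassFish services reference it"
    kind = entries.get(nickname, "absent")
    if kind != "PrivateKeyEntry":
        return "alias %s is %s; the SSL nickname needs a PrivateKeyEntry" % (nickname, kind)
    return "ok"

# Constructed store mirroring the listing in the thread: wfgfcert is a key
# pair with a two-certificate chain, s1as is certificate-only.
FAKE_DER = b"\x30\x03\x02\x01\x01"  # placeholder bytes, not a real certificate
SAMPLE_STOREPASS = "example-store-pass"  # constructed, not the poster's
SAMPLE_JKS = build_jks(
    [("wfgfcert", TAG_PRIVATE_KEY, b"\x00" * 16, [FAKE_DER, FAKE_DER]),
     ("s1as", TAG_TRUSTED_CERT, FAKE_DER, [])],
    SAMPLE_STOREPASS)
```

diagnose(SAMPLE_JKS, "changeit", "wfgfcert") returns the start-up message verbatim, because the trailer was computed with a different store password; with the right password the same call for alias s1as reports the certificate-only entry instead. For a real keystore.jks the equivalent first check is keytool -list -storepass with the domain's master password: a mismatch fails before any alias is shown, and the remedy is to bring the store password into line with the master password (keytool -storepasswd) rather than to copy a store saved under a foreign password over keystore.jks.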