users@glassfish.java.net

Re: Migrate SSL App from Apache to GlassFish v3

From: Major Péter <majorpetya_at_sch.bme.hu>
Date: Thu, 31 Dec 2009 01:26:49 +0100

> 1. Using openssl, I created the p12 file from my .crt and .key files. I imported the p12 into the keystore.jks file. I set the alias name to "s1as". Is this correct? In portecle, this entry has a two key icon.

Yes, this is correct.

> 2. There is a second file, cacerts.jks. What is the function of this file? Do I import my .crt file into this file? If this is the case, does the alias name also need to match the p12 imported into the keystore.jks (s1as)?

It's a ~truststore. For example, if your application tries to connect to an
LDAP server which is SSL protected, then you store the LDAP server's
public key in the cacerts.jks, so GlassFish will know whether the remote end
is trustable or not. So you don't have to import your .crt file here.

> 3. My certificate is signed by a CA and you mentioned I also need to import a public key file into the keystore.jks. I don't have a "public" key file. As I mentioned, I have an existing Apache configuration and all it uses is the .crt and .key files. If a third public key file is really needed, then I need to start investigating how and where the original certificate was signed.

Yes, you need to import your certificate signer's public key into the
keystore.jks. Visit an Apache-served https page with Firefox, at the
certificate details click on the root CA, and select export. I guess
portecle will handle the output of that export.

> 4. I have not changed any of the Glassfish passwords so "changeit" remains as the default password for both the keystore.jks and cacerts.jks files.

Cool, then you shouldn't have a problem then.

> Sorry for the additional questions but I don't understand what is exactly needed from the glassfish end to make this work. As I mentioned, my starting point is Apache and the two files (.crt = signed certificate and .key = private key) that are specified in the Apache http config file. Nothing is changing from the website point of view (URL is the same). I simply want to turn off Apache and turn on Glassfish.

No problem, I hope my answers helped you in the process. :)

Regards,
Peter
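
The steps discussed in this thread, written out as a script. This is an added example, not part of the original message or of GlassFish: the file names, helper function names and the "rootca" alias are assumptions, while the "s1as" alias and the "changeit" password are the ones mentioned above.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. File names, helper names and the
# "rootca" alias are assumptions; "s1as" and "changeit" come from the thread.
: "${KS_PASS:=changeit}"; export KS_PASS   # read via env: so it stays off argv

# Succeeds only if the certificate's public key belongs to the private key.
cert_matches_key() {   # usage: cert_matches_key server.crt server.key
    cmk_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    cmk_key=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cmk_cert" = "$cmk_key" ]
}

# Question 1: Apache's PEM pair -> PKCS#12 under the friendly name s1as.
make_p12() {           # usage: make_p12 server.crt server.key server.p12
    cert_matches_key "$1" "$2" || {
        echo "refusing: $1 was not issued for $2" >&2
        return 1
    }
    openssl pkcs12 -export -in "$1" -inkey "$2" -name s1as \
        -out "$3" -passout env:KS_PASS
}

# Questions 1 and 3: the key pair goes into keystore.jks as s1as, followed by
# the signer's root certificate exported from the browser. Back up
# keystore.jks first: with -noprompt an existing entry under the same alias
# is overwritten. The final check passes only if s1as holds a key pair
# (PrivateKeyEntry) rather than a bare certificate (trustedCertEntry).
import_into_keystore() {   # usage: import_into_keystore server.p12 keystore.jks rootca.crt
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -srcalias s1as -destalias s1as \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env KS_PASS &&
    keytool -importcert -noprompt -trustcacerts -alias rootca -file "$3" \
        -keystore "$2" -storepass:env KS_PASS &&
    keytool -list -keystore "$2" -storepass:env KS_PASS -alias s1as |
        grep -q PrivateKeyEntry
}
```

Run make_p12 and then import_into_keystore against a copy of the domain's keystore.jks; cacerts.jks is not touched, matching the answer to question 2.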