users@glassfish.java.net

Glassfish 3.0.1 cannot be configured to use SSL certificates for different

From: <forums_at_java.net>
Date: Wed, 6 Apr 2011 10:13:56 -0500 (CDT)

SUMMARY
---------------
Glassfish 3.0.1 cannot be configured to use SSL certificates for different
internet domain names. We have summarised our understanding and hope someone
can correct this, or acknowledge that this is a known issue, or indicate a
workaround.

BACKGROUND
-------------------
We run an enterprise application on Glassfish 3.0.1.  The application hosts
several websites, with pages constructed on request from EJB over a database.

Although there is more than one internet domain name pointed at the static IP
address of the server, Glassfish is configured with one http listener and one
virtual server.  Our application is responsible for inspecting the internet
domain name requested and serving appropriate content.

For many months we have had a Verisign SSL certificate installed for one of
the internet domain names (say domain_1).  This is trouble-free.

We have come to install a second Verisign SSL certificate for another of the
internet domain names pointed at this server (say domain_2).

After successfully installing the SSL certificate for domain_2, we noted that
irrespective of whether a browser is pointed at domain_1 or domain_2,
domain_1's certificate is used by Glassfish to establish the SSL connection.
This is fine for domain_1, but for domain_2 browsers (rightly) throw up
warnings about a mismatch between the internet domain name in use and the
internet domain name certified by the SSL certificate.

GLASSFISH CONFIGURATION
---------------------------------------
We read up about this.  We found Oracle's article at
http://download.oracle.com/docs/cd/E19798-01/821-1751/abloj/index.html [1],
which states:

START_OF_QUOTE
Name-based Virtual Hosts
Using name-based virtual hosts for a secure application can be problematic.
This is a design limitation of the SSL protocol itself. The SSL handshake,
where the client browser accepts the server certificate, must occur before
the HTTP request is accessed. As a result, the request information containing
the virtual host name cannot be determined prior to authentication, and it is
therefore not possible to assign multiple certificates to a single IP
address.

If all virtual hosts on a single IP address need to authenticate against the
same certificate, the addition of multiple virtual hosts probably will not
interfere with normal SSL operations on the server. Be aware, however, that
most browsers will compare the server's domain name against the domain name
listed in the certificate, if any (applicable primarily to official,
CA-signed certificates). If the domain names do not match, these browsers
display a warning. In general, only address-based virtual hosts are commonly
used with SSL in a production environment.
END_OF_QUOTE

This is a good description of what we have seen.  It implies that we will
need two static IP addresses, one for domain_1 and one for domain_2.
Indeed, this is confirmed on this forum at http://www.java.net/node/677472
[2].  We also conclude that Glassfish must be configured with two network
listeners, one for each IP address and each associated with a different SSL
certificate (using the Certificate Nickname field) so that the correct
certificate is used for the correct internet domain name.

domain_1 --> IP Address 1 --> Network Listener 1 --> domain_1 SSL certificate
domain_2 --> IP Address 2 --> Network Listener 2 --> domain_2 SSL certificate

The document at
http://download.oracle.com/docs/cd/E19798-01/821-1751/ablsw/index.html [3] is
helpful in describing the configuration of internet connectivity in
Glassfish.

From reading the above document, we conclude that we can run a single virtual
server over both network listeners, and a single instance of our application,
which can continue to be responsible for inspecting the internet domain name
requested and serving appropriate content.  In the Glassfish admin
interface, the virtual server's network listeners field is a multi-selection
list, implying that a single virtual server can sit on top of multiple
network listeners.  So we get:

domain_1 --> IP Address 1 --> Network Listener 1 --> domain_1 SSL certificate --+
                                                                                 +--> virtual_server_1 --> application_1
domain_2 --> IP Address 2 --> Network Listener 2 --> domain_2 SSL certificate --+

PROBLEM
-------------
If the above configuration is implemented, then the application is not
available to service requests.  Instead, Glassfish serves its standard
'Your server is now running' page.

To strip this down a bit, we can set aside all the stuff about SSL
certificates, and state that if Glassfish is configured with two network
listeners on different IP addresses, then any application associated with a
virtual server associated with the network listeners is not available.

OTHER INCIDENTAL STUFF
-----------------------------------
It might be worth mentioning two further issues: the virtual server's hosts
field, and the implications of the above for routers.

VIRTUAL SERVER'S HOSTS FIELD
------------------------------------------
We had some difficulty understanding the virtual server's hosts list.  In
the admin interface it is labelled 'Comma-separated list of hosts or IP
addresses', but the help pages don't mention IP addresses at all and are
utterly confusing with their references to 'name or names for the machine on
which the server is running' and 'the DNS server for your network':

START_OF_QUOTE
Hosts
The host name or names for the machine on which the server is running. Use
either actual or virtual host names that are registered with the DNS server
for your network (and, on a UNIX system, in your /etc/hosts file). The
default value is the system property value ${com.sun.aas.hostName}.
END_OF_QUOTE

A better description of a virtual server's hosts list is found at
http://download.oracle.com/docs/cd/E19798-01/821-1758/create-virtual-server-1/index.html
[4], which states:

START_OF_QUOTE
A comma-separated (,) list of values allowed in the host request header to
select the current virtual server. Each virtual server that is configured to
the same connection group must have a unique host for that group.
END_OF_QUOTE

ROUTER
-----------
Incidentally, although this is off-topic, the requirement that https requests
must reach the Glassfish server using multiple fixed IP addresses requires us
to dump our Netgear router (which can only have a single IP address on its
public side) and to stop using Network Address Translation (NAT). Our
broadband provider can supply multiple fixed IP addresses on the line, but we
will need to find a broadband router capable of having multiple public IP
addresses.

[1] http://download.oracle.com/docs/cd/E19798-01/821-1751/abloj/index.html
[2] http://www.java.net/node/677472
[3] http://download.oracle.com/docs/cd/E19798-01/821-1751/ablsw/index.html
[4] http://download.oracle.com/docs/cd/E19798-01/821-1758/create-virtual-server-1/index.html

--
[Message sent by forum member 'grahamrobbins']
View Post: http://forums.java.net/node/789147
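The check a practitioner would want after setting up the two listeners above, as an added example that is not part of the original post and not GlassFish code: a Python script that connects to each (domain name, IP address) pair, once without SNI (the only thing a server that selects certificates per IP address, as the quoted Oracle text describes, can act on) and once with SNI, and reports which certificate was presented and whether a browser's domain-name comparison would pass. The host names and the two addresses in SITES are assumptions standing in for the post's domain_1, domain_2 and the two static IP addresses; the matching rule (exact or single-label wildcard, subjectAltName first, CN as fallback) is the comparison browsers perform, not anything specific to GlassFish.

```python
"""Which certificate does each TLS listener present?  (added example)

For every (hostname, IP address) pair: handshake without SNI, then with SNI,
and say whether the certificate the server picked would satisfy a browser's
domain-name comparison for that hostname.
"""
import socket
import ssl

# Assumed mapping: placeholders for the post's domain_1/domain_2 and the two
# static addresses (RFC 5737 documentation range, so nothing real is probed).
SITES = {
    "www.domain_1.example": "192.0.2.1",
    "www.domain_2.example": "192.0.2.2",
}


def fetch_peer_cert(ip, port=443, sni=None, timeout=5.0):
    """Handshake with ip:port and return the parsed server certificate.

    check_hostname is off because we want the certificate even when its name
    is wrong; verify_mode stays CERT_REQUIRED because getpeercert() only
    returns a parsed dict for a chain that validated against the CA store.
    sni=None sends no server_name extension at all.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """DNS names a browser compares against the URL host: every dNSName in
    subjectAltName, or, if the certificate carries none, the subject CN
    (the fallback browsers of the period still applied)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def hostname_matches(names, hostname):
    """Case-insensitive exact match, or a wildcard that is the whole left-most
    label and covers exactly one label: '*.domain_2.example' matches
    'www.domain_2.example' but not 'domain_2.example' or 'a.b.domain_2.example'."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                  # ".domain_2.example"
            if host.endswith(suffix):
                left = host[: -len(suffix)]    # what the '*' has to cover
                if left and "." not in left:
                    return True
    return False


def check_site(hostname, ip, port=443):
    """Probe one listener with and without SNI; returns {mode: (ok, names)}."""
    results = {}
    for mode, sni in (("no SNI", None), ("SNI", hostname)):
        try:
            names = cert_names(fetch_peer_cert(ip, port, sni))
            results[mode] = (hostname_matches(names, hostname), names)
        except OSError as exc:  # refused, timeout, or an untrusted chain (ssl.SSLError)
            results[mode] = (False, ["handshake failed: %s" % exc])
    return results


if __name__ == "__main__":
    for hostname, ip in SITES.items():
        for mode, (ok, names) in check_site(hostname, ip).items():
            verdict = "OK      " if ok else "MISMATCH"
            print("%s %-24s %-12s %-7s presented %s" % (verdict, hostname, ip, mode, names))
```

If the "no SNI" line for domain_2 reports domain_1's names, the server is choosing its certificate by listener address alone and the second static IP address really is needed; if only the "SNI" line is correct, the server honours SNI and older clients that send none will still see the mismatch warning.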