users@glassfish.java.net

Re: SSL on Glassfish - having trouble setting it up

From: <forums_at_java.net>
Date: Tue, 14 Feb 2012 21:08:55 -0600 (CST)

[quote=skahlert2010]

Hello Jim and all others!

I was finally successful in setting up the SSL connection.

Here are the steps, which I hope will help others who run into similar
initial problems:

1. Make sure the JAVA_HOME envvar is set correctly
export JAVA_HOME=Usr/lib/jvm/java-6-open/jdk
2. Take the original keystore and trial certificate provided with Glassfish
and change the master password.
3. Change the master password using the following command and take care that
the master password matches the keystore and certificate password.
/glassfish3/glassfish/domains/domain1/config> /home/oracle/glassfish3/glassfish/bin/asadmin change-master-password --savemasterpassword=true
3.1. Beware of changing the keystore password using the keytool command. It
will definitely not work properly:
keytool -storepasswd -keystore keystore.jks
2. Delete the trial key stored in the keystore
keytool -delete -alias s1as -keystore keystore.jks -storepass password_from_step_3
3. Import the PK12 key into the keystore.jks
keytool -importkeystore \
    -srckeystore https-certificates.pkcs12 \
    -srcstoretype PKCS12 \
    -srcstorepass password \
    -deststorepass changeit \
    -destkeypass changeit \
    -destkeystore $GLASSFISH_HOME/glassfish/domains/$GLASSFISH_DOMAIN/config/keystore.jks \
    -srcalias 1 \
    -destalias s1as
4. Import the root certificate into the cacerts.jks truststore.
keytool -import -alias s1as -keystore keystore.jks -file mycertificate.der
5. Check keystore for certificate entry
keytool -list -keystore keystore.jks
keytool -list -keystore cacerts.jks -alias s1as
6. Start the domain and you should be done setting up the connection (however
make sure to reference alias s1as under http-listener-2 in the admin console)
7. Alternatively you may also try to convert the PK12 certificate to an X509
compatible format:
https://www.sslshopper.com/ssl-converter.html
7.1 Convert the PEM certificate received from sslshopper to *.DER as expected
by Glassfish
openssl x509 -outform der -in mycertificate.pem -out mycertificate.der
7.2 Import the certificate into the keystore
keytool -import -alias s1as -keystore keystore.jks -file mycertificate.der
8. Check keystore for certificate entry
keytool -list -keystore keystore.jks
 

[/quote]

 

Hi,

Thanks for posting what worked for you.  

So, I just ran the asadmin command you posted, and it asked for the old and
new master passwords.  It looks like asadmin also set the new keystore
password on the keystore.jks itself, and the alias too, so I didn't have to
even run keytool to change the password.  System came up after that, and SSL
is still working.

 

Thanks again,

Jim


--
[Message sent by forum member 'jimcpl']
View Post: http://forums.java.net/node/883445
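
A check for the "Check keystore for certificate entry" steps in the quoted procedure, added here as an example (it is not part of either post and not GlassFish or keytool code): it reads `keytool -list` output and confirms that the alias referenced by the listener is a PrivateKeyEntry, since an alias that holds only an imported certificate has no key to serve TLS with. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and the sample listings below are constructed.

# entry_type ALIAS: reads `keytool -list` output on stdin and prints the
# entry type recorded for ALIAS, or "missing" if the alias is not listed.
entry_type() {
    awk -v a="$1" '
        index($0, a ",") == 1 &&
        match($0, /PrivateKeyEntry|trustedCertEntry|SecretKeyEntry/) {
            print substr($0, RSTART, RLENGTH); found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# check_listener_alias ALIAS: succeeds only when ALIAS holds a private key.
check_listener_alias() {
    t=$(entry_type "$1")
    case "$t" in
        PrivateKeyEntry)  echo "OK: $1 is a PrivateKeyEntry"; return 0 ;;
        trustedCertEntry) echo "FAIL: $1 holds only a certificate, no private key"; return 1 ;;
        *)                echo "FAIL: $1 is $t"; return 1 ;;
    esac
}

# Constructed listing: a key pair was imported under s1as.
sample_keypair_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

s1as, Feb 14, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:00:00:00 (constructed)
EOF
}

# Constructed listing: only a certificate was imported under s1as.
sample_certonly_listing() {
    cat <<'EOF'
Your keystore contains 1 entry

s1as, Feb 14, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 00:00:00:00 (constructed)
EOF
}

# Against a real store: keytool -list -keystore keystore.jks | check_listener_alias s1as
sample_keypair_listing | check_listener_alias s1as
```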