users@glassfish.java.net

Glassfish 3.1.1.3 looking in wrong .jks file for certificate alias

From: <forums_at_java.net>
Date: Thu, 25 Oct 2012 03:43:18 -0500 (CDT)

We have a server certificate alias called 'server_cert' which is our
replacement of the default 's1as' in keystore.jks. Our aim is to secure the
GlassFish admin console with the command 'enable-secure-admin'. This is how
we are using it:

    /opt/SUNWappserver/glassfish/bin/asadmin --user admin \
        --passwordfile /opt/SUNWappserver/glassfish/private/passwordfile \
        --port 4848 \
        enable-secure-admin --adminalias server_cert \
        --instancealias glassfish-instance

With these JVM options:

    -Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks
    -Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks

For reference, these are the commands we run to show that the server_cert
alias is in the keystore.jks file but not the cacerts.jks file.

    keytool -list -keystore /opt/SUNWappserver/glassfish/domains/domain1/config/keystore.jks | grep 'server_cert'
    Enter keystore password: **************
    server_cert, Nov 12, 2008, PrivateKeyEntry,

    keytool -list -keystore /opt/SUNWappserver/glassfish/domains/domain1/config/cacerts.jks | grep 'server_cert'
    Enter keystore password: **************

This is the error we receive back from asadmin when trying to run the
enable-secure-admin command:

    remote failure: Error enabling secure admin :
    org.jvnet.hk2.config.TransactionFailure: java.lang.RuntimeException:
    java.lang.IllegalArgumentException: Could not find the alias server_cert in
    the trust store
    java.lang.RuntimeException:
    java.lang.IllegalArgumentException: Could not find the alias server_cert in
    the trust store
    Command enable-secure-admin failed.

What is most confusing is that we never had this issue before we upgraded to
GlassFish 3.1.1.3 (build 2). This method of enabling the secure admin listener
works on 3.1 (build 43). Is this a bug introduced by Oracle in the new version
of GlassFish, I wonder?

And, just for reference's sake, we tried putting the alias into the
truststore file (cacerts.jks), which works, but it is not what we want to do.
We can ONLY have it in the keystore.jks file.

Thanks very much for any help given.

--
[Message sent by forum member 'danbeddoe']
View Post: http://forums.java.net/node/891746
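
The alias check from the post, written as an added example that is not part of the original message: it matches the alias exactly (a plain grep for 'server_cert' would also match an alias such as 'server_cert_old') and reports the entry type found in each store. The function names and both sample listings are constructed for illustration; the parser assumes non-verbose `keytool -list` output with English-locale dates, as shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Listings below are constructed.
# Assumes non-verbose `keytool -list` output with English dates, as in the post.

# entry_type ALIAS: read a `keytool -list` listing on stdin and print the type
# of the entry whose alias is exactly ALIAS, or "absent" if there is none.
# Against a real store: keytool -list -keystore "$STORE" | entry_type server_cert
entry_type() {
    awk -F', *' -v a="$1" '
        NF >= 4 && $1 == a && $4 ~ /Entry$/ { print $4; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# alias_report ALIAS KEYSTORE_LISTING TRUSTSTORE_LISTING
# Prints one line: keystore=<type|absent> truststore=<type|absent>
alias_report() {
    ks=$(printf '%s\n' "$2" | entry_type "$1")
    ts=$(printf '%s\n' "$3" | entry_type "$1")
    echo "keystore=$ks truststore=$ts"
}

# Constructed listing standing in for keystore.jks
KEYSTORE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

server_cert, Nov 12, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): <constructed placeholder>
glassfish-instance, Nov 12, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): <constructed placeholder>'

# Constructed listing standing in for cacerts.jks; it holds a similarly named
# alias that a substring grep would report as a hit.
TRUSTSTORE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

server_cert_old, Nov 12, 2007, trustedCertEntry,
Certificate fingerprint (MD5): <constructed placeholder>
example_root_ca, Jan 5, 2006, trustedCertEntry,
Certificate fingerprint (MD5): <constructed placeholder>'

alias_report server_cert "$KEYSTORE_LISTING" "$TRUSTSTORE_LISTING"
```

A result of `keystore=PrivateKeyEntry truststore=absent` is the state the error message in the post describes.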