Hot questions for Using GlassFish in ssl

Question:

GlassFish lets you set the SSL certificate nickname through its admin console, as highlighted in the picture below:

But almost every tutorial on the web mentions that it is necessary to replace all occurrences of the default SSL nickname (s1as) in the domain.xml file with the one that will be used (i.e. mydomain.com).

So what is the proper way of setting the certificate nickname?


Answer:

It is very likely that the admin console is just updating the domain.xml file anyway. In either case, it is good practice to avoid modifying the domain.xml file wherever possible. There is no official advice in the Security Guide for GF4 and the only mention of the certificate nickname is:

If you enable secure admin on an SSL-enabled GlassFish Server installation, secure admin uses the existing value as the DAS admin alias for secure admin.

https://glassfish.java.net/docs/4.0/security-guide.pdf

Changing the nickname isn't actually necessary, from a functional perspective. When you import your key/cert to the keystores you can just use the same name to replace the existing cert, which is perfectly valid.


Edit: To change alias names with the asadmin command, you can use enable-secure-admin with either --instancealias myNewAlias or --adminalias myOtherNewAlias (or both).

The default for adminalias is s1as and the default for instancealias is glassfish-instance.

Question:

I have to call a SOAP web service having client authentication over HTTPS.

I have imported the client certificate (obtained from the company hosting the server) into my keyStore file. I also imported the server certificate (downloaded from the server) into my trustStore. I have set 'javax.net.ssl.keyStore' and 'javax.net.ssl.keyStorePassword' to the appropriate values.

When I call the web-service from a simple java client (including just some additional jars), the call works and I get a result from the server.

When I call the web-service from within glassfish-4 (same java, same keyStore, same trustStore, same 'javax.net.ssl.keyStore' value etc), I get an exception 'com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca'.

I use the same Java, same keyStore, same trustStore in both cases. The first version without GlassFish works, so the certificates seem to be ok. The second version with GlassFish does not.

Does glassfish-4 do anything specific? Can it be a problem of other (third party) libraries? Are there any additional HTTP/SSL settings that I can try out? What else can it be?

Does anybody have an idea? Thanks for the help.


Answer:

I have found the problem.

Glassfish needs the additional VM property 'com.sun.enterprise.security.httpsOutboundKeyAlias'. This has to be set to the alias of the client certificate.

By default this is set in domain.xml in the java-config area, as -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as.

Change the value s1as to the alias of the certificate.
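A check covering the first two answers (the cert-nickname values the admin console writes into domain.xml, and the httpsOutboundKeyAlias JVM option for outbound client certificates): this is an added example, not code from either answerer. It assumes keytool from the JDK is on PATH; the domain.xml fragment it writes is a constructed, trimmed sample in the GlassFish 4 shape, and the paths in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example (not from the original answers): cross-check the aliases
# GlassFish references in domain.xml against the aliases that actually
# exist in keystore.jks. Covers both the ssl cert-nickname attributes the
# admin console writes and the httpsOutboundKeyAlias JVM option used for
# client certificates on outbound HTTPS calls. Assumes keytool (JDK) on
# PATH; the domain.xml below is a trimmed, constructed sample.

# Every cert-nickname="..." value in domain.xml, de-duplicated, one per line.
domain_cert_nicknames() {
    grep -o 'cert-nickname="[^"]*"' "$1" 2>/dev/null \
        | sed 's/cert-nickname="\(.*\)"/\1/' | sort -u
}

# The alias presented as the client certificate on outbound HTTPS (from the
# -Dcom.sun.enterprise.security.httpsOutboundKeyAlias jvm-option).
domain_outbound_alias() {
    grep -o 'httpsOutboundKeyAlias=[^<"]*' "$1" 2>/dev/null \
        | sed 's/.*=//' | head -n 1
}

# Aliases present in a keystore, via "keytool -list -v". Empty output means
# keytool failed (missing file, wrong password, no JDK on PATH).
keystore_aliases() {
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null \
        | sed -n 's/^Alias name: //p'
}

# Print one line per referenced alias; return 1 if any is missing from the
# keystore. A missing cert-nickname breaks the listener; a missing outbound
# alias means no client certificate is sent and the peer rejects the call.
check_aliases() {
    domain_xml=$1; keystore=$2; storepass=$3
    have=$(keystore_aliases "$keystore" "$storepass")
    status=0
    for want in $(domain_cert_nicknames "$domain_xml") $(domain_outbound_alias "$domain_xml"); do
        if printf '%s\n' "$have" | grep -qxF "$want"; then
            echo "ok       $want"
        else
            echo "MISSING  $want  (referenced in $domain_xml, absent from $keystore)"
            status=1
        fi
    done
    return "$status"
}

# Constructed domain.xml fragment in the GlassFish 4 shape, for trying the
# functions above without an installation.
write_sample_domain_xml() {
    cat > "$1" <<'EOF'
<domain>
  <configs>
    <config name="server-config">
      <java-config>
        <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as</jvm-options>
        <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
      </java-config>
      <network-config>
        <protocols>
          <protocol security-enabled="true" name="http-listener-2">
            <ssl cert-nickname="mydomain.com"></ssl>
          </protocol>
          <protocol security-enabled="true" name="sec-admin-listener">
            <ssl cert-nickname="s1as" client-auth="want"></ssl>
          </protocol>
        </protocols>
      </network-config>
    </config>
  </configs>
</domain>
EOF
}

# Stand-alone use: sh check-aliases.sh domain.xml keystore.jks changeit
# With no arguments, run against the constructed sample (every alias is
# reported missing because no keystore exists at that path).
if [ "$#" -eq 3 ]; then
    check_aliases "$1" "$2" "$3"
elif [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d)
    write_sample_domain_xml "$tmp/domain.xml"
    check_aliases "$tmp/domain.xml" "$tmp/keystore.jks" changeit || true
    rm -rf "$tmp"
fi
```

Run it as `sh check-aliases.sh /path/to/domain.xml /path/to/keystore.jks changeit` after any alias change. If the outbound alias needs to change, the first answer's advice about not hand-editing domain.xml applies here too: `asadmin delete-jvm-options` on the old `-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as` entry followed by `asadmin create-jvm-options` with the new value writes the same java-config entry, and the domain has to be restarted before the new JVM option takes effect.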

Question:

I created my own CA root certificate that I use to sign one of the domains on the server. I have tested the cert from the browser as well as through JavaSE HttpsURLConnection. Everything works except for GlassFish. How can I troubleshoot it?

Note: for testing I have created a self-signed certificate and it works with GlassFish. What am I missing? Please help! Why doesn't the CA root cert work with GlassFish?


Answer:

You have to add your root certificate to glassfish's keystore.

First, find them:

find "$GLASSFISH_HOME" -type f \( -name keystore.jks -o -name cacerts.jks -o -name cacerts \)

and add it with keytool:

$JAVA_HOME/bin/keytool -importcert -keystore "/path/found/cacerts.jks" \
    -storepass changeit -alias [[SET YOUR OWN ALIAS]] -noprompt -file YOUR-OWN-ROOT-CA.crt
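To answer the "how can I troubleshoot it" part, here is an added example (not the answerer's code) that locates GlassFish's stores and confirms the private root CA is actually present in the trust store, matching by certificate fingerprint rather than by the alias chosen at import. It assumes keytool (JDK) and openssl are on PATH; the installation root, trust store, password and certificate file names passed in are placeholders.

```shell
#!/bin/sh
# Added example (not the answerer's code): locate GlassFish's key/trust
# stores and confirm that a private root CA is really in the trust store,
# so a failing handshake can be traced to a missing trust anchor rather
# than to the certificate itself. Assumes keytool (JDK) and openssl are
# on PATH; GLASSFISH_HOME and the file names passed in are placeholders.

# Every keystore/truststore below the installation root. The parentheses
# matter: without them "-type f" binds only to the first -name test and a
# directory that happens to be called "cacerts" would be listed too.
find_glassfish_stores() {
    find "$1" -type f \( -name keystore.jks -o -name cacerts.jks -o -name cacerts \) 2>/dev/null
}

# Reduce a fingerprint line from keytool ("SHA256: AB:CD:..") or openssl
# ("sha256 Fingerprint=AB:CD:..") to bare upper-case hex for comparison.
normalize_fingerprint() {
    printf '%s\n' "$1" | awk '{print $NF}' | sed 's/^.*=//' \
        | tr -d ':' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint line of a certificate file (PEM or DER).
cert_fingerprint() {
    keytool -printcert -file "$1" 2>/dev/null | grep 'SHA256:' | head -n 1
}

# SHA-256 fingerprint lines of every entry in a JKS trust store.
truststore_fingerprints() {
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null | grep 'SHA256:'
}

# 0 when the CA file is present in the trust store (matched by fingerprint,
# not by alias, since the alias is whatever you chose at import time).
truststore_has_cert() {
    store=$1; storepass=$2; cafile=$3
    want=$(normalize_fingerprint "$(cert_fingerprint "$cafile")")
    if [ -z "$want" ]; then
        echo "could not read $cafile (is keytool on PATH?)"; return 1
    fi
    truststore_fingerprints "$store" "$storepass" \
        | while IFS= read -r line; do normalize_fingerprint "$line"; done \
        | grep -qxF "$want"
}

# Offline check that the server certificate chains to the private root
# (what the browser and HttpsURLConnection already verified successfully).
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Live check against the running endpoint, trusting only the private root;
# a verify error here reproduces what GlassFish sees when the root is absent.
live_chain_verifies() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Stand-alone use: sh check-ca.sh "$GLASSFISH_HOME" cacerts.jks changeit ca.crt
if [ "$#" -eq 4 ]; then
    echo "stores under $1:"; find_glassfish_stores "$1"
    if truststore_has_cert "$2" "$3" "$4"; then
        echo "root CA is trusted by $2"
    else
        echo "root CA is NOT in $2 -> import it with keytool -importcert"
    fi
fi
```

If `truststore_has_cert` fails, run the keytool -importcert line from the answer against the cacerts.jks that `find_glassfish_stores` reported for the domain in question, then restart the domain: the trust store is read when the JVM starts, so an import alone does not change what a running GlassFish trusts. When `chain_verifies` fails too, the problem is in the issued certificate rather than in GlassFish's trust store.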