SSL on Glassfishv2

We bought a real SSL cert for our OpenSSO server.  That means I need to “install it” on the Glassfishv2 installation that runs the OpenSSO app.  The new cert came with three other certs, which I now understand are the “chain” that legitimizes our cert by linking it (somehow) back to the external certificate authority.

After much thrashing, I learned these important bits of info that I don’t want to forget:

  • On my servers, $DIR is /opt/SDK.  That’s where GlassfishV2 is installed.
  • GlassfishV2 uses a Java keystore to hold its SSL cert.
  • The default keystore location is $DIR/domains/domain1/config and the file is named keystore.jks.
  • The default password for that keystore is ‘changeit’.
  • There’s a cacerts.jks in there too; ignore it, but its password is also ‘changeit’.
  • The tool of choice for working with Java keystores is ‘keytool’.
  • keytool comes with GlassfishV2.  It’s in $DIR/bin/
  • The default, self-signed SSL cert that comes with a GlassfishV2 installation has the alias ‘s1as’.
  • It is smart to work only with copies of your keystores.  🙂

The process for replacing that default SSL cert is this:

  • Create a new server key to be used when you create your CSR (certificate signing request).  Here’s the command:

keytool -genkeypair -keyalg RSA -keystore keystore.jks.new -validity 730 -alias lebabc.ansys.com

  • Create a CSR:

keytool -certreq -alias lebabc.ansys.com -file lebabc.ansys.com.generated.2010062301.csr -keystore keystore.jks.new

  • Use the contents of the file lebabc.ansys.com.generated.2010062301.csr to apply for a signed certificate from one of the SSL agencies, like Thawte or Network Solutions.
  • Somehow (e-mail, download) you’ll get a zip file containing your new, signed cert and some other certificates.
  • Install those other certificates first.  In my case, the exact commands were:

keytool -importcert -trustcacerts -alias utnaddtrustserverca -keystore keystore.jks.new -file UTNAddTrustServer_CA.crt
keytool -importcert -trustcacerts -alias addtrustexternalcaroot -keystore keystore.jks.new -file AddTrustExternalCARoot.crt
keytool -importcert -trustcacerts -alias networksolutionsca -keystore keystore.jks.new -file NetworkSolutions_CA.crt

  • Install your new, signed cert last, under the same alias you used for the key (that is how keytool knows to attach it to the private key instead of adding a separate trusted entry):

keytool -importcert -trustcacerts -alias lebabc.ansys.com -keystore keystore.jks.new -file LEBABC.ANSYS.COM.crt

  • Copy your new keystore into place and restart Glassfish.
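As an added example (not the post’s own commands, and not anything shipped with GlassFish), here is the same procedure rehearsed end to end in a scratch directory, so you can see the import order and the final state of the keystore before touching the real one. Because a real CA can’t be part of an offline script, a throwaway self-signed root generated with keytool stands in for Thawte or Network Solutions and signs the CSR with keytool -gencert. The host name, passwords, aliases and file names are constructed placeholders; the only assumption is that keytool from a JDK 7 or later is on your PATH. The server key is created straight under the alias ‘s1as’ (see the comment below on why), and the last two functions perform the check worth running before you copy the keystore into place: the alias must be a PrivateKeyEntry and its certificate chain must be longer than one.

```shell
#!/bin/sh
# Added example: rehearse the GlassFish cert replacement on a scratch copy.
# A throwaway root CA generated here stands in for the commercial CA.
# All names below are constructed placeholders, not real hosts or files.
set -eu

HOST="lebabc.example.invalid"   # placeholder host name
STOREPASS="changeit"            # GlassFish v2 default keystore password
SERVER_ALIAS="s1as"             # alias the GlassFish config files expect
WORK=""                         # scratch directory, set by rehearse()

# Stand-in for the CA: a self-signed root (BasicConstraints CA) in its own store.
make_fake_ca() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 30 -ext bc:c \
        -alias fakeroot -dname "CN=Fake Root CA,O=Example" -storetype JKS \
        -keystore "$WORK/ca.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -exportcert -rfc -alias fakeroot -keystore "$WORK/ca.jks" \
        -storepass "$STOREPASS" -file "$WORK/FakeRoot.crt"
}

# Steps 1 and 2 of the post: new key pair, then a CSR, in a *copy* keystore.
make_key_and_csr() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 730 -storetype JKS \
        -alias "$SERVER_ALIAS" -dname "CN=$HOST,O=Example" \
        -keystore "$WORK/keystore.jks.new" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -alias "$SERVER_ALIAS" -keystore "$WORK/keystore.jks.new" \
        -storepass "$STOREPASS" -file "$WORK/$HOST.csr"
}

# What the CA does with the CSR (here the throwaway root signs it).
fake_ca_sign() {
    keytool -gencert -alias fakeroot -keystore "$WORK/ca.jks" -storepass "$STOREPASS" \
        -infile "$WORK/$HOST.csr" -outfile "$WORK/$HOST.crt" -rfc -validity 30 \
        -ext "san=dns:$HOST"
}

# Steps 4 and 5: chain certs first (as trusted entries), then the signed cert
# under the SAME alias as the private key, so keytool attaches it to that key.
import_chain_then_cert() {
    keytool -importcert -noprompt -trustcacerts -alias fakeroot \
        -keystore "$WORK/keystore.jks.new" -storepass "$STOREPASS" -file "$WORK/FakeRoot.crt"
    keytool -importcert -noprompt -trustcacerts -alias "$SERVER_ALIAS" \
        -keystore "$WORK/keystore.jks.new" -storepass "$STOREPASS" -file "$WORK/$HOST.crt"
}

# Pre-deploy check: the server alias must hold a key, and its chain must be
# more than just the leaf (otherwise the import went in as a separate entry).
entry_type() {
    keytool -list -v -alias "$SERVER_ALIAS" -keystore "$WORK/keystore.jks.new" \
        -storepass "$STOREPASS" | sed -n 's/^Entry type: //p'
}
chain_length() {
    keytool -list -v -alias "$SERVER_ALIAS" -keystore "$WORK/keystore.jks.new" \
        -storepass "$STOREPASS" | sed -n 's/^Certificate chain length: //p'
}

# Runs the whole rehearsal in a fresh temp dir and prints "<type> <length>".
rehearse() {
    WORK="$(mktemp -d)"
    trap 'rm -rf "$WORK"' EXIT
    make_fake_ca >/dev/null
    make_key_and_csr >/dev/null
    fake_ca_sign >/dev/null
    import_chain_then_cert >/dev/null
    result="$(entry_type) $(chain_length)"
    rm -rf "$WORK"
    printf '%s\n' "$result"
}

if command -v keytool >/dev/null 2>&1; then
    rehearse            # expected: PrivateKeyEntry 2
else
    echo "keytool not found on PATH; nothing to rehearse" >&2
fi
```

With a real CA you would replace make_fake_ca and fake_ca_sign with the certs from the zip file, importing each chain cert under its own alias before the signed cert, exactly as in the post; the two check functions work unchanged on the real keystore.jks.new. The -validity 730 on the key pair only governs the temporary self-signed cert; once the CA-signed cert is imported, its own validity period is what the server presents.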

This guy’s post saved what’s left of my hair:  Nathan Robertson’s weblog: PositiveSSL and Apache Tomcat 6.

One Comment

  1. Mike Diehn says:

    Best to use “s1as” as the alias of the new private key. It’s used in many places in at least two config files. If you used a different alias when you created the key, like I did this time, you’ll want this:

    keytool -changealias -alias tokabc.ansys.com -destalias s1as -keystore keystore.jks

    🙂
