Getting started with Glassfish V3 and SSL

UPDATE 2013-03-22: Please check the updated tutorial with GoDaddy and Glassfish V3.1.2 here.

At some stage of developing web applications (operating outside your fixed, wired, “secure” in-house network), your customer will come to you asking “How secure is my data? Can I access the system via https and get the golden lock?”. You will quickly answer “No problem! We use Glassfish” (just because you vaguely remember seeing some https settings in the GF admin tool). It is indeed not that hard to get started, but if you are not a security expert and do not juggle certificates around every day, it might take you a while to get your web application running with the golden lock. In this tutorial I will summarize the steps to set up a Glassfish V3 domain running with https. Please feel free to comment and give feedback; I am not a security expert either (…yet).

Used for this tutorial:

  • Glassfish V3
  • Java keytool
  • Free 90-day SSL certificate from Comodo (link)

Pre-Requirements:

  • A server with an IP address and/or domain (www.somedomain.com). You need to be the owner of the domain (or at least its technical contact; more on that later)
  • Basic knowledge of navigating around the Glassfish admin tool

Remarks:

What do we get out of the box from Glassfish?

  • With the recent version 3 (as part of the EE Netbeans package or standalone) you inherit an expired certificate. Look at your logfile and try to access https://localhost:8181

    Untrusted certificate

    Glassfish server.log

  • There is no side effect on the development or testing of your applications (except https-related tests, of course). The issue is known and should be fixed in one of the next Java SE updates.
  • If it bothers you, here is the remedy (remove it): navigate to the config folder of your domain (i.e. domain1, …./sges-v3/glassfish/domains/domain1/config) and execute ‘keytool -delete -keystore cacerts.jks -alias verisignserverca’.
    Restart the domain and it's gone (from the logfile; your browser still reminds you of an untrusted site).

Tutorial:

  • We need the Glassfish master password. If you don't have it or forgot it, you can reset it using ‘asadmin change-master-password --savemasterpassword=true’ (in the Glassfish/bin folder). Stop the domain first.
    Note: the master password is not the same as the regular admin password that you use to access the GF admin page!
  • Create keystore and CSR file
    Navigate to the config folder of your domain and execute these steps:

    • Create keystore:
      keytool -keysize 2048 -genkey -alias 10.10.10.10 -keyalg RSA -dname "CN=www.whateveryourdomainis.com,O=yourCompany,L=yourCity,S=yourState,C=yourCountry" -keypass yourmasteradminpw -storepass yourmasteradminpw -keystore server.keystore
      (the command prints no output)
    • Create CSR file:
      keytool -certreq -alias 10.10.10.10 -keystore server.keystore -storepass yourmasteradminpw -keypass yourmasteradminpw -file server-2048.csr
      (the command prints no output)
    • Check keystore:
      keytool -list -v -alias 10.10.10.10 -keystore server.keystore

    Note:

    • Replace the alias 10.10.10.10 with your server's IP address (or any other name)
    • Replace the CN with the domain name that resolves to that IP address (Comodo checks connectivity)
    • Replace the passwords with your GF master password
  • Apply for certificate from Comodo
    http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html >> Click Get it free now

    Free SSL certificate

    Copy the CSR content you created in the previous step into the box and select JavaWeb Server. Click Agree (and follow the subsequent steps of creating an account and validating it; a credit card is NOT required).
    Please note:

    • It will not work if you give the IP address as CN (you need to supply a domain that you have access to)
    • Comodo pings your server, obviously on port 80. If nothing listens there, you get an error like ‘Your Common Name may not be an Internet-accessible IP Address!’ back
      (Workaround: either configure your domain to listen on port 80 or install Apache with ‘sudo apt-get install apache2’, if you run an Ubuntu server.)
    • The trial certificate is valid for 90 days
    • They only give you one trial per domain; you can't create a second certificate for a subdomain.
    • It won't work with dyndns subdomains either.
  • Wait for the email with the zip file containing the CRT files
    (This might take a while, maybe hours!)
    www_whateverdomain_com.zip

    CRT files

  • Import the CRT files
    Unzip the file into your domain/config folder and execute the imports

    • keytool -import -alias root -keystore server.keystore -trustcacerts -file AddTrustExternalCARoot.crt
      answer no if it already exists
    • keytool -import -alias comodo -keystore server.keystore -trustcacerts -file ComodoUTNSGCCA.crt
      feedback: Certificate was added to keystore
    • keytool -import -alias essential -keystore server.keystore -trustcacerts -file EssentialSSLCA_2.crt
      feedback: Certificate was added to keystore
    • keytool -import -alias utn -keystore server.keystore -trustcacerts -file UTNAddTrustSGCCA.crt
      feedback: Certificate was added to keystore
    • keytool -import -alias 10.10.10.10 -keystore server.keystore -trustcacerts -file www_whateveryourdomainis_com.crt
      feedback: Certificate reply was installed in keystore
  • Adjust the Glassfish settings with the admin tool
    Open the settings page for http listener 2.
    Enable SSL and set the keystore filename to ‘server.keystore’ (or whatever name you used while creating the keystore).

    http listener 2 settings

  • Restart Glassfish and Access the secure site

    https://www.whateverdomainname.com:8181

    Secure Site

    Depending on your browser you can click the GOLDEN LOCK and retrieve detailed information about the certificate issued by Comodo.

    Trusted Site Info
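
Before restarting the domain it pays to verify that the keystore holds what the listener expects: the alias you enter as the listener's certificate nickname must be a PrivateKeyEntry, the Comodo reply must actually have been installed (chain length greater than 1), and the CN must match the host name; these are exactly the states behind the “does not identify a key entry”, “No available certificate or key” and “untrusted site” reports in the comments. The Python script below is an added example and not part of this tutorial: it parses the output of the `keytool -list -v` check command used above against a constructed sample listing; the function names are my own, and `keytool_list` merely wraps the real keytool call.

```python
# Added example (not from the post): parse `keytool -list -v` output and flag the
# keystore states behind the errors reported in the comments. Names are my own.
import re
import subprocess


def parse_keytool_listing(listing: str) -> dict:
    """Map alias -> {type, chain_length, owner} from `keytool -list -v` text."""
    entries = {}
    # keytool separates entries with lines of asterisks; split on them.
    for block in re.split(r"^\*{5,}$", listing, flags=re.M):
        alias = re.search(r"^Alias name:\s*(.+)$", block, re.M)
        if not alias:
            continue
        etype = re.search(r"^Entry type:\s*(\S+)", block, re.M)
        chain = re.search(r"^Certificate chain length:\s*(\d+)", block, re.M)
        # The first "Owner:" of a key entry is Certificate[1], the server cert.
        owner = re.search(r"^Owner:\s*(.+)$", block, re.M)
        entries[alias.group(1).strip()] = {
            "type": etype.group(1) if etype else "",
            "chain_length": int(chain.group(1)) if chain else 1,  # trusted certs: 1
            "owner": owner.group(1).strip() if owner else "",
        }
    return entries


def cn_of(dn: str) -> str:
    """Extract the CN attribute from a keytool-printed distinguished name."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else ""


def diagnose(listing: str, nickname: str, hostname: str) -> list:
    """Problems with the entry the listener's certificate nickname points at.

    Empty list: key entry present, CA reply imported, CN matches the host name.
    """
    entry = parse_keytool_listing(listing).get(nickname)
    if entry is None:
        return [f"alias {nickname!r} not in keystore: the nickname must equal the "
                "-alias given to keytool -genkey"]
    if entry["type"] != "PrivateKeyEntry":
        return [f"alias {nickname!r} is {entry['type']}, not a PrivateKeyEntry: "
                "Glassfish reports 'does not identify a key entry'"]
    problems = []
    if entry["chain_length"] < 2:
        problems.append("chain length 1: the CA's certificate reply was never "
                        "imported, so browsers still warn about an untrusted site")
    cn = cn_of(entry["owner"])
    if cn.lower() != hostname.lower():
        problems.append(f"certificate CN {cn!r} does not match host name {hostname!r}")
    return problems


def keytool_list(keystore: str, storepass: str) -> str:
    """Run the tutorial's check command; a failure saying 'Keystore was tampered
    with, or password was incorrect' means storepass is not the -storepass used
    at -genkey time (for Glassfish: the domain master password)."""
    cmd = ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed, abbreviated sample of `keytool -list -v` output after the import step.
SAMPLE_LISTING = """Your keystore contains 2 entries

Alias name: 10.10.10.10
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=www.whateveryourdomainis.com, O=yourCompany, L=yourCity, ST=yourState, C=yourCountry
Issuer: CN=EssentialSSL CA, O=COMODO CA Limited, C=GB

*******************************************
*******************************************

Alias name: root
Entry type: trustedCertEntry
Owner: CN=AddTrust External CA Root, O=AddTrust AB, C=SE
"""
# The same keystore before the CA reply was imported (self-signed key only).
SAMPLE_BEFORE_REPLY = SAMPLE_LISTING.replace("chain length: 4", "chain length: 1")

if __name__ == "__main__":
    for label, text in (("after import", SAMPLE_LISTING), ("before import", SAMPLE_BEFORE_REPLY)):
        print(label, diagnose(text, "10.10.10.10", "www.whateveryourdomainis.com") or "OK")
```

Run it against `keytool_list("server.keystore", master_password)` on the real domain; each reported problem maps to one of the keytool or listener steps above that needs redoing.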

More optional fine-tuning:

  • You could disable regular http access by disabling http listener 1

    Disable http listener 1

  • Secure the admin access by enabling SSL/security there as well

    Secure admin access

References (sources from which I put together the pieces of the puzzle):

More to learn about security of Java EE6 (web) applications (more from application point of view)


37 thoughts on “Getting started with Glassfish V3 and SSL”

  1. I am getting the following exception:

    SEVERE: Failed to load keystore type JKS with path server.keystore due to Keystore was tampered with, or password was incorrect
    java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at com.sun.grizzly.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:328)
    at com.sun.grizzly.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:266)
    at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:198)
    at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:162)
    at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:349)
    at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:307)
    at com.sun.grizzly.config.GrizzlyEmbeddedHttps$LazySSLInitializationFilter.execute(GrizzlyEmbeddedHttps.java:171)
    at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
    at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
    at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
    at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
    at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
    at com.sun.grizzly.util.FixedThreadPool$BasicWorker.dowork(FixedThreadPool.java:379)
    at com.sun.grizzly.util.FixedThreadPool$BasicWorker.run(FixedThreadPool.java:360)
    at java.lang.Thread.run(Thread.java:619)
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
    … 19 more
    May 3, 2010 3:37:24 PM com.sun.grizzly.config.SSLConfigHolder configureSSL
    WARNING: SSL support could not be configured!
    java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
    at java.security.KeyStore.load(KeyStore.java:1185)
    at com.sun.grizzly.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:328)
    at com.sun.grizzly.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:266)
    at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:198)
    at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:162)
    at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:349)
    at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:307)
    at com.sun.grizzly.config.GrizzlyEmbeddedHttps$LazySSLInitializationFilter.execute(GrizzlyEmbeddedHttps.java:171)
    at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
    at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
    at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
    at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
    at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
    at com.sun.grizzly.util.FixedThreadPool$BasicWorker.dowork(FixedThreadPool.java:379)
    at com.sun.grizzly.util.FixedThreadPool$BasicWorker.run(FixedThreadPool.java:360)
    at java.lang.Thread.run(Thread.java:619)
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
    … 19 more
    May 3, 2010 3:37:24 PM com.sun.grizzly.DefaultProtocolChain executeProtocolFilter
    SEVERE: ProtocolChain exception
    java.lang.NullPointerException
    at com.sun.grizzly.filter.SSLReadFilter.newSSLEngine(SSLReadFilter.java:347)
    at com.sun.grizzly.filter.SSLReadFilter.obtainSSLEngine(SSLReadFilter.java:394)
    at com.sun.grizzly.filter.SSLReadFilter.execute(SSLReadFilter.java:154)
    at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
    at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
    at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
    at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
    at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
    at com.sun.grizzly.util.FixedThreadPool$BasicWorker.dowork(FixedThreadPool.java:379)
    at com.sun.grizzly.util.FixedThreadPool$BasicWorker.run(FixedThreadPool.java:360)
    at java.lang.Thread.run(Thread.java:619)

    • Did you ever find out the cause for your keystore password problem? I’m getting the same error (I’m not using Glassfish, but Tomcat 6.0 within Netbeans 6.8).

      Thanks,

      Rebeccah

    • I was encountering similar problems – a variety of uninformative GRIZZLY0007 errors – on a glassfish 3.1 installation. I finally got things to work by setting the keystore, truststore, and cert-nickname in the admin console, then modifying the section of domain.xml to include key-store-password="thepassword", trust-store-password="thepassword", placing both the AS_ADMIN_PASSWORD= and AS_ADMIN_MASTERPASSWORD= in a password file that is invoked in the glassfish startup script with the --passwordfile directive, and finally by adding symbolic links domain1/cacerts.jks and domain1/server.jks for domain1/config/cacerts.jks and domain1/config/cacerts.jks

      • @Paul Morris, Could you please elaborate on the process, for example, where to include the “keystore & truststore password values” in the domain.xml file & glassfish startup script ?

  2. What I don’t understand is: why is the keystore generated with a specific domain? If I have several Virtual Servers I also have several domains. So I’m confused as what to put as the domain for the key store.

    Or is it just for administrative purposes and does not have any (direct) relation to the domains that will be served by the server?

  3. Hi,
    Excellent tutorial. I didn’t go the Comodo route but was basically able to complete the setup using openssl to generate a private key and self-sign the generated certificate request.
    Openssl for windows can be downloaded here http://code.google.com/p/openssl-for-windows/downloads/list. Useful info is to be had here: http://www.openssl.org/docs/HOWTO

    Also in Glassfish config the ‘Certificate Nickname’ field should be set to whatever alias you used when creating the initial keystore.

    Many thanks,
    Declan.

  4. ADVERTENCIA: SSL support could not be configured!
    java.io.IOException: 5330: Alias name verisign does not identify a key entry
    at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:200)
    at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:162)
    at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:359)
    at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:308)
    at com.sun.grizzly.config.GrizzlyEmbeddedHttps$LazySSLInitializationFilter.execute(GrizzlyEmbeddedHttps.java:171)
    at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
    at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
    at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
    at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
    at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
    at java.lang.Thread.run(Thread.java:619)

    • I solved the problem by making sure that I use the same key file (keystore.jks).
      The first steps up to the CSR file creation used -keystore server.keystore

      But after that I used -keystore keystore.jks
      This resulted in java.io.IOException: 5330: Alias name verisign does not identify a key entry

      Hope this helps

  5. Hi,

    I followed the instructions in your post.
    After I change the certificate nickname (IP address according to the URL above) and key store name (“server.keystore”) in the GUI, the server stops responding on the SSL port.

    What Am I doing wrong?

    The server log contains the following:

    GRIZZLY0007: SSL support could not be configured! java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.checkConfig(JSSE14SocketFactory.java:455)
    at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:183)
    at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:361)
    at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:237)
    at com.sun.grizzly.config.GrizzlyEmbeddedHttps$LazySSLInitializationFilter.execute(GrizzlyEmbeddedHttps.java:202)
    at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
    at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
    at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
    at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
    at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
    at java.lang.Thread.run(Thread.java:636)
    Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
    at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
    at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.checkConfig(JSSE14SocketFactory.java:451

    ProtocolChain exception java.lang.NullPointerException
    at com.sun.grizzly.filter.SSLReadFilter.newSSLEngine(SSLReadFilter.java:352)
    at com.sun.grizzly.filter.SSLReadFilter.obtainSSLEngine(SSLReadFilter.java:399)
    at com.sun.grizzly.filter.SSLReadFilter.execute(SSLReadFilter.java:159)
    at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
    at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
    at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
    at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
    at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
    at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
    at java.lang.Thread.run(Thread.java:636)

    Thanks in advance,
    Ron

    • Were you able to resolve this issue? I am experiencing the same error after following this tutorial, and following the SSL procedures in Oracle’s Glassfish docs.

      • Yes I managed to solve it by re-doing the whole thing – in the default keystore and not in a new one.

  6. Pingback: Issues with setting up SSL on Glassfish v3 - Admins Goodies

  7. Hi All,
    I am new to glassfish and java… I am trying to start my domain using the “asadmin start-domain” command but I get this error “CLI156 Could not start the domain domain1”
    I check the server.log file and see the following messages:
    [#|2011-09-23T10:59:43.520-0700|WARNING|sun-appserver2.1|javax.enterprise.system.stream.err|_ThreadID=10;_ThreadName=main;_RequestID=dd03c82e-b95c-4317-9647-fdd807b031b1;|java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.sun.enterprise.server.PELaunch.main(PELaunch.java:415)
    Caused by: java.lang.ExceptionInInitializerError
    at com.sun.enterprise.security.SecurityLifecycle.onInitialization(SecurityLifecycle.java:101)
    at com.sun.enterprise.server.ApplicationServer.onInitialization(ApplicationServer.java:265)
    at com.sun.enterprise.server.ondemand.OnDemandServer.onInitialization(OnDemandServer.java:103)
    at com.sun.enterprise.server.PEMain.run(PEMain.java:399)
    at com.sun.enterprise.server.PEMain.main(PEMain.java:336)
    ... 5 more
    Caused by: java.lang.IllegalStateException: Keystore was tampered with, or password was incorrect
    at com.sun.enterprise.security.SecuritySupportImpl.loadStores(SecuritySupportImpl.java:114)
    at com.sun.enterprise.security.SecuritySupportImpl.initJKS(SecuritySupportImpl.java:82)
    at com.sun.enterprise.security.SecuritySupportImpl.<init>(SecuritySupportImpl.java:76)
    at com.sun.enterprise.security.SecuritySupportImpl.<init>(SecuritySupportImpl.java:71)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at com.sun.enterprise.pluggable.PluggableFeatureFactoryBaseImpl.invoke(PluggableFeatureFactoryBaseImpl.java:84)
    at $Proxy0.getSecuritySupport(Unknown Source)
    at com.sun.enterprise.security.SecurityUtil.getSecuritySupport(SecurityUtil.java:364)
    at com.sun.enterprise.security.SSLUtils.<init>(SSLUtils.java:102)
    ... 10 more
    |#]

    Any help is appreciated.
    Thanks.

  8. Check your log on server startup and you will see that even if you specify the keystore name and alias in the Http listener window, the server still uses!!!! the s1as and keystore.jks filename !!! Just check your
    glassfish_path/domains/your_domain_name/logs/server.log
    and you will see that >>
    -Djavax.net.ssl.keyStore=/eukleia/bin/as/glassfish/domains/elf/config/keystore.jks !!!!!!!!!!
    That's why some of you were able to solve that problem by using the original keystore name.
    You have to change it in 2 places in JVM Settings: JVM Options and Http Servers:Http Listeners:Https Listener-2,

    If this doesn't solve your problem then it means that you screwed up your keystore or are using the wrong keystore alias combination, as that keystore is your private/public key; without them (or using the wrong alias) you won't be able to decrypt your certificate. But you should then see a wrong key in your log, not a “No available certificate or key corresponds to the SSL cipher suites which are enabled” in your log.

    I'm too lazy to register on the java forums or create a jira ticket for it :)
    Hope this helps.

  9. Pingback: Tab Sweep: Java EE 6 Scopes, Observer, SSL, Workshop, Virtual Server, JDBC Connection Validation « oracle fusion identity

  10. Pingback: RE: problemas con company.security.auth.requires.https=true no funciona - Forums - Liferay.com

  11. if you still get “untrusted site” warning, after reading other comments, also try this command:
    keytool -import -alias 10.10.10.10 -keystore server.keystore -trustcacerts -file www_whateveryourdomainis_com.crt

  12. I configured SSL. When try to connect to the SSL enabled port, I see the following in the server.log file:
    [#|2012-05-07T08:40:17.453-0400|WARNING|glassfish3.0.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=24;_ThreadName=Thread-1;|SSL support could not be configured!
    java.io.IOException: Keystore was tampered with, or password was incorrect

    I presume this means that my master and key store passwords are different. What do I do to rectify this?

  13. Pingback: Issues with setting up SSL on Glassfish v3 | PHP Developer Resource

  14. server.log has
    -Djavax.net.ssl.keyStore=/apps/glassfish3/glassfish/domains/domain1/config/keystore.jks

    -Djavax.net.ssl.trustStore=/apps/glassfish3/glassfish/domains/domain1/config/cacerts.jks

    ….

    later
    Caused by: java.lang.IllegalStateException: Exception when initializing KeyStore and XMLSignatureFactory [Keystore was tampered with, or password was incorrect]
    at com.fico.ps.mks.ram.sso.util.SAMLSignatureUtil.<init>(SAMLSignatureUtil.java:63)
    … 32 more
    Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
    at java.security.KeyStore.load(KeyStore.java:1214)
    at com.fico.ps.mks.ram.sso.util.KeyStoreUtil.loadKeyStore(KeyStoreUtil.java:61)
    at com.fico.ps.mks.ram.sso.util.SAMLSignatureUtil.<init>(SAMLSignatureUtil.java:53)
    … 32 more
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
    … 36 more

  15. Pingback: Glassfish V3 SSL configuration CipherSuites may not be null at

  16. Pingback: Glassfish V3.1.2 and SSL | The JavaDude Weblog

  17. Hello=)

    I have the s1as alias in domain.xml. So I generated a certificate like you (10.10….) with -alias s1as. Then I exported this PrivateKeyEntry and did everything like in your manual.

    Now i have exception:
    java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.

    So, for the second night I'm fighting with glassfish, but still nothing.

    Please, help!=)

    • Hi=) I'm such an idiot=)
      If you are like me:

      Your private key must be with alias “my.com” and your certificate from the external service must be with alias “my.com”.

      If you have an exception like “…chain…” you forgot to import the “root” and other “stuff” certificates from the external sites=)

      Good luck

  18. Thank you for this tutorial. I was able to set up an SSL certificate in Glassfish v3.1 build 43 (for an existing https listener) on a production server on my first attempt :-) I'm not sure I would have known how to approach starting this without this tutorial. It certainly saved me much time and allowed me to just get on with the task.

    There was one last step I had to take to get this solution to work though and that was to alter the following JVM Options (in the JVM Settings for the server-config) to match the values entered on the SSL tab for the “http listener 2 settings”:

    -Dcom.sun.enterprise.security.httpsOutboundKeyAlias
    -Djavax.net.ssl.keyStore

    I’d also manually edited the domain.xml to replace ‘s1as’, but not sure if that was necessary. I had set the web module to be the default module for the virtual server and Glassfish was throwing an exception when I changed the SSL settings for the http listener 2. This stopped happening when I removed the default module setting. Once the certificate and SSL was configured I set it back again to be the default module. It may be that the domain.xml would have been updated when this exception was not thrown? (I didn’t have time to investigate further.)
