UPDATE 2013-03-22: Please check the updated tutorial with GoDaddy and Glassfish V3.1.2 here.
At some stage developing web applications (operating outside your fixed, LAN-wired, “secure” in-house network), your customer will hit you asking “How secure is my data? Can I access the system via https and get the golden lock?”. You will quickly answer “No problem! We use Glassfish” (just because you vaguely remember seeing some https settings in the GF admin tool). It is indeed not that hard to get started, but if you are not a security expert and not juggling certificates around every day, it might take you a while to get your web application running with the golden lock. I will summarize the steps in this tutorial to set up a Glassfish V3 domain running with https. Please feel free to comment and give feedback, I am not a security expert either (…yet).
Used for this tutorial:
- Glassfish V3
- Java keytool
- Free 90 days SSL certificate from Comodo (link)
Pre-Requirements:
- A server with an IP address and/or domain (www.somedomain.com). We need to be the owner of the domain (or at least the technical contact, more on that later)
- Basic knowledge of navigating around the Glassfish admin tool
Remarks:
- There are dozens of providers that sell you SSL certificates from 30 to 2000 U$ a year, companies like Verisign, Thawte and Comodo being the better known ones. I can't give a recommendation nor judge the individual companies. Find a list of providers here: http://www.dmoz.org/Computers/Security/Public_Key_Infrastructure/PKIX/Tools_and_Services/Third_Party_Certificate_Authorities
- We (as in ‘user’) use security on the web on a daily basis (you do online banking, right?), but trying to understand and appreciate the underlying protocols and technologies throws a steep learning curve at us! If you want to get started, a few helpful links (in case you want to have some clue while talking to a customer):
- I recommend doing this tutorial with a test setup, not a production environment.
- The tutorial shall help you get running; I do not attempt to explain all the details, you can refer to the links above and dive into any level of detail you wish to. There are dozens of options, parameters and settings; this tutorial only attempts to get it running. From there you can experiment with settings, different certificates, etc.
What do we get out-of-the-box from Glassfish?
- With the recent Version 3 (as part of the EE Netbeans package or standalone) you inherit an expired certificate. Look at your logfile and try to access https://localhost:8181
- There is no side-effect on your development or testing of your applications (except https related tests, of course). The issue is known and should be fixed with one of the next Java SE updates.
- If it bothers you, here is the remedy (remove it): Navigate to the config folder of your domain (i.e. domain1, …./sges-v3/glassfish/domains/domain1/config) and execute 'keytool -delete -keystore cacerts.jks -alias verisignserverca'
Restart the domain and it's gone (from the logfile; your browser still reminds you of an untrusted site, because the server certificate itself is still the self-signed one).
Tutorial:
- We need the Glassfish master password. If you don't have it or forgot it, we can reset it using 'asadmin change-master-password --savemasterpassword=true' (in the Glassfish/bin folder). Stop the domain first.
Note: the master password is not the same as the regular admin password that you use to access the GF admin page!
- Create keystore and CSR file
Navigate to the config folder of your domain and execute these steps.
Create keystore:
keytool -keysize 2048 -genkey -alias 10.10.10.10 -keyalg RSA -dname "CN=www.whateveryourdomainis.com,O=yourCompany,L=yourCity,S=yourState,C=yourCountry" -keypass yourmasteradminpw -storepass yourmasteradminpw -keystore server.keystore
(no-feedback command)
Create csr file:
keytool -certreq -alias 10.10.10.10 -keystore server.keystore -storepass yourmasteradminpw -keypass yourmasteradminpw -file server-2048.csr
(no-feedback command)
Check keystore:
keytool -list -v -alias 10.10.10.10 -keystore server.keystore
Note:
- Replace alias 10.10.10.10 with your server's IP address (or something else). Remember the alias, you need the very same one when importing the signed certificate and as Certificate Nickname in the listener settings.
- Replace CN with the domain name connected to the IP address (Comodo checks connectivity)
- Replace the passwords with your GF master password. Glassfish opens its keystores with the master password, so a keystore created with any other password fails at startup with "Keystore was tampered with, or password was incorrect".
- Apply for certificate from Comodo
http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html >> Click "Get it free now". Copy the CSR content that you created in the previous step into the box and select JavaWeb Server. Click Agree (and follow the subsequent steps of creating an account and validating it; a credit card is NOT required).
Please note:
- It will not work if you give the IP address as CN (you need to supply a domain that you have access to)
- Comodo kind of pings your server, obviously on port 80. If nothing listens, you get an error like ‘Your Common Name may not be an Internet-accessible IP Address!’ back
(Workaround: either configure your domain to port 80 or install Apache with 'sudo apt-get install apache2' (if you run an Ubuntu Server).)
- The trial certificate is valid for 90 days
- They only give you 1 trial per domain, you can't create a second cert on subdomains.
- It won't work with dyndns subdomains either.
- Wait for the email with the zip file containing the crt files
(This might take a while, maybe hours!)
www_whateverdomain_com.zip
- Import the CRT files
Unzip the file into your domain/config folder and execute the imports (CA certificates first, your own certificate last):
keytool -import -alias root -keystore server.keystore -trustcacerts -file AddTrustExternalCARoot.crt
(select no if it exists already)
keytool -import -alias comodo -keystore server.keystore -trustcacerts -file ComodoUTNSGCCA.crt
feedback: Certificate was added to keystore
keytool -import -alias essential -keystore server.keystore -trustcacerts -file EssentialSSLCA_2.crt
feedback: Certificate was added to keystore
keytool -import -alias utn -keystore server.keystore -trustcacerts -file UTNAddTrustSGCCA.crt
feedback: Certificate was added to keystore
keytool -import -alias 10.10.10.10 -keystore server.keystore -trustcacerts -file www_whateveryourdomainis_com.crt
feedback: Certificate reply was installed in keystore
Note: the last import must use the same alias as the key pair created earlier. With any other alias keytool just adds the file as a trusted certificate (feedback "Certificate was added to keystore" instead of "Certificate reply was installed in keystore"), and Glassfish will later complain that the alias does not identify a key entry.
- Adjust Glassfish settings with the admin tool
Open the settings page for http listener 2. Enable SSL and set the keystore filename to 'server.keystore' (or whatever name you used while creating the keystore). Set the Certificate Nickname to the alias you used (10.10.10.10 in the example); the default s1as is the self-signed key in keystore.jks.
- Restart Glassfish and access the secure site
https://www.whateverdomainname.com:8181
Depending on your browser you can click the GOLDEN LOCK and retrieve detailed info about the certificate issued by Comodo.
More optional finetuning:
- You could disable regular http access by disabling http listener 1
- Secure the admin access by enabling SSL/security there as well
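Most of the startup errors reported in the comments below ("Alias name ... does not identify a key entry", "No available certificate or key corresponds to the SSL cipher suites", the listener silently staying on keystore.jks) can be spotted offline from the output of the "Check keystore" step and the -Djavax.net.ssl.keyStore line in server.log. The following checker is an added example written for this page, not part of the tutorial or of Glassfish; the keytool listing and the JVM options it parses are constructed samples, and the function names are my own.

```python
import re

# Constructed, simplified `keytool -list -v -keystore server.keystore` output
# (real output also has serial numbers, dates and fingerprints per certificate).
SAMPLE_KEYTOOL_LIST = """\
Alias name: 10.10.10.10
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.whateveryourdomainis.com, O=yourCompany, L=yourCity, ST=yourState, C=yourCountry
Issuer: CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Certificate[2]:
Owner: CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
Issuer: CN=AddTrust External CA Root, O=AddTrust AB, C=SE

*******************************************

Alias name: root
Entry type: trustedCertEntry
Owner: CN=AddTrust External CA Root, O=AddTrust AB, C=SE
Issuer: CN=AddTrust External CA Root, O=AddTrust AB, C=SE
"""

# Constructed JVM options as server.log prints them at domain startup.
SAMPLE_JVM_OPTIONS = [
    "-Djavax.net.ssl.keyStore=/opt/glassfish/domains/domain1/config/keystore.jks",
    "-Djavax.net.ssl.trustStore=/opt/glassfish/domains/domain1/config/cacerts.jks",
]

def parse_keytool_list(text):
    """Map alias -> {type, chain_length, owner_cn}. Trusted-cert entries print
    no 'Certificate chain length' line, so theirs stays 0."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            current = line.split(":", 1)[1].strip()
            entries[current] = {"type": None, "chain_length": 0, "owner_cn": None}
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            entries[current]["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            entries[current]["chain_length"] = int(line.split(":", 1)[1])
        elif line.startswith("Owner:") and entries[current]["owner_cn"] is None:
            m = re.search(r"CN=([^,]+)", line)          # CN of the leaf certificate
            entries[current]["owner_cn"] = m.group(1).strip() if m else None
    return entries

def check_server_alias(entries, nickname, hostname):
    """Return the reasons an HTTPS listener whose Certificate Nickname is
    `nickname` would fail with this keystore (empty list = looks right)."""
    entry = entries.get(nickname)
    # Missing alias, or an alias that only holds a trusted cert: this is the
    # "Alias name <nickname> does not identify a key entry" startup error.
    if entry is None or entry["type"] != "PrivateKeyEntry":
        return [f"alias '{nickname}' does not identify a key entry; "
                "the key pair was generated under another alias"]
    problems = []
    # Key present but the CA reply was never installed on it: the chain is the
    # lone self-signed cert and browsers keep warning about an untrusted site.
    if entry["chain_length"] < 2:
        problems.append("certificate reply not installed: import the CA certs, "
                        "then the server cert under the SAME alias as the key")
    if entry["owner_cn"] != hostname:
        problems.append(f"certificate CN '{entry['owner_cn']}' does not match "
                        f"host name '{hostname}'")
    return problems

def check_jvm_keystore_option(jvm_options, listener_keystore):
    """Flag a -Djavax.net.ssl.keyStore JVM option that names a different file
    than the listener's keystore (the 'server still uses keystore.jks' case)."""
    for opt in jvm_options:
        if opt.startswith("-Djavax.net.ssl.keyStore="):
            path = opt.split("=", 1)[1]
            if path.rsplit("/", 1)[-1] != listener_keystore.rsplit("/", 1)[-1]:
                return f"JVM option points at {path} but the listener uses {listener_keystore}"
            return None
    return "no -Djavax.net.ssl.keyStore option found"

if __name__ == "__main__":
    ks = parse_keytool_list(SAMPLE_KEYTOOL_LIST)
    print(check_server_alias(ks, "10.10.10.10", "www.whateveryourdomainis.com") or "OK")
    print(check_jvm_keystore_option(SAMPLE_JVM_OPTIONS, "server.keystore"))
```

Run it against your own listing by replacing SAMPLE_KEYTOOL_LIST with the saved output of the "Check keystore" command (without -alias, so every entry is listed).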
References (sources from which I put together the pieces of the puzzle):
- http://weblogs.java.net/blog/kumarjayanti/archive/2009/08/26/configuring-non-jks-keystore-glassfish-v3
- http://weblogs.java.net/blog/kalali/archive/2010/02/27/how-install-godaddy-certificate-your-glassfish-v3
- http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2
- http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_che.html
- http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html
More to learn about security of Java EE6 (web) applications (more from application point of view)
I am getting the following exception:
SEVERE: Failed to load keystore type JKS with path server.keystore due to Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.sun.grizzly.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:328)
at com.sun.grizzly.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:266)
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:198)
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:162)
at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:349)
at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:307)
at com.sun.grizzly.config.GrizzlyEmbeddedHttps$LazySSLInitializationFilter.execute(GrizzlyEmbeddedHttps.java:171)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at com.sun.grizzly.util.FixedThreadPool$BasicWorker.dowork(FixedThreadPool.java:379)
at com.sun.grizzly.util.FixedThreadPool$BasicWorker.run(FixedThreadPool.java:360)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
… 19 more
May 3, 2010 3:37:24 PM com.sun.grizzly.config.SSLConfigHolder configureSSL
WARNING: SSL support could not be configured!
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.sun.grizzly.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:328)
at com.sun.grizzly.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:266)
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:198)
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:162)
at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:349)
at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:307)
at com.sun.grizzly.config.GrizzlyEmbeddedHttps$LazySSLInitializationFilter.execute(GrizzlyEmbeddedHttps.java:171)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at com.sun.grizzly.util.FixedThreadPool$BasicWorker.dowork(FixedThreadPool.java:379)
at com.sun.grizzly.util.FixedThreadPool$BasicWorker.run(FixedThreadPool.java:360)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
… 19 more
May 3, 2010 3:37:24 PM com.sun.grizzly.DefaultProtocolChain executeProtocolFilter
SEVERE: ProtocolChain exception
java.lang.NullPointerException
at com.sun.grizzly.filter.SSLReadFilter.newSSLEngine(SSLReadFilter.java:347)
at com.sun.grizzly.filter.SSLReadFilter.obtainSSLEngine(SSLReadFilter.java:394)
at com.sun.grizzly.filter.SSLReadFilter.execute(SSLReadFilter.java:154)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at com.sun.grizzly.util.FixedThreadPool$BasicWorker.dowork(FixedThreadPool.java:379)
at com.sun.grizzly.util.FixedThreadPool$BasicWorker.run(FixedThreadPool.java:360)
at java.lang.Thread.run(Thread.java:619)
Did you ever find out the cause for your keystore password problem? I’m getting the same error (I’m not using Glassfish, but Tomcat 6.0 within Netbeans 6.8).
Thanks,
Rebeccah
I was encountering similar problems – a variety of uninformative GRIZZLY0007 errors – on a glassfish 3.1 installation. I finally got things to work by setting the keystore, truststore, and cert-nickname in the admin console, then modifying the section of domain.xml to include key-store-password="thepassword", trust-store-password="thepassword", placing both the AS_ADMIN_PASSWORD= and AS_ADMIN_MASTERPASSWORD= in a password file that is invoked in the glassfish startup script with the --passwordfile directive, and finally by adding symbolic links domain1/cacerts.jks and domain1/server.jks for domain1/config/cacerts.jks and domain1/config/cacerts.jks
@Paul Morris, could you please elaborate on the process, for example, where to include the “keystore & truststore password values” in the domain.xml file & glassfish startup script?
Please help, I'm having the same error
What I don’t understand is: why is the keystore generated with a specific domain? If I have several Virtual Servers I also have several domains. So I’m confused as what to put as the domain for the key store.
Or is it just for administrative purposes and does not have any (direct) relation to the domains that will be served by the server?
Hi,
Excellent tutorial. I didn’t go the Comodo route but was basically able to complete the setup using openssl to generate a private key and self-sign the generated certificate request.
Openssl for windows can be downloaded here http://code.google.com/p/openssl-for-windows/downloads/list. Useful info is to be had here: http://www.openssl.org/docs/HOWTO
Also in Glassfish config the ‘Certificate Nickname’ field should be set to whatever alias you used when creating the initial keystore.
Many thanks,
Declan.
Why doesn't my glassfish have a logout log?
ADVERTENCIA: SSL support could not be configured!
java.io.IOException: 5330: Alias name verisign does not identify a key entry
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:200)
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:162)
at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:359)
at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:308)
at com.sun.grizzly.config.GrizzlyEmbeddedHttps$LazySSLInitializationFilter.execute(GrizzlyEmbeddedHttps.java:171)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
at java.lang.Thread.run(Thread.java:619)
Did you ever get a response to your error Luis? Or did you fix it yourself? I’m getting the SAME EXACT error…
I can confirm the same error. Indeed, I am tired of trying to find a solution… It is not working – do not waste your time.
I also get this error. What to do? Do you guys have a solution?
I solved the problem by making sure that I use the same key file (keystore.jks).
The first steps up to the CSR file creation used -keystore server.keystore
But after that I used -keystore keystore.jks
This resulted in java.io.IOException: 5330: Alias name verisign does not identify a key entry
Hope this helps
Nice explanation, simple, clear and complete!
Thanks!
Hi,
I followed the instructions in your post.
After I change the certificate nickname (IP address according to the URL above) and key store name (“server.keystore”) in the GUI, the server stops responding on the SSL port.
What am I doing wrong?
The server log contains the following:
GRIZZLY0007: SSL support could not be configured!
java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.checkConfig(JSSE14SocketFactory.java:455)
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:183)
at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:361)
at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:237)
at com.sun.grizzly.config.GrizzlyEmbeddedHttps$LazySSLInitializationFilter.execute(GrizzlyEmbeddedHttps.java:202)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:636)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.checkConfig(JSSE14SocketFactory.java:451
ProtocolChain exception
java.lang.NullPointerException
at com.sun.grizzly.filter.SSLReadFilter.newSSLEngine(SSLReadFilter.java:352)
at com.sun.grizzly.filter.SSLReadFilter.obtainSSLEngine(SSLReadFilter.java:399)
at com.sun.grizzly.filter.SSLReadFilter.execute(SSLReadFilter.java:159)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:636)
Thanks in advance,
Ron
Were you able to resolve this issue? I am experiencing the same error after following this tutorial, and following the SSL procedures in Oracle’s Glassfish docs.
Yes I managed to solve it by re-doing the whole thing – in the default keystore and not in a new one.
Hi All,
I am new to glassfish and Java… I am trying to start my domain using the “asadmin start-domain” command but I get this error “CLI156 Could not start the domain domain1”
I check the server.log file and see the following messages:
[#|2011-09-23T10:59:43.520-0700|WARNING|sun-appserver2.1|javax.enterprise.system.stream.err|_ThreadID=10;_ThreadName=main;_RequestID=dd03c82e-b95c-4317-9647-fdd807b031b1;|java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.enterprise.server.PELaunch.main(PELaunch.java:415)
Caused by: java.lang.ExceptionInInitializerError
at com.sun.enterprise.security.SecurityLifecycle.onInitialization(SecurityLifecycle.java:101)
at com.sun.enterprise.server.ApplicationServer.onInitialization(ApplicationServer.java:265)
at com.sun.enterprise.server.ondemand.OnDemandServer.onInitialization(OnDemandServer.java:103)
at com.sun.enterprise.server.PEMain.run(PEMain.java:399)
at com.sun.enterprise.server.PEMain.main(PEMain.java:336)
… 5 more
Caused by: java.lang.IllegalStateException: Keystore was tampered with, or password was incorrect
at com.sun.enterprise.security.SecuritySupportImpl.loadStores(SecuritySupportImpl.java:114)
at com.sun.enterprise.security.SecuritySupportImpl.initJKS(SecuritySupportImpl.java:82)
at com.sun.enterprise.security.SecuritySupportImpl.<init>(SecuritySupportImpl.java:76)
at com.sun.enterprise.security.SecuritySupportImpl.<init>(SecuritySupportImpl.java:71)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at com.sun.enterprise.pluggable.PluggableFeatureFactoryBaseImpl.invoke(PluggableFeatureFactoryBaseImpl.java:84)
at $Proxy0.getSecuritySupport(Unknown Source)
at com.sun.enterprise.security.SecurityUtil.getSecuritySupport(SecurityUtil.java:364)
at com.sun.enterprise.security.SSLUtils.<init>(SSLUtils.java:102)
… 10 more
|#]
Any help is appreciated.
Thanks.
Please help, after the procedures the site loads on http but on https it is still loading
Check your log on server startup and you will see that even if you specify the keystore name and alias in the Http listener window, the server still uses!!!! the s1as alias and keystore.jks filename!!! Just check your
glassfish_path/domains/your_domain_name/logs/server.log
and you will see that >>
-Djavax.net.ssl.keyStore=/eukleia/bin/as/glassfish/domains/elf/config/keystore.jks !!!!!!!!!!
That's why some of you were able to solve that problem by using the original keystore name.
You have to change it in 2 places in JVM Settings: JVM Options and Http Servers:Http Listeners:Https Listener-2.
If this doesn't solve your problem then it means that you screwed up your keystore or are using the wrong keystore/alias combination, as that keystore is your private/public key; without them (or using the wrong alias) you won't be able to decrypt your certificate. But you should then see a wrong key error in your log, not a “No available certificate or key corresponds to the SSL cipher suites which are enabled” in your log.
I'm too lazy to register on the Java forums or create a JIRA ticket for it 🙂
Hope this helps.
http://serverfault.com/questions/251805/issues-with-setting-up-ssl-on-glassfish-v3
Hope this helps.
If you still get the “untrusted site” warning after reading the other comments, also try this command:
keytool -import -alias 10.10.10.10 -keystore server.keystore -trustcacerts -file www_whateveryourdomainis_com.crt
I configured SSL. When try to connect to the SSL enabled port, I see the following in the server.log file:
[#|2012-05-07T08:40:17.453-0400|WARNING|glassfish3.0.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=24;_ThreadName=Thread-1;|SSL support could not be configured!
java.io.IOException: Keystore was tampered with, or password was incorrect
I presume this means that my master and key store passwords are different. What do I do to rectify this?
I tried changing the master password to match my keystore and get the same error.
Was the password issue resolved? I am getting this error when starting glassfish.
server.log has
-Djavax.net.ssl.keyStore=/apps/glassfish3/glassfish/domains/domain1/config/keystore.jks
-Djavax.net.ssl.trustStore=/apps/glassfish3/glassfish/domains/domain1/config/cacerts.jks
….
later
Caused by: java.lang.IllegalStateException: Exception when initializing KeyStore and XMLSignatureFactory [Keystore was tampered with, or password was incorrect]
at com.fico.ps.mks.ram.sso.util.SAMLSignatureUtil.<init>(SAMLSignatureUtil.java:63)
… 32 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1214)
at com.fico.ps.mks.ram.sso.util.KeyStoreUtil.loadKeyStore(KeyStoreUtil.java:61)
at com.fico.ps.mks.ram.sso.util.SAMLSignatureUtil.<init>(SAMLSignatureUtil.java:53)
… 32 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
… 36 more
We ended up changing the master password and that resolved our problem.
Hello=)
I have the s1as alias in domain.xml. So I generated the certificate like you (10.10….) with -alias s1as. Then I exported this PrivateKeyEntry and did everything as in your manual.
Now I have this exception:
java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
So, for the second night I am fighting with glassfish, but still nothing.
Please, help!=)
Hi=) I'm such an idiot=)
If you are like me:
Your private key must be with alias “my.com” and your certificate from the external service must be with alias “my.com”.
If you have an exception like “…chain…” you forgot to import the “root” and other “stuff” certificates from the external sites=)
Good luck
Thank you for this tutorial. I was able to set-up an SSL certificate in Glassfish v3.1 build 43 (for an existing https listener) on a production server on my first attempt 🙂 I’m not sure I would have known how to approach starting this without this tutorial. It certainly saved me much time and allowed me to just get on with the task.
There was one last step I had to take to get this solution to work though and that was to alter the following JVM Options (in the JVM Settings for the server-config) to match the values entered on the SSL tab for the “http listener 2 settings”:
-Dcom.sun.enterprise.security.httpsOutboundKeyAlias
-Djavax.net.ssl.keyStore
I’d also manually edited the domain.xml to replace ‘s1as’, but not sure if that was necessary. I had set the web module to be the default module for the virtual server and Glassfish was throwing an exception when I changed the SSL settings for the http listener 2. This stopped happening when I removed the default module setting. Once the certificate and SSL was configured I set it back again to be the default module. It may be that the domain.xml would have been updated when this exception was not thrown? (I didn’t have time to investigate further.)
I tried these steps in Glassfish V4.0. The non-ssl port works but the ssl port gives a connection error.