Getting started with Glassfish V3 and SSL

UPDATE 2013-03-22: Please check the updated tutorial with GoDaddy and Glassfish V3.1.2 here.

At some stage developing web applications (operating outside you fix lan-wired, “secure” in-house network), your customer will hit you asking “How secure is my data ? Can I access the system via https and get the golden lock ?”. You will quickly answer “No problem ! We use Glassfish” (just because you remember vaguely seeing some https settings in the GF admin tool). It is indeed not that hard to get started but if you are not an security expert and not joggling certificates around, it might take you a while to get your web application running with the golden lock. I will summarize the steps in this tutorial to setup a Glassfish V3 domain running with https.  Please feel free to comment and feedback, I am not an security expert either (…yet).

Used for this tutorial:

• Glassfish V3
• Java keytool
• Free 90 days SSL certificate from Comodo (link)

Pre-Requirements:

• A  server with an IP address and/or domain (www.somedomain.com). We need to be the owner of the domain (or at least the technical contact, more on that later)
• Basic knowledge of navigating around the Glassfish admin tool

Remarks:

• There are dozens of providers that sell you SSL certificates from 30 to 2000 U$ a year. Companies like Verisign, Thawte and Comodo being the more known ones. I cant give a recommendation nor judge the individual companies.
  Find a list of providers here http://www.dmoz.org/Computers/Security/Public_Key_Infrastructure/PKIX/Tools_and_Services/Third_Party_Certificate_Authorities
• We (as in ‘user’) use security in the web on a daily base (you do online banking, right ?), but trying to understand and appreciate the underlying protocols and technologies throws a steep learning curve at us ! If you want to get started a few helpful links (in case you want to have some clue while talking to a customer):
  • http://en.wikipedia.org/wiki/HTTP_Secure
  • http://en.wikipedia.org/wiki/Transport_Layer_Security
  • http://en.wikipedia.org/wiki/Certificate_authority
  • http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/index.html
• I recommend doing this tutorial with a test setup, not a productive environment.
• The tutorial shall help you get running, I do not attempt to explain all the details, you can refer to the links above and dive into any level of details you wish to. There are dozens of options, parameters and settings, this tutorial only attempts to make it running. From there you can experiment with settings, different certificates, etc.

What do we get out-of-the-box from Glassfish ?

• With the recent Version 3 (as part of the EE Netbeans package or standalone) you inherit an expired certificate. Look at your logfile and try to access https://localhost:8181
  

  Untrusted certificate

  

  Glassfish server.log

• There is no side-effect on your development or testing of your applications (except https related tests of course). The issues is known and should be fixed with one of the next Java SE udpates.
• If it bothers you, here the remedy (remove it): Navigate to the config folder of your domain (ie. domain1, …./sges-v3/glassfish/domains/domain1/config) and execute ‘keytool -delete -keystore cacerts.jks -alias verisignserverca‘
  Restart the domain and its gone (in the logfile, your browser still reminds you of an untrusted site).

Tutorial:

• We need the Glassfish Master-Password. If you dont have it or forgot it, we can reset it using ‘asadmin change-master-password –savemasterpassword=true’ (in Glassfish/bin folder). Stop the domain first.
  Note, the master password is not the same as the regular admin password that you use to access the GF admin page !
• Create keystore and CSR file
  Navigate to config folder of your domain and execute this steps
  • Create keystore:
    keytool -keysize 2048 -genkey -alias 10.10.10.10 -keyalg RSA -dname “CN=www.whateveryourdomainis.com,O=yourCompany,L=yourCity,S=yourState,C=yourCountry” -keypass yourmasteradminpw -storepass yourmasteradminpw -keystore server.keystore
    (no-feedback command)
  • Create csr file
    keytool -certreq -alias 10.10.10.10 -keystore server.keystore -storepass yourmasteradminpw -keypass yourmasteradminpw -file server-2048.csr
    (no-feedback command)
  • Check keystore
    keytool -list -v -alias 10.10.10.10 -keystore server.keystore

  Note:

  • Replace alias 10.10.10.10 with your servers ip address (or something else)
  • Replace CN with the domain name connected to the ip address (comodo check connectivity)
  • Replace the passwords with your GF master admin password
• Apply for certificate from Comodo
  http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html >> Click Get it free now
  

  Free SSL certificate

  Copy the csr content that you created in the previous step earlier into the box and select JavaWeb Server. Click Agree (and follow the subsequent steps of creating an account and validating it, Credit Card is NOT required)
  Please note:

  • It will not work if you give the IP address as CN (you need to supply an domain that you have access too)
  • Comodo kind of pings your server, obviously on port 80. If nothing listens, you get an error like ‘Your Common Name may not be an Internet-accessible IP Address!’ back
    (Workaround: either configure your domain to port 80 or install Apache with ‘sudo apt-get install apache2‘ (if you run a Ubuntu Server).
  • The trial certificate is valid for 90 days
  • They only give you 1 trial per domain, you cant create a second cert on subdomains.
  • It won’t work with dyndns subdomains either.
• Wait for the email with the zip file containing the crt files
  (This might take a while, maybe hours!)
  www_whateverdomain_com.zip
  

  CRT files

• Import the CRT files
  Unzip the file into your domain/config folder and execute the import
  • keytool -import -alias root -keystore server.keystore -trustcacerts -file AddTrustExternalCARoot.crt
    select no, if exist already
  • keytool -import -alias comodo -keystore server.keystore -trustcacerts -file ComodoUTNSGCCA.crt
    feedback: Certificate was added to keystore
  • keytool -import -alias essential -keystore server.keystore -trustcacerts -file EssentialSSLCA_2.crt
    feedback: Certificate was added to keystore
  • keytool -import -alias utn -keystore server.keystore -trustcacerts -file UTNAddTrustSGCCA.crt
    feedback: Certificate was added to keystore
  • keytool -import -alias 10.10.10.10 -keystore server.keystore -trustcacerts -file www_whateveryourdomainis_com.crt
    Certificate reply was installed in keystore
• Adjust Glassfish Settings with the admin tool
  Open the settings page for http listener 2
  Enable SSL and set the kesytore filename to ‘server.keystore’ or any name you used while creating the keystore.
  

  http listener 2 settings

  

  http listener 2 settings

• Restart Glassfish and Access the secure site
  https://www.whateverdomainname.com:8181
  

  Secure Site

  Depending on your browser you can click the GOLDEN LOCK and retrieve detail info about the certificate issued by Comodo

  

  Trusted Site Info

  

  Trusted Site Info

More optional finetuning:

• You could disable regular http access by disabling http listener 1
  

  Disable http listener 1

• Secure the admin access by enabling SSL/security there as well
  

  Secure admin access

References (sources from which I put together the pieces of the puzzle):

• http://weblogs.java.net/blog/kumarjayanti/archive/2009/08/26/configuring-non-jks-keystore-glassfish-v3
• http://weblogs.java.net/blog/kalali/archive/2010/02/27/how-install-godaddy-certificate-your-glassfish-v3
• http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2
• http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_che.html
• http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html

More to learn about security of Java EE6 (web) applications (more from application point of view)

• http://java.sun.com/javaee/6/docs/tutorial/doc/bncas.html
• http://java.sun.com/javaee/6/docs/tutorial/doc/bnbyk.html