Glassfish V3.1.2 and SSL

After almost 3 years (see previous post) I revisit the topic this time using the latest version og Glassfish 3.1.2 and GoDaddy as certificate provider. I created a certificate for a sub-domain (sub.whateverdomain.com) this time and make use of the extremly cheap 5.99 U$/year offer (no wildcard included)

Let me summarize the key steps here:

  • Get yourself a GoDaddy account
  • Order a standard SSL
    Standard SSL

    Standard SSL

     

  • After payment you get 1 credit to use. Before we create the certificate we need to create a certificate request with the keytools for our glassfish domain
  • Change domain masterpassword (not the admin password)
    The default password is ‘changeit’, better change that with /bin$ ./asadmin change-masterpassword yourdomain
  • Go to you domain config folder ~/glassfish/domains/yourdomain/config$
  • We will use the default keystore file in the config folder keystore.jks
  • Optional: List the existing certifcates, there should be 2.
    keytool -list -keystore keystore.jks or keytool -list -v -keystore keystore.jks (more info)
    You should get something like this

    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 2 entries
    
    glassfish-instance, Mar 28, 2011, PrivateKeyEntry,
    Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:BD:9D:85:5B:CF:AA:AA:86:BA:49:50:AA:AA:AA
    s1as, Mar 28, 2011, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 95:B4:E4:55:7F:F6:AA:AA:AA:AA:3D:65:21:D1:1B:AA:AA:AA:AA:AA
    
  • Create a key
    keytool -genkey -keysize 2048 -genkey -alias sub.whateverdomain.com -keyalg RSA  -keystore keystore.jks
    This differs from the previous command, you dont use the -dname option any longer, but the keytool will ask interactivelyImportant: It asks for your last and first name, this is the CN tag. You MUST use the domain name you register for (sub.whateverdomain.com). The alias I would choose the same.

    keytool

    keytool

  • Create a certificate request file
    keytool -certreq -alias sub.whateverdomain.com -keystore keystore.jks -file whateverdomain.csr
  • Open the file with the editor
    Request File

    Request File

     

  • Now we need to go back to GoDaddy to create our certificate with the request string
    SSL Setup

    SSL Setup

    SSL Setup

    SSL Setup

     

  • Enter the request string from the above file
    SSL Setup

    SSL Setup

     

  • Choose validation method
    If you are the contact in the whois record, email verification is the easiest option.

    SSL Validation

    SSL Validation

    SSL Admin

    SSL Admin

     

  • Confirm the email
    Validation

    Validation

    Validation

    Validation

     

  • Go to the SSL admin page
    SSL Console

    SSL Console

    Download the certificate
    Choose ‘other’
    Download Certifcate

     

  • Upload the 2 cert files from the zip to the domain config folder
    gd_bundle.crt
    sub.whateverdomain.com.crt
    and import them
    keytool -import -trustcacerts -alias root -file gd_bundle.crt -keystore keystore.jks
    keytool -import -trustcacerts -alias demo.airtilus.net -file sub.whateverdomain.com.crt -keystore keystore.jks
  • Go to the Glassfish admin console
    Glassfish admin

    Glassfish admin

    and adjust nickname (alias, here sub.whateverdomain.com) and the keystore file (here keystore.jks)

    http listener 2

    http listener 2

     

  • Restart is not required but I recommend.
  • Optionally you can disable the http port 8080.
  • Open any of your web applications at port 8181
    SVH20130322002

    https

    https

    https

    https

     

  • Voila !
Advertisements

7 thoughts on “Glassfish V3.1.2 and SSL

  1. Pingback: Getting started with Glassfish V3 and SSL | The JavaDude Weblog

  2. Pingback: Glassfish and https running secure applications | The JavaDude Weblog

  3. Hello,
    first thanks for this nice blog!
    I followed exactly the steps above, with the difference that I got my certificate from thawte, send per Email. I copied in crt file and added it to the keystore.
    Unfortunately it doesn’t work for me, even after restarting Glassfish many times. Trying a secure page end up with: “SSL connection error”.
    Any help?
    Thanks

  4. I had the same issue. I tried re-installing various certificate types from GoDaddy and each time encountered the same SSL connection error. I followed the instructions above over and again. Just today I got it working. All I remember changing was deleting HTTP Listener 2 and recreating it using the command line tool asadmin. Also, I did ensure the response from keytool during certificate installation was “certificate reply installed” not just “certificate installed”. Here’s the command line commands I used for the recreation of HTTP listener 2:

    asadmin> delete-ssl –type http-listener http-listener-2

    asadmin> create-ssl –type http-listener –certname http-listener-2

    I found these commands in the guide: https://glassfish.java.net/docs/4.0/administration-guide.pdf

    Hope it helps! Took me days to get it working finally.
    Rob

  5. Thank you very much for this tutorial. I had the exact same requirement as you : my server was moved to a subdomain and I had to implement the new ssl certificate for it. After many unsuccessful tries, I found your blog. I was missing the very last part : to tell glassfish to use the new certificate alias in keystore.jks. As soon as I did this, everything worked! I would also suggest this excellent tutorial on installing GF : http://www.nabisoft.com/tutorials/glassfish/installing-glassfish-311-on-ubuntu. It works for all versions (3.x – 4.1).

    • I configured Glassfish 4.0 using these settings. The non-ssl port works but the ssl port gives a connection error. I don’t see any error messages in the log.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s