Easy to Learn Java: Programming Articles, Examples and Tips

Start with Java in a few days with Java Lessons or Lectures


Code Examples

Java Tools

More Java Tools!

Java Forum

All Java Tips


Submit News
Search the site here...
Search the JavaFAQ.nu
1000 Java Tips ebook

1000 Java Tips - Click here for the high resolution copy!1000 Java Tips - Click here for the high resolution copy!

Java Screensaver, take it here

Free "1000 Java Tips" eBook is here! It is huge collection of big and small Java programming articles and tips. Please take your copy here.

Take your copy of free "Java Technology Screensaver"!.

SSL with GlassFish v2, page 3

JavaFAQ Home » TechTips Go to all tips in TechTips

Bookmark and Share

Enabling the GlassFish v2 Application Server as an SSL Server

The steps to enable the GlassFish v2 as an SSL server depend on the profile used for the application server. Let's first examine the process if the developer profile is used. Then let's examine the process when the enterprise profile is used.

When the Developer Profile is Used

Recall that a GlassFish v2 profile presets configuration parameters for a particular type of use. One of those parameters is Security Store, which identifies how security and trust-related artifacts such as certificates and keys are stored. For the developer profile, the Security Store value is set to JKS. In this case, certificates and keys for the server are stored in a Java keystore file (keystore.jks) and certificates issued by trusted CAs are stored in a certificates file (cacerts.jks).

When you install GlassFish v2, it creates a default self-signed certificate as the server certificate. However, if authentication is important in your site, you need to replace the self-signed certificate with a digitally-signed certificate from a CA. This section describes how to replace the self-signed certificate, how to obtain a server certificate from a CA, and how to import the server certificate into the keystore.

The steps described below use keytool, a key and certificate management tool. Keytool is available in various versions of the Java Platform, Standard Edition (Java SE) Development Kit (jdk). However Java SE 6 added some required functions to keytool. The instructions below are based on the jdk 6 version of keytool. For detailed information about keytool, see JDK Tools and Utilities.

Here are the instructions for enabling GlassFish v2 as an SSL server when the application server is configured with the developer profile.

  1. Delete the default self-signed certificate by issuing the following command (note that the commands in this and subsequent steps are shown on multiple lines for formatting purposes):

                         keytool -delete -alias s1as -keystore keystore.jks
           -storepass <store_passwd>

    where <store_passwd> is the password for the keystore, for example, "mypass". Note that s1as is the default alias of the GlassFish v2 keystore.

  2. Generate a new key pair for the application server by issuing the following command:

                      keytool -genkeypair -keyalg <key_alg> 
          -keystore keystore.jks -validity <val_days> -alias s1as 

    where <key_alg> is the algorithm to be used for generating the key pair, for example RSA, and <val_days> is the number of days that the certificate should be considered valid, for example, 365.

    Note that in addition to generating a key pair, the command wraps the public key into a self-signed certificate and stores the certificate and the private key in a new keystore entry identified by the alias.

    It's important to ensure that the name of the certificate matches the fully-qualified hostname of your site. If the names don't match, clients connecting to the server will see a security alert stating that the name of the certificate does not match the name of the site. You should notice that the name of the default self-signed certificate matches the fully-qualified hostname.

  3. Generate a Certificate Signing Request (CSR) by issuing the following command:

                      keytool -certreq -alias s1as -file <certreq_file> 
          -keystore keystore.jks -storepass <store_passwd>

    where <certreq_file> is the file in which the CSR is stored, for example, s1as.csr, and <store_passwd> is the password for the keystore, for example, changeit.

  4. Submit the CSR to a CA such as VeriSign. In response, you should receive a signed server certificate. Make sure to import into your browser the CA certificate of the CA and any intermediate certificates indicated by the CA in the reply.

  5. Store the signed server certificate from the CA including the markers -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a file such as s1as.cert. Download the CA certificate and any intermediate CA certificates and store them in local files. Refer to your browser documentation on how to import the CA and intermediate CA certificates into the browser. The CA may provide information on how to import the CA certificates into various browsers such as Mozilla and Internet Explorer.

  6. Replace the original self-signed certificate with the certificate you obtained from the CA (stored in a file such as s1as.cert). You can use keytool to do this, however it involves multiple steps. An easier approach to make the replacement is to run the following Java program:

          import java.io.*;
          import java.security.Key;
          import java.security.KeyStore;
          import java.security.cert.Certificate;
          import java.security.cert.CertificateFactory;
          import java.security.cert.X509Certificate;
          public class Main {
              public static void main(String[] args) throws Exception {
                //args[] error checking logic omitted
                //file containing signed cert reply from CA
                String csrReplyFromCA = args[0];     
                //Path to GlassFish keystore.jks
                String keystoreLocation = args[1];   
                //Password for GlassFish keystore.jks
                String keystorePassword = args[2];   
                //The keyalias to be replaced : s1as in our example
                String selfSignedKeyEntry = args[3];
                //create the signed Cert
                Certificate cert = null;
                FileInputStream fis =
                   new FileInputStream(csrReplyFromCA);
                CertificateFactory cf =
                cert = cf.generateCertificate(fis);
                //now replace the original entry
                char[] passwordChars =
                KeyStore keystore = KeyStore.getInstance("JKS");
                keystore.load(new FileInputStream(keystoreLocation),
                Key key = keystore.getKey(selfSignedKeyEntry,
                keystore.setKeyEntry(selfSignedKeyEntry, key,
                   passwordChars, (new Certificate[]{cert}));
                keystore.store(new FileOutputStream(
                   keystoreLocation), passwordChars);

After running the program, you should see that the certificate s1as in the GlassFish keystore is no longer the original self-signed certificate, but is now the response certificate from the CA. Here is an example that compares an original s1as certificate with a new s1as certificate obtained from VeriSign:

Original s1as (self-signed):

Owner: CN=KUMAR, OU=Sun Java System Application Server, O=Sun
Microsystems, L=Santa Clara, ST=California, C=US
Issuer: CN=KUMAR, OU=Sun Java System Application Server, O=Su
n Microsystems, L=Santa Clara, ST=California, C=US
Serial number: 472acd34
Valid from: Fri Nov 02 12:39:40 GMT+05:30 2007 until: Mon Oct
30 12:39:40 GMT+05:30 2017

New s1as (contains signed cert from CA):

Owner: CN=KUMAR, OU=Terms of use at www.verisign.com/cps/test
ca (c)05, OU=Sun Java System Application Server, O=Sun Micros
ystems, L=Santa Clara, ST=California, C=US
Issuer: CN=VeriSign Trial Secure Server Test CA, OU=Terms of
use at https://www.verisign.com/cps/testca (c)05, OU="For Test
Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
Serial number: 1375de18b223508c2cb0123059d5c440
Valid from: Sun Nov 11 05:30:00 GMT+05:30 2007 until: Mon Nov
26 05:29:59 GMT+05:30 2007

After performing these steps, you can restart GlassFish v2 and use the signed server certificate issued by the CA.

go to previous page of java lesson Previous Page: GlassFish v2 Profiles

Page 1: Keys and Certificates
Page 2: GlassFish v2 Profiles
Page 3: Enabling the GlassFish v2 Application Server as an SSL Server
Page 4: When the Cluster Profile is Used
Page 5: Two other cases to consider

 Printer Friendly Page  Printer Friendly Page
 Send to a Friend  Send to a Friend

.. Bookmark and Share

Search here again if you need more info!
Custom Search

Home Code Examples Java Forum All Java Tips Books Submit News, Code... Search... Offshore Software Tech Doodling

RSS feed Java FAQ RSS feed Java FAQ News     

    RSS feed Java Forums RSS feed Java Forums

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest 1999-2006 by Java FAQs Daily Tips.

Interactive software released under GNU GPL, Code Credits, Privacy Policy