Easy to Learn Java: Programming Articles, Examples and Tips


SSL with GlassFish v2, page 4


When the Cluster Profile is Used

You perform the same steps to enable GlassFish v2 as an SSL server when the application server is configured with the cluster profile as you do for a developer profile. However, in this case you need to ensure that the same server key is replicated in all the application server instances in the cluster.

When the Enterprise Profile is Used

The Security Store parameter value for the enterprise profile is NSS, which stands for Network Security Services. In an NSS security infrastructure there is no JKS keystore and so there is no default GlassFish keystore.

For the most part, the steps to enable the GlassFish v2 application server as an SSL server are the same when the enterprise profile is used as when the developer profile is used. However, there are two differences. The first difference pertains to the first step of the process. Because there is no JKS keystore, you start the process with an empty keystore (keystore.jks). The second difference pertains to the last step of the process. Instead of importing the resulting signed certificate into the JKS keystore, you import it into the NSS store. In other words, to enable the GlassFish v2 application server as an SSL server, you perform the same steps as in the When the Developer Profile is Used section, but you start with an empty keystore, and you replace step 6 in that section with the following steps:

  1. Export the private key for the server certificate from the keystore in Privacy Enhanced Mail (PEM) format by issuing the following command:

                      keyexport.bat -keyfile serverkey.pem -keystore keystore.jks -storepass changeit -alias s1as

    The command invokes the keyexport utility. You can find the keyexport utility in the keyexport package, which you can download from the XWSS downloads page in Project Metro.

    In response you will be prompted for the keystore password. The keystore password is the same as the key password, so you can reply by simply pressing the return key.

    This creates a serverkey.pem file which contains the server private key under the markers -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.

  2. Append the signed certificate reply from the CA, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers, to the serverkey.pem file. Append the reply just below the END PRIVATE KEY marker.

  3. Convert the serverkey.pem file into a PKCS#12 file (a file with a .pfx extension). "PKCS" refers to a group of public key cryptography standards devised and published by RSA Security. PKCS#12 defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key.

    There are various tools you can use to convert the serverkey.pem file into a PKCS#12 file. One of them is the openssl tool. Here is the command to convert the file using openssl:

                      openssl pkcs12  -export  -in serverkey.pem -out s1as.pfx

    In response, you will be prompted for the export password. Enter a password such as "changeit" or the GlassFish master password.

    The s1as.pfx file will now contain the required signed server certificate and the private key.

  4. Delete the original s1as self-signed entry, if it exists, by issuing the following command:

                      certutil -D -n s1as -d $AS_NSS_DB

  5. Use the pk12util utility to import the new s1as.pfx file into the NSS store by issuing the following command:

                      pk12util -i s1as.pfx -d $AS_NSS_DB 

    pk12util is an NSS utility available inside the GlassFish installation template directory for the Enterprise Profile. The utility is used to import or export a PKCS#12 file to and from an NSS store.

    In response to the command, you will be prompted for the passwords for the NSS soft token and PKCS#12 file. Supply the appropriate passwords. You should then see the following message indicating that the import was successful:

                      pk12util: PKCS12 IMPORT SUCCESSFUL   
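Steps 2 and 3 assume that the CA reply appended to serverkey.pem was issued for the private key exported in step 1, and that file holds the key unencrypted. The following check is an added example, not part of the original article or of GlassFish; the function name check_pem_bundle and its return codes are this example's own. It can be run on the combined file before the openssl pkcs12 conversion.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): pre-flight check for the
# combined serverkey.pem before it is converted to PKCS#12 and imported
# into the NSS store. Return codes are this example's own convention.

check_pem_bundle() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }

    # Layout from step 2: private key block first, CA reply appended below it.
    key_line=$(grep -n -m1 -e '-----BEGIN PRIVATE KEY-----' "$pem" | cut -d: -f1)
    crt_line=$(grep -n -m1 -e '-----BEGIN CERTIFICATE-----' "$pem" | cut -d: -f1)
    [ -n "$key_line" ] || { echo "no PRIVATE KEY block" >&2; return 3; }
    [ -n "$crt_line" ] || { echo "no CERTIFICATE block" >&2; return 4; }
    [ "$key_line" -lt "$crt_line" ] || { echo "certificate is above the key" >&2; return 5; }

    # Pairing: the public key derived from the private key must be the one
    # in the (first) certificate. Each command is captured separately so a
    # parse failure cannot make two empty strings compare equal.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) \
        || { echo "unreadable private key" >&2; return 6; }
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable certificate" >&2; return 6; }
    [ "$key_pub" = "$crt_pub" ] \
        || { echo "certificate was not issued for this key" >&2; return 7; }

    # The key in this file is unencrypted: allow no group/other permission bits.
    [ "$(ls -ld "$pem" | cut -c5-10)" = "------" ] \
        || { echo "$pem is accessible to group or others" >&2; return 8; }
    return 0
}

# Usage: ./check_pem_bundle.sh serverkey.pem
if [ "$#" -gt 0 ]; then check_pem_bundle "$1"; fi
```

A non-zero result means the file should be corrected before step 3; once the pk12util import has succeeded, serverkey.pem and s1as.pfx are extra copies of the private key outside the NSS store.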

There are two other cases to consider:

Previous Page: Enabling the GlassFish v2 Application Server as an SSL Server

Page 1: Keys and Certificates
Page 2: GlassFish v2 Profiles
Page 3: Enabling the GlassFish v2 Application Server as an SSL Server
Page 4: When the Cluster Profile is Used
Page 5: Two other cases to consider


All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest 1999-2006 by Java FAQs Daily Tips.
