Techies Adsense

Friday, 16 September 2016

How To Configure SSL Certificate With GlassFish

In this Article I have described in detailed steps How to Configure SSL Certificate With GlassFish 4 . and the Same process can be used for Both Windows and Linux.

First of all you need to buy the certificate from CA and steps to configure the SSL with GlassFish are Below:

Step 1. Create Keystore with Keytool:

$ keytool -genkey -alias domain -keyalg RSA -keysize 2048 -keystore  domain.keystore

Step 2. Create CSR with Keytool:

$ keytool -certreq -keyalg RSA -file domain.csr -keystore domain.keystore

Step 3. Submit your csr request with CA. from the domain.csr file.

Once CA approved the Certificate request you will receive 2 or 4 files from the CA. I have submitted the  request for 4 files from Comodo CA.

Step 4. Create and Install SSL with Glassfish3/4:
./asadmin create-domain mydomain

Example Output
========================================================================Eenter admin user name [Enter to accept default "admin" / no password]> admin
Enter the admin password [Enter to accept default of no password]>
Enter the admin password again>
Using default port 4848 for Admin.
Using default port 8080 for HTTP Instance.
Using default port 7676 for JMS.
Using default port 3700 for IIOP.
Default port 8181 for HTTP_SSL is in use. Using 43584
Using default port 3820 for IIOP_SSL.
Using default port 3920 for IIOP_MUTUALAUTH.
Using default port 8686 for JMX_ADMIN.
Using default port 6666 for OSGI_SHELL.
Using default port 9009 for JAVA_DEBUGGER.
Distinguished Name of the self-signed X.509 Server Certificate is:
[CN=conference,OU=GlassFish,O=Oracle Corporation,L=Santa Clara,ST=California,C=US]
Distinguished Name of the self-signed X.509 Server Certificate is:
[CN=conference-instance,OU=GlassFish,O=Oracle Corporation,L=Santa Clara,ST=California,C=US]
No domain initializers found, bypassing customization step
Domain my-domain created.
Domain my-domain admin port is 4848.
Domain my-domain admin user is "admin".
Command create-domain executed successfully.
========================================================================
Note: Do not start the domain for now first import the Certificate in your domain.keystore file which was created during csr creation or refer Step1 .

i. AddTrustExternalCARoot.crt 
$ keytool -import -v -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore /var/glassfish3/glassfish/domains/domain/config/domain.keystore
Type the password default i used changeit.

ii. COMODORSAAddTrustCA.crt 
$ keytool -import -v -trustcacerts -alias intermediate -file COMODORSAAddTrustCA.crt -keystore /var/glassfish3/glassfish/domains/domain/config/domain.keystore
Type the password default i used changeit.

iii. COMODORSADomainValidationSecureServerCA.crt 
$ keytool -import -v -trustcacerts -alias intermediate1 -file COMODORSADomainValidationSecureServerCA.crt -keystore /var/glassfish3/glassfish/domains/domain/config/domain.keystore
Type the password default i used changeit.

iv. STAR_trafficinsight_com.crt 
$ keytool -import -alias domain -trustcacerts -file STAR_trafficinsight_com.crt -keystore /var/glassfish3/glassfish/domains/domain/config/domain.keystore
Type the password default i used changeit

Example: 
Enter keystore password:
Certificate reply was installed in keystore. ........... Output message Success :-)

Note: The alias name here will be given when you gave it during csr creation see option 1.
v. Move your default keystore.jks as .bak and domain.keystore file to your domain config directory.

5. Now Start Your domain:   
./asadmin start-domain mydomain
Waiting for mydomain to start .....
 6 . Login into the Glassfish Server for example http://localhost:4848



You will receive error if you are accessing from remote location :  

Configuration Error  Secure Admin must be enabled to access the DAS remotely. 

Note:  Please do not enable Secure Admin by using command " ./asadmin enable-secure-admin or use ./asadmin enable-secure-admin alias-name you have used during csr creation.

Example: enable-secure-admin --aliasadmin mydomain --instancealias mydomain

7. Login into your local system using graphical interface and perform the below steps:  
i.  Server Admin (Server) and secure admin and change the options Administrations Alias and Instance Alias to domain-alias and then restart 



Now You will see the valid SSL has been reflected with your GlassFish Portal.

Step 8.  Login into the portal again and change the Http-Listner-2 Setting Also change the port .


Step 9.  Change the Port 8181 to 443 if it needed else you can use 8181 as well but you need to open from your system firewall.



Step 10 . Next go to the SSL tab and Change the alias name to  your newly created alias with for your domain Then Save.

Step 11. Now look your GlassFish Server and you will see the status should be Green Fully Secured see in the Example image below:



Thanks for your Kind Visit. If you are having still please don't hesitate to contact me.









No comments: