Comments on Java Evangelist John Yeary: Sun Java System Application Server 9.x (glassfish) SSL/TLS Authentication Setup

Jeff Rodriguez, 2008-03-19T19:26:00.000-05:00:

First off thanks for taking the time to figure out this process and give us a how-to. I've scripted the process for CACert and made the code available on my [blog](http://jeffreyrodriguez.blogspot.com/2008/03/ca-signed-ssl-certs-in-glassfish-for.html).

John Yeary, 2008-01-22T12:23:00.000-05:00:

Hello posterboy,

You should have no problems with switching the configuration back as long as you copy the files you mentioned to a safe location.

I don't imagine that you will have any issues with the certs from GeoTrust. You will need to check to see if their certs are part of the CA root store. Otherwise you can add them easily.

VERY COOOOL!!!

garry.donnelly, 2008-01-16T05:45:00.000-05:00:

Hi John

Great Tutorial! Thanks. I tried it out on Windows XP Pro with SJSAS 9 environment and it seems to have worked with a few tweaks. On localhost I can view the cert in IE.

The tweaks were related to CAcerts now issuing certs with the .cer extension rather than .crt

I'm about to try it out in a Production Environment with Windows 2003 Server and SJSAS 9 and I'm wondering if there's a way to return to my original config if anything goes wrong. If I back up both cacerts.jks and keystore.jks and restore them in the event of problems, will that suffice?

I'll also be using a free GeoTrust cert that came with a 1&1 package. Do you expect I'll have to do anything differently? I'm not sure if they have root certs available or if I can skip those steps.

Thanks
-Garry

John Yeary, 2007-08-07T17:40:00.000-05:00:

I just performed a similar process as above (I used a self signed certificate) and it worked like a champ on V2 B58. I am wondering if you have set the listener correctly. I will add another screen shot for build 58.

John Yeary, 2007-08-03T13:51:00.000-05:00:

I am not sure why you cannot see the secured port. I am going to write another blog post on the latest version of glassfish. Some of the options and configuration have changed slightly. Stay tuned...

Unknown, 2007-07-31T04:03:00.000-05:00:

Hi
Today I could finally perform all steps without error, and my application server starts correctly.
I am using glassfish v2 b50g.
Everything looks to be fine, but at the end I cannot view the page by going to https://localhost:8181/
It returns an error like the following in the browser:
[b]
The connection was interrupted
...
[/b]

Can you please let me know what I can do to resolve it?
There is no sign of any error in the server log either.
Thanks

John Yeary, 2007-04-06T13:12:00.000-05:00:

I have a couple of thoughts and questions:

What version of glassfish are you using?

Have you set the SSL certificate nickname to **server** like the certificate in the keystore?

Have you checked to make sure that the certificates were imported back into the keystore using the same alias as the original CSR?

I also wonder about your certificates being valid since they have no additional information like OU, C, Owner, Issuer, etc.

Unknown, 2007-04-05T04:23:00.000-05:00:

Hi
Very good article, but in the latest steps I faced a very strange problem.

Issuing the following command shows that I have completed all steps:

```
keytool -list -v -alias server -keystore keystore.jks -storepass changeit

Alias name: server
Creation date: Apr 5, 2005
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: //
Issuer: //
Serial number: db60eaa3ad98f625
Valid from: Tue Apr 05 11:54:29 GMT+03:30 2005 until: Wed Apr 05 11:54:29 GMT+03:30 2006
Certificate fingerprints:
 MD5: 81:8C:A1:76:28:03:76:E9:33:74:44:63:B3:5E:51:06
 SHA1: 44:9D:60:98:51:DA:E4:F4:98:16:38:E5:E4:3D:21:AF:FE:D7:5B:A8
Certificate[2]:
Owner: //
Issuer: //
Serial number: db60eaa3ad98f61b
Valid from: Mon Apr 04 11:54:31 GMT+03:30 2005 until: Thu Apr 03 11:54:31 GMT+03:30 2008
Certificate fingerprints:
 MD5: CF:AE:D2:15:2A:2A:65:D8:51:7C:E7:A1:FB:18:92:DC
 SHA1: A3:F4:83:F9:72:7D:01:0A:F9:24:E2:CF:52:12:FD:92:E2:61:22:68
```

But when I start the application server it shows the following error. Do you have any comment?
This error is shown before I do anything in the administration console.

```
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.sun.enterprise.server.PELaunch.main(PELaunch.java:272)
Caused by: java.lang.ExceptionInInitializerError
    at com.sun.enterprise.security.SecurityLifecycle.onInitialization(SecurityLifecycle.java:88)
    at com.sun.enterprise.server.ApplicationServer.onInitialization(ApplicationServer.java:240)
    at com.sun.enterprise.server.ondemand.OnDemandServer.onInitialization(OnDemandServer.java:93)
    at com.sun.enterprise.server.PEMain.run(PEMain.java:316)
    at com.sun.enterprise.server.PEMain.main(PEMain.java:260)
    ... 5 more
Caused by: java.lang.IllegalStateException: java.security.UnrecoverableKeyException: Cannot recover key
    at com.sun.enterprise.security.SSLUtils.----clinit----(SSLUtils.java:112)
    ... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:120)
    at java.security.KeyStore.getKey(KeyStore.java:731)
    at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.-----init----(SunX509KeyManagerImpl.java:111)
    at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:41)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:192)
    at com.sun.enterprise.security.SSLUtils.initKeyManagers(SSLUtils.java:303)
    at com.sun.enterprise.security.SSLUtils.-----clinit-----(SSLUtils.java:89)
    ... 10 more
```

Thanks.

John Yeary, 2007-03-06T21:22:00.000-05:00:

Actually, I imported the certs into the trusted store (cacerts.jks) since the CAcert certificate is not one of the certificates that come standard with glassfish.

KedarsThoughtsWork, 2007-02-28T03:31:00.000-05:00:

Excellent stuff, John.

One question though -- I understand that you imported the CAcert's root and class-3 cert in keystore.jks, so that the signed.crt can be imported without problems.

But for that to happen, it is not necessary to import these certs into your server's trust-store, right?

Can you confirm that you imported those certificates into your trust-store (server's trust-store, i.e. cacerts.jks) because you trust them anyway (as they are signed by the CA: CACert.org), right?

Thanks for a *great* resource!

weblogs.java.net/blog/km

John Yeary, 2007-01-11T18:00:00.000-05:00:

Thanks Sebastian. I fixed the file commands. I must not have copied them correctly from the actual server I was working on.