4.1.12

Glassfish v3.1 goes SSL (Client)

This entry is about making Glassfish v3.1 ready for two-way SSL authentication as a client. In our case, we had a p12 (PKCS#12) file containing the client certificate and its private key.

Import certificate into keystore
The first thing that needs to be done is to install your private key. For standalone applications, one option would be to change the JVM system properties and use the p12 file directly as the keystore. With Glassfish, however, that is not possible, because the already included %domain%/config/keystore.jks file contains entries that Glassfish needs (alias "s1as"), so the p12 file must be imported into the existing keystore. This is done with keytool using the following options (a). You can check the keystore afterwards using the "list" option (b).

keytool -importkeystore -srckeystore mycert.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -srcstorepass password -deststorepass changeit

keytool -list -keystore keystore.jks -v

Change the password of your certificate
Next, you need to change the password of the imported private key. The standard Java SSL implementation uses the keystore's password (in this case "changeit") to recover the stored keys, so the key password must be the same as the keystore password.

keytool -keypasswd -alias mycert -keypass password -new changeit -keystore keystore.jks

Modify outbound JVM option
After that, modify the following entry in the file %domain%/config/domain.xml so that it points to your private key alias. If you have added several private keys to your keystore, try deleting the option completely, or check this link out.

<jvm-options>
   -Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as
</jvm-options>

Add server to truststore
You have to add the server's certificate to your truststore, in this case "cacerts.jks". We added it dynamically at runtime using an internal SSLHelper class. There must be other possibilities too ...
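The runtime side of the steps above, as an added example (this is not the internal SSLHelper class mentioned here, and the class name, method names and the server certificate alias are assumptions): it loads keystore.jks and cacerts.jks, checks beforehand that every private key is recoverable with the store password (the condition behind the "Cannot recover key" exception listed further down), adds the server certificate to the in-memory truststore, and builds the client SSLContext from both.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SslHelperCheck {
    // Load a JKS keystore from disk with the given store password (Glassfish default: "changeit").
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }
    // Pre-flight for "Cannot recover key": the default X509KeyManager only knows the
    // store password, so every private key must be protected with exactly that password.
    static boolean keysRecoverable(KeyStore ks, char[] storePass) throws Exception {
        boolean ok = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            try { ks.getKey(alias, storePass); }
            catch (UnrecoverableKeyException e) {
                System.err.println("alias '" + alias + "' not recoverable with store password");
                ok = false;
            }
        }
        return ok;
    }
    // Add the server's certificate (DER or PEM file) to the in-memory truststore.
    static void trustServer(KeyStore ts, String alias, String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(certPath)) {
            ts.setCertificateEntry(alias, cf.generateCertificate(in));
        }
    }
    // Build the client SSLContext: our key from keystore.jks, trust from cacerts.jks.
    static SSLContext clientContext(KeyStore ks, char[] storePass, KeyStore ts) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, storePass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Typical use: load both stores with "changeit", call keysRecoverable on the keystore and abort if it returns false, then trustServer(ts, "myserver", "server.crt") (hypothetical alias and file) before passing the result of clientContext to the HTTPS client.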

Exceptions that were thrown during my journey:
If the alias s1as appears in one of your exceptions, the server could not find that alias in your keystore, so maybe you deleted it or replaced the keystore.

Wrong password for private key within keystore:

java.security.UnrecoverableKeyException: Cannot recover key

The outbound JVM option was not deleted and pointed to the wrong alias within the keystore:

javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
