Skip Navigation Links | |
Exit Print View | |
Oracle GlassFish Server Message Queue 4.5 Administration Guide |
Part I Introduction to Message Queue Administration
1. Administrative Tasks and Tools
3. Starting Brokers and Clients
6. Configuring and Managing Connection Services
8. Configuring Persistence Services
9. Configuring and Managing Security Services
10. Configuring and Managing Broker Clusters
11. Managing Administered Objects
12. Configuring and Managing Bridge Services
13. Monitoring Broker Operations
14. Analyzing and Tuning a Message Service
17. Broker Properties Reference
18. Physical Destination Property Reference
19. Administered Object Attribute Reference
20. JMS Resource Adapter Property Reference
21. Metrics Information Reference
22. JES Monitoring Framework Reference
A. Distribution-Specific Locations of Message Queue Data
B. Stability of Message Queue Interfaces
HTTP/HTTPS Support Architecture
Step 1 (HTTPS Only): Generating a Self-Signed Certificate for the Tunnel Servlet
Step 2 (HTTPS Only): Specifying the Key Store Location and Password
To Specify the Location and Password of the Certificate Key Store
Step 3 (HTTPS Only): Validating and Installing the Server's Self-Signed Certificate
To Deploy the HTTP or HTTPS Tunnel Servlet
Modifying the Application Server's Security Policy File
Step 5 (HTTP and HTTPS): Configuring the Connection Service
To Activate the httpjms or httpsjms Connection Service
Step 6 (HTTP and HTTPS): Configuring a Connection
Installing a Root Certificate (HTTPS Only)
Configuring the Connection Factory (HTTP and HTTPS)
Using a Single Servlet to Access Multiple Brokers (HTTP and HTTPS)
Client Failure to Connect Through the Tunnel Servlet
By default, the Oracle GlassFish Server Server generates a self-signed certificate and stores it in a key store file at the location
appServerRoot/glassfish/domains/domain1/config/keystore.jkswhere appServerRoot is the root directory in which the application server is installed.
Note - If necessary, you can use the JDK Key Tool utility to generate a key store of your own and use it in place of the default key store. For more information, see the section “Establishing a Secure Connection Using SSL” in Chapter 28, “Introduction to Security in Java EE,” of the Java EE 5 Tutorial at
http://java.sun.com/javaee/5/docs/tutorial/doc/Security-Intro7.htmlFor example, to use the Application Server’s default key store file (as shown above), navigate to its directory with the command
cd appServerRoot/glassfish/domains/domain1/configwhere appServerRoot is, again, the root directory in which the application server is installed.
The Key Tool utility’s -list option lists the contents of a specified key store file. For example, the following command lists the Application Server’s default key store file (keystore.jks):
keytool -list -keystore keystore.jks -vThe -v option tells the Key Tool utility to display certificate fingerprints in human-readable form.
The Key Tool utility prompts you for the key store file’s password:
Enter keystore password:By default, the key store password is set to changeit; you can use the Key Tool utility’s -storepasswd option to change it to something more secure. After you have entered a valid password, the Key Tool utility will respond with output like the following:
|
Obtain the correct fingerprints for the Application Server’s self-signed certificate by independent means (such as by telephone) and compare them with the fingerprints displayed by the keytool -list command. Do not accept the certificate and install it in your application’s trust store unless the fingerprints match.
Use the Key Tool utility’s -export option to export the certificate from the Application Server’s key store to a separate certificate file, from which you can then import it into your application’s trust store. For example, the following command exports the certificate shown above, whose alias is slas, from the Application Server’s default key store (keystore.jks) to a certificate file named slas.cer:
keytool -export -keystore keystore.jks -storepass changeit -alias slas -file slas.cerThe Key Tool utility responds with the output
Certificate stored in file <slas.cer>If you wish, you can double-check the contents of the certificate file to make sure it contains the correct certificate:
The Key Tool utility’s -printcert option lists the contents of a specified certificate file. For example, the following command lists the certificate file slas.cer that was created in the preceding step:
keytool -printcert -file slas.cer -vOnce again, the -v option tells the Key Tool utility to display the certificate’s fingerprints in human-readable form. The resulting output looks like the following:
|
Examine the output from the keytool -printcert command to make sure that the certificate is correct.
The Key Tool utility’s -import option installs a certificate from a certificate file in a specified trust store. For example, if your client application’s trust store is kept in the file /local/tmp/imqhttps/appKeyStore, the following command will install the certificate from the file slas.cer created above:
keytool -import -file slas.cer -keystore "/local/tmp/imqhttps/appKeyStore"You can deploy the HTTP or HTTPS tunnel servlet on Oracle GlassFish Server Server either from the command line or by using the application server’s Web-based administration GUI. In either case, you must then modify the Application Server’s security policy file to grant permissions for the tunnel servlet.
To deploy the tunnel servlet from the command line, use the deploy subcommand of the application server administration utility (asadmin): for example,
asadmin deploy --user admin --passwordfile pfile.txt --force=true /local/tmp/imqhttps/imqhttps.warThe procedure below shows how to use the Web-based GUI to deploy the servlet.
After deploying the tunnel servlet (whether from the command line or with the Web-based GUI), proceed to Modifying the Application Server's Security Policy File for instructions on how to grant it the appropriate permissions.