Oracle GlassFish Message Queue 4.4.2 Administration Guide

ProcedureTo Validate and Install the Server’s Self-Signed Certificate

  1. Validate the server’s certificate.

    By default, the Oracle GlassFish Server generates a self-signed certificate and stores it in a key store file at the location

       appServerRoot/glassfish/domains/domain1/config/keystore.jks
    

    where appServerRoot is the root directory in which the application server is installed.


    Note –

    If necessary, you can use the JDK Key Tool utility to generate a key store of your own and use it in place of the default key store. For more information, see the section “Establishing a Secure Connection Using SSL” in Chapter 28, “Introduction to Security in Java EE,” of the Java EE 5 Tutorial at

       http://java.sun.com/javaee/5/docs/tutorial/doc/Security-Intro7.html
    

    1. Make the directory containing the key store file your current directory.

      For example, to use the Application Server’s default key store file (as shown above), navigate to its directory with the command

         cd appServerRoot/glassfish/domains/domain1/config
      

      where appServerRoot is, again, the root directory in which the application server is installed.

    2. List the contents of the key store file.

      The Key Tool utility’s -list option lists the contents of a specified key store file. For example, the following command lists the Application Server’s default key store file (keystore.jks):

         keytool  -list  -keystore keystore.jks  -v
      

      The -v option tells the Key Tool utility to display certificate fingerprints in human-readable form.

    3. Enter the key store password.

      The Key Tool utility prompts you for the key store file’s password:

         Enter keystore password:
      

      By default, the key store password is set to changeit; you can use the Key Tool utility’s -storepasswd option to change it to something more secure. After you have entered a valid password, the Key Tool utility will respond with output like the following:


      Keystore type: JKS
      Keystore provider: SUN
      
      Your keystore contains 1 entry
      
      Alias name: slas
      Creation date: Nov 13, 2007
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=helios, OU=Sun Java System Application Server, O=Sun Microsystems,
      L=Santa Clara, ST=California, C=US
      Issuer: CN=helios, OU=Sun Java System Application Server, O=Sun Microsystems,
      L=Santa Clara, ST=California, C=US
      Serial number: 45f74784
      Valid from: Tue Nov 13 13:18:39 PST 2007 until: Fri Nov 10 13:18:39 PST 2017
      Certificate fingerprints:
               MD5:  67:04:CC:39:83:37:2F:D4:11:1E:81:20:05:98:0E:D9
               SHA1: A5:DE:D8:03:96:69:C5:55:DD:E1:C4:13:C1:3D:1D:D0:4C:81:7E:CB
               Signature algorithm name: MD5withRSA
               Version: 1

    4. Verify the certificate’s fingerprints.

      Obtain the correct fingerprints for the Application Server’s self-signed certificate by independent means (such as by telephone) and compare them with the fingerprints displayed by the keytool -list command. Do not accept the certificate and install it in your application’s trust store unless the fingerprints match.

  2. Export the Application Server’s certificate to a certificate file.

    Use the Key Tool utility’s -export option to export the certificate from the Application Server’s key store to a separate certificate file, from which you can then import it into your application’s trust store. For example, the following command exports the certificate shown above, whose alias is slas, from the Application Server’s default key store (keystore.jks) to a certificate file named slas.cer:

       keytool  -export  -keystore keystore.jks  -storepass changeit
                -alias slas  -file slas.cer
    

    The Key Tool utility responds with the output

       Certificate stored in file <slas.cer>
    
  3. Verify the contents of the certificate file.

    If you wish, you can double-check the contents of the certificate file to make sure it contains the correct certificate:

    1. List the contents of the certificate file.

      The Key Tool utility’s -printcert option lists the contents of a specified certificate file. For example, the following command lists the certificate file slas.cer that was created in the preceding step:

         keytool  -printcert  -file slas.cer  -v
      

      Once again, the -v option tells the Key Tool utility to display the certificate’s fingerprints in human-readable form. The resulting output looks like the following:


      Owner: CN=helios, OU=Sun Java System Application Server, O=Sun Microsystems,
      L=Santa Clara, ST=California, C=US
      Issuer: CN=helios, OU=Sun Java System Application Server, O=Sun Microsystems,
      L=Santa Clara, ST=California, C=US
      Serial number: 45f74784
      Valid from: Tue Nov 13 13:18:39 PST 2007 until: Fri Nov 10 13:18:39 PST 2017
      Certificate fingerprints:
               MD5:  67:04:CC:39:83:37:2F:D4:11:1E:81:20:05:98:0E:D9
               SHA1: A5:DE:D8:03:96:69:C5:55:DD:E1:C4:13:C1:3D:1D:D0:4C:81:7E:CB
               Signature algorithm name: MD5withRSA
               Version: 1

    2. Confirm the certificate’s contents.

      Examine the output from the keytool -printcert command to make sure that the certificate is correct.

  4. Import the certificate into your application’s trust store.

    The Key Tool utility’s -import option installs a certificate from a certificate file in a specified trust store. For example, if your client application’s trust store is kept in the file /local/tmp/imqhttps/appKeyStore, the following command will install the certificate from the file slas.cer created above:

       keytool  -import  -file slas.cer  -keystore "/local/tmp/imqhttps/appKeyStore"