By exporting and importing the DAS certificate, you can make the DAS a trusted client of Web Server. Client authentication using a DAS certificate ensures that only the DAS connects to Web Server as a trusted client.
Open a terminal window and set the LD_LIBRARY_PATH using the following command:
export LD_LIBRARY_PATH=/opt/SUNWappserver/lib
Export the DAS certificate.
If you are using Application Server 9.1, export the DAS certificate by executing the command. The DAS certificate acts as both the server certificate as well as the client certificate.
<appserver_install_dir>/lib/upgrade/pk12util -d <domain root>/config -o s1as.p12 -W <s1as.pk12-file-password> -K <master password> -n s1as
If you are using GlassFish v2, export the DAS certificate, named with the alias “s1as” using the Java SE 5.0 security tool called keytool. While doing so, select the -rfc option to export the certificate in the printable encoding format, as defined by the Internet RFC 1421 standard.
From the command line, you can use the following commands to export the DAS certificate:
<JAVA_HOME>/bin/keytool -export -rfc -alias s1as -keystore <GLASSFISH_HOME>/domains/<DOMAIN_NAME>/config/keystore.jks-file s1as.rfc
where, <GLASSFISH_HOME> indicates the Application Server installation directory and <DOMAIN_NAME> refers to the domain whose certificate is being exported.
After exporting, copy the certificate file to the web server configuration directory.
Import the DAS certificate.
If you are using Application Server 9.1, import the DAS certificate into the Web Server instance and set the trust attributes for the certificate using the following commands:
<webserver_install_dir>/bin/pk12util -i <path_to_s1as.pk12-file> -d <webserver_install_dir>/admin-server/config-store/<default-config-name>/config -K <webserver security db password> -W <s1as.pk12-file-passwd>
<webserver_install_dir>/bin/certutil -M -n s1as -t "TCu" -d <webserver_install_dir>/admin-server/config-store/<default-config-name>/config
These commands make the Application Server CA be a trusted CA to sign both client and server certificates.
If you are using GlassFish v2, import the DAS certificate from the rfc file created using certutil, the NSS security tool.
<webserver_install_dir>/bin/certutil -A -a -n s1as -t "TCu" -i s1as.rfc -d <webserver_install_dir>/admin-server/config-store/<CONFIG_NAME>/config
where, <webserver_install_dir> refers to the web server installation directory and <CONFIG_NAME> refers to the configuration name created for the default web server instance.
You can check the presence of this certificate by using the following command, which would list the s1as certificate along with other CA certificates including the default server certificate. Make sure that you type the entire command in a single line.
<webserver_install_dir>/bin/certutil -L -d <webserver_install_dir>/admin-server/config-store/ <DEFAULT_CONFIG_NAME>/config
You can also use the Web Server Admin Console to view this. Select the configuration to which the certificate has been imported to (default config, in this case), and then select the Certificates tab. To look at all the certificates available, select the Certificate Authorities sub tab.
Make the following configuration changes to Web Server 7 if you are using GlassFish v2. You can skip to the next step if you are using Application Server 9.1.
Append the following lines to obj.conffile located at <WS_INSTALL_ROOT>/admin-server/config-store/<DEFAULT_CONFIG_NAME>/config/. Make sure that you type in these lines without any trailing spaces.
<Object ppath="*lbconfigupdate*"> PathCheck fn="get-client-cert" dorequest="1" require="1" </Object> <Object ppath="*lbgetmonitordata*"> PathCheck fn="get-client-cert" dorequest="1" require="1" </Object>
Deploy the configuration. While doing the changes listed in the previous steps, the Admin Console would mark this configuration to be deployed.
Test this setup from the GlassFish DAS to see if it communicates with the configured HTTP Load Balancer over SSL. For more information, see Verifying the Setup.