The Java EE 5 Tutorial

Using a Different Server Certificate with the Application Server

Follow the steps in Creating a Server Certificate to create your own server certificate, have it signed by a CA, and import the certificate into keystore.jks.

Make sure that when you create the certificate, you follow these rules:

To specify that the Application Server should use the new keystore for authentication and authorization decisions, you must set the JVM options for the Application Server so that they recognize the new keystore. To use a different keystore than the one provided for development purposes, follow these steps.

  1. Start the Application Server if you haven’t already done so. Information on starting the Application Server can be found in Starting and Stopping the Application Server.

  2. Start the Admin Console. Information on starting the Admin Console can be found in Starting the Admin Console.

  3. Select Application Server in the Admin Console tree.

  4. Select the JVM Settings tab.

  5. Select the JVM Options tab.

  6. Change the following JVM options so that they point to the location and name of the new keystore. The current settings are shown below:


    -Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks
    -Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks
    
  7. If you’ve changed the keystore password from its default value, you need to add the password option as well:


    -Djavax.net.ssl.keyStorePassword=your-new-password
    
  8. Log out of the Admin Console and restart the Application Server.
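
Before restarting, the new keystore can be checked against the same `javax.net.ssl.*` properties set in steps 6 and 7. The following is an added example, not part of the original tutorial; the class name `KeystoreCheck` is hypothetical, and it assumes the paths are passed already resolved, because `${com.sun.aas.instanceRoot}` is only expanded by the Application Server.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class KeystoreCheck {   // hypothetical helper, not shipped with the Application Server

    // Load a JKS file; a non-null password also verifies the store's integrity.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // IOException on wrong password or corrupt file
        }
        return ks;
    }

    // Returns the number of private-key entries that can serve as a server certificate.
    static int checkKeyEntries(KeyStore ks, char[] password) throws Exception {
        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;          // skip trusted-cert entries
            // JSSE's default key manager opens each key with the store password,
            // so a key protected by a different password fails here.
            ks.getKey(alias, password);
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) continue;
            X509Certificate leaf = (X509Certificate) chain[0];
            leaf.checkValidity();                         // throws if expired or not yet valid
            System.out.printf("%s: subject=%s issuer=%s notAfter=%s chainLength=%d%n",
                    alias, leaf.getSubjectX500Principal().getName(),
                    leaf.getIssuerX500Principal().getName(), leaf.getNotAfter(), chain.length);
            usable++;
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        String ksPath = System.getProperty("javax.net.ssl.keyStore");
        String tsPath = System.getProperty("javax.net.ssl.trustStore");
        String pw = System.getProperty("javax.net.ssl.keyStorePassword");
        if (ksPath == null || tsPath == null || pw == null) {
            System.err.println("Set javax.net.ssl.keyStore, trustStore and keyStorePassword");
            System.exit(2);
        }
        int usable = checkKeyEntries(load(ksPath, pw.toCharArray()), pw.toCharArray());
        KeyStore ts = load(tsPath, null);   // null password: readable, integrity not verified
        System.out.println("usable key entries: " + usable + ", trusted entries: " + ts.size());
        if (usable == 0) System.exit(1);    // nothing the server could present
    }
}
```

Run it with the three `-Djavax.net.ssl.*` options on the `java` command line, using the real instance directory in place of `${com.sun.aas.instanceRoot}`. An exception or a non-zero exit status means the Application Server would not be able to use the keystore as configured.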