This section describes known issues and associated solutions related to Enterprise Server and web application security and certificates.
The CA certificate bundled with Sun GlassFish Enterprise Server v2.1.1 expired on January 8, 2010. As a result, SEVERE messages about the expired certificate may be logged while the domain is starting.
Remove the expired certificate from the trust store. In the JKS trust store (developer and cluster profiles), delete it with the following command; keytool prompts for the store password, and domain-dir is the domain directory (for example, install-dir/domains/domain1):
keytool -delete -alias verisignserverca -keystore domain-dir/config/cacerts.jks
In the NSS certificate database (enterprise profile), delete it with the following command:
certutil -D -n verisignserverca -d domain-dir/config
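Before deleting anything it is worth confirming which trust-store entries have actually expired, since the bundled VeriSign CA need not be the only one. The following script is an added example and is not part of the release notes or of the GlassFish distribution: it parses the output of keytool -list -v (each entry carries a "Valid from: ... until: ..." line in Java's Date.toString() format), reports every alias whose certificate has expired as of a given date, and prints the matching keytool -delete command. The listing embedded in it is constructed for illustration, and the default store password "changeit" and the command-line layout are assumptions.

```python
import re
import subprocess
import sys
from datetime import datetime

# keytool -list -v prints one "Valid from: <date> until: <date>" line per certificate,
# with dates in Java's Date.toString() form, e.g. "Fri Jan 08 15:59:59 PST 2010".
# The zone abbreviation is matched and discarded: strptime cannot parse arbitrary
# zone names, and a few hours of skew do not matter when hunting for certificates
# that expired months or years ago.
UNTIL_RE = re.compile(r"until:\s+(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")


def _as_datetime(now):
    """Accept None (current time), an ISO YYYY-MM-DD string, or a datetime."""
    if now is None:
        return datetime.now()
    if isinstance(now, str):
        return datetime.strptime(now, "%Y-%m-%d")
    return now


def expired_aliases(listing, now=None):
    """Return [(alias, expiry_date_iso), ...] for every alias in a `keytool -list -v`
    listing that holds a certificate whose 'until:' date is before `now`."""
    cutoff = _as_datetime(now)
    expired = []
    alias = None
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            continue
        m = UNTIL_RE.search(line)
        if m and alias is not None:
            until = datetime.strptime(m.group(1) + " " + m.group(2), "%a %b %d %H:%M:%S %Y")
            if until < cutoff and alias not in [a for a, _ in expired]:
                expired.append((alias, until.date().isoformat()))
    return expired


def delete_command(alias, keystore):
    """Argument vector that removes one alias from a JKS keystore with keytool."""
    return ["keytool", "-delete", "-alias", alias, "-keystore", keystore]


# Constructed sample listing (not real output from any shipped cacerts.jks).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: verisignserverca
Creation date: Jan 1, 2008
Entry type: trustedCertEntry

Owner: OU=Example Secure Server CA, O=Example, C=US
Issuer: OU=Example Secure Server CA, O=Example, C=US
Serial number: 1a2b3c
Valid from: Tue Nov 08 16:00:00 PST 1994 until: Fri Jan 08 15:59:59 PST 2010
Certificate fingerprints:
         MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF


*******************************************
*******************************************


Alias name: exampleglobalca
Creation date: Jan 1, 2008
Entry type: trustedCertEntry

Owner: CN=Example Global CA, O=Example, C=US
Issuer: CN=Example Global CA, O=Example, C=US
Serial number: 4d5e6f
Valid from: Mon Jan 01 00:00:00 PST 2007 until: Sun Dec 31 23:59:59 PST 2028
"""

if __name__ == "__main__":
    # Usage: python check_cacerts.py domain-dir/config/cacerts.jks [storepass]
    # Assumption: the store password is "changeit" (the GlassFish default) unless given.
    keystore = sys.argv[1]
    storepass = sys.argv[2] if len(sys.argv) > 2 else "changeit"
    listing = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass],
        capture_output=True, text=True, check=True).stdout
    for alias, until in expired_aliases(listing):
        print("%s expired %s; remove with: %s"
              % (alias, until, " ".join(delete_command(alias, keystore))))
```

For the NSS database the equivalent listing comes from certutil -L -d domain-dir/config, which uses a different layout and is not parsed here. Re-run the listing after deleting to confirm the alias is gone before restarting the domain.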
A bug in the JDK 6 Sun PKCS11 provider (see https://jdk6.dev.java.net/issues/show_bug.cgi?id=23) can cause an OutOfMemoryError when certain SSL scenarios are run under heavy load.
If you run into this issue, remove the sun.security.pkcs11.SunPKCS11 provider from the java.security file of your JRE installation (jre-dir/lib/security/java.security): comment out or delete its security.provider.N line, then renumber the remaining security.provider entries so that they are still consecutive starting from 1. The JRE reads security.provider.1, security.provider.2, and so on, and stops at the first number that is missing, so leaving a gap silently disables every provider listed after it.
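The renumbering is the part that is easy to get wrong by hand. The following script is an added example, not part of the release notes or of the JDK: it removes a named provider from java.security text, renumbers the remaining security.provider.N lines, and also models how the JRE walks the list, so the effect of leaving a gap can be seen directly. The provider list embedded in it is a constructed excerpt modelled on a JDK 6 java.security file; the script name and the .orig backup convention are assumptions.

```python
import re
import shutil
import sys

# A provider line looks like "security.provider.3=sun.security.rsa.SunRsaSign"; the
# SunPKCS11 entry additionally carries a config-file argument after the class name.
PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(.*?)\s*$")


def loaded_providers(java_security):
    """Provider classes the JRE would actually load: it reads security.provider.1,
    security.provider.2, ... and stops at the first number that is absent."""
    entries = {}
    for line in java_security.splitlines():
        m = PROVIDER_RE.match(line)
        if m and m.group(2):
            entries[int(m.group(1))] = m.group(2).split()[0]
    loaded, i = [], 1
    while i in entries:
        loaded.append(entries[i])
        i += 1
    return loaded


def drop_provider(java_security, provider_class):
    """Return the file text with `provider_class` removed (left behind as a comment
    for traceability) and the remaining security.provider.N lines renumbered 1..n."""
    out, n = [], 0
    for line in java_security.splitlines():
        m = PROVIDER_RE.match(line)
        if not m:
            out.append(line)
            continue
        value = m.group(2)
        if value.split()[:1] == [provider_class]:
            out.append("# removed: " + line.strip())
            continue
        n += 1
        out.append("security.provider.%d=%s" % (n, value))
    return "\n".join(out) + "\n"


# Constructed excerpt modelled on the JDK 6 provider list on Solaris; the real file
# contains many other settings around it, which drop_provider leaves untouched.
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
"""

if __name__ == "__main__":
    # Usage: python drop_pkcs11.py jre-dir/lib/security/java.security
    # A .orig copy is written beside the file before it is rewritten in place.
    path = sys.argv[1]
    shutil.copyfile(path, path + ".orig")
    with open(path) as f:
        text = f.read()
    with open(path, "w") as f:
        f.write(drop_provider(text, "sun.security.pkcs11.SunPKCS11"))
```

Deleting the SunPKCS11 line without renumbering leaves security.provider.2 as the first entry, and loaded_providers shows the JRE would then load nothing at all; the renumbered output loads the six remaining providers in their original order. Restart the domain after editing the file, since the provider list is read once at JVM startup.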
On the AIX platform, dynamic encryption, in which the encryption key for a response is determined at run time, fails. The failure occurs while the certificate is validated on the server side.
When the failure occurs, the following error messages are written to the server's log file, server.log:
Unable to validate certificate
Error occurred while resolving key information com.sun.xml.wss.impl.WssSoapFaultException: Certificate validation failed
To work around this issue, install Metro 1.1 on Enterprise Server v2.1.1.
When a method in an enterprise bean whose run-as (propagated) security identity is declared with the @RunAs annotation invokes a method in another enterprise bean, the invocation can fail with a javax.ejb.AccessLocalException if no run-as principal is defined for the bean in the sun-ejb-jar.xml deployment descriptor:
javax.ejb.AccessLocalException: Client not authorized for this invocation.
To work around this issue, map the run-as role to a principal in the sun-ejb-jar.xml deployment descriptor: in the principal-name element, specify the principal name to use for the role named in @RunAs.
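A small deployment-time check catches this before the first failed invocation. The following script is an added example, not part of the release notes or of GlassFish: it reads a sun-ejb-jar.xml, lists the role names used in @RunAs that have no principal-name mapping, and adds a security-role-mapping for a missing role in the position the DTD requires (before enterprise-beans). The descriptor embedded in it is constructed for illustration, the role and principal names are made up, and the bean is assumed to carry @RunAs("auditor") in its source; the run-as role names are passed in explicitly because they live in Java annotations rather than in the descriptor.

```python
import xml.etree.ElementTree as ET


def role_mappings(sun_ejb_jar_xml):
    """{role-name: [principal-name, ...]} taken from the security-role-mapping elements."""
    root = ET.fromstring(sun_ejb_jar_xml)
    mappings = {}
    for m in root.findall("security-role-mapping"):
        role = (m.findtext("role-name") or "").strip()
        principals = [p.text.strip() for p in m.findall("principal-name") if p.text]
        mappings.setdefault(role, []).extend(principals)
    return mappings


def unmapped_runas_roles(sun_ejb_jar_xml, runas_roles):
    """Roles named in @RunAs(...) that have no principal-name in the descriptor."""
    mappings = role_mappings(sun_ejb_jar_xml)
    return sorted(r for r in runas_roles if not mappings.get(r))


def top_level_tags(sun_ejb_jar_xml):
    """Child element names of <sun-ejb-jar>, in document order (used to verify DTD order)."""
    return [child.tag for child in ET.fromstring(sun_ejb_jar_xml)]


def add_role_mapping(sun_ejb_jar_xml, role, principal):
    """Return the descriptor with a security-role-mapping for role -> principal added.
    The DTD places security-role-mapping elements before enterprise-beans, so the new
    element is inserted ahead of enterprise-beans instead of being appended at the end.
    ElementTree drops the <?xml?> and <!DOCTYPE ...> lines; write them back when saving."""
    root = ET.fromstring(sun_ejb_jar_xml)
    mapping = ET.Element("security-role-mapping")
    ET.SubElement(mapping, "role-name").text = role
    ET.SubElement(mapping, "principal-name").text = principal
    children = list(root)
    index = next((i for i, c in enumerate(children) if c.tag == "enterprise-beans"),
                 len(children))
    root.insert(index, mapping)
    return ET.tostring(root, encoding="unicode")


# Constructed sun-ejb-jar.xml (DOCTYPE omitted). The "manager" role is mapped;
# OrderBean is assumed to be annotated @RunAs("auditor"), which is not mapped yet.
SAMPLE_SUN_EJB_JAR = """\
<sun-ejb-jar>
  <security-role-mapping>
    <role-name>manager</role-name>
    <principal-name>mgr1</principal-name>
  </security-role-mapping>
  <enterprise-beans>
    <ejb>
      <ejb-name>OrderBean</ejb-name>
      <jndi-name>ejb/OrderBean</jndi-name>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
"""

if __name__ == "__main__":
    missing = unmapped_runas_roles(SAMPLE_SUN_EJB_JAR, ["manager", "auditor"])
    print("run-as roles without a principal-name:", missing)
    print(add_role_mapping(SAMPLE_SUN_EJB_JAR, "auditor", "audit-svc"))
```

The principal named in principal-name must exist in the realm the server authenticates against, otherwise the mapping fixes the descriptor but not the AccessLocalException.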
SSL termination does not work: when a hardware load balancer is configured to terminate SSL, the Enterprise Server changes the protocol from https to http when it issues a redirect, because the request it receives from the load balancer arrives over plain HTTP.
To work around this issue, add a software load balancer between the hardware load balancer and the Enterprise Server.
Because of a JVM bug, some JDK versions leak sockets when security-enabled is set to true on an HTTP listener. The steps to reproduce the leak are as follows:
1. Set security-enabled to true on the HTTP listener:
<http-listener acceptor-threads="1" address="0.0.0.0" blocking-enabled="false" default-virtual-server="server" enabled="true" family="inet" id="http-listener-1" port="8080" security-enabled="true" server-name="" xpowered-by="true">
2. Comment out the step that stops the domain at the end of the quicklook tests.
3. Run the quicklook tests.
4. Check socket usage:
netstat -an | grep 8080
The following sockets are shown to be in use:
*.8080 *.* 0 0 49152 0 LISTEN
*.8080 *.* 0 0 49152 0 BOUND
This issue is tracked on the GlassFish site at http://java.net/jira/browse/GLASSFISH-849.
To resolve this issue, upgrade to the latest JDK version.
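A single netstat snapshot only shows that sockets exist; the leak is the BOUND count growing from one test run to the next. The following script is an added example, not part of the release notes or of the quicklook test suite: it counts socket states for one port in netstat -an output (Solaris layout, as in the listing above, and Linux layout) and reports which states grew between two snapshots. The two snapshots embedded in it are constructed for illustration.

```python
from collections import Counter


def socket_states(netstat_output, port):
    """Count TCP socket states for one local port in `netstat -an` output.
    Solaris prints the local address in the first column (e.g. *.8080); Linux
    prints protocol, queues, then the local address (e.g. 0.0.0.0:8080). In both
    layouts the state is the last column."""
    counts = Counter()
    suffixes = (".%d" % port, ":%d" % port)
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        linux = fields[0].startswith("tcp") and len(fields) >= 6
        local = fields[3] if linux else fields[0]
        if local.endswith(suffixes):
            counts[fields[-1]] += 1
    return dict(counts)


def leaked_states(before, after, port):
    """States whose count grew between two snapshots of the same port. A BOUND
    count that keeps rising after repeated test runs is the signature of this leak."""
    b, a = socket_states(before, port), socket_states(after, port)
    return {s: a[s] - b.get(s, 0) for s in a if a[s] > b.get(s, 0)}


# Constructed Solaris-style snapshots: before the tests, and after one run with
# the domain left up. Column layout: Local Address, Remote Address, Swind,
# Send-Q, Rwind, Recv-Q, State.
BEFORE = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.4848               *.*                0      0 49152      0 LISTEN
      *.8080               *.*                0      0 49152      0 LISTEN
"""

AFTER = BEFORE + """\
      *.8080               *.*                0      0 49152      0 BOUND
      *.8080               *.*                0      0 49152      0 BOUND
      *.8080               *.*                0      0 49152      0 BOUND
"""

if __name__ == "__main__":
    # In practice, capture `netstat -an` before and after each quicklook run and
    # feed the two captures in; the sample data stands in for them here.
    print("states on 8080 after run:", socket_states(AFTER, 8080))
    print("grew during run:", leaked_states(BEFORE, AFTER, 8080))
```

BOUND is a Solaris state for a socket that is bound to a port but neither listening nor connected; on Linux a comparable leak would show up as growing counts in states such as CLOSE_WAIT, so compare whichever state keeps increasing rather than looking for BOUND by name.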