Sun GlassFish Enterprise Server v2.1.1 High Availability Administration Guide

Procedure: To Export and Import the DAS Certificate for Sun Web Server 6.1

  1. If you are using Enterprise Server with HADB, export the DAS certificate by executing the command:

    <as home>/lib/upgrade/pk12util -d <domain root>/config -o sjsas.p12 -W <file password> -K <master password> -n s1as

    • If you are using GlassFish v2.1 or Enterprise Server without the HADB bundle, you must use the following command to export the DAS certificate:

      <JAVA_HOME>/bin/keytool -export -rfc -alias s1as -keystore <GLASSFISH_HOME>/domains/<DOMAIN_NAME>/config/keystore.jks -file s1as.rfc

      where <GLASSFISH_HOME> indicates the Application Server installation directory and <DOMAIN_NAME> refers to the domain whose certificate is being exported.

    • Copy the certificate file to the web server configuration directory.

  2. If you are using Enterprise Server with the HADB bundle, import the DAS certificate into the Web Server instance using the following commands:

    <webserver home>/bin/https/admin/bin/pk12util -i sjsas.p12 -d <webserver home>/alias -W <file password> -K <webserver security db password> -P <instance-name>-<hostname>-

    <webserver home>/bin/https/admin/bin/certutil -M -n s1as -t "TCu,Cu,Tuw" -d alias -P <instance-name>-<hostname>-

    This command makes the Application Server CA a trusted CA for signing both client and server certificates.

    • If you are using GlassFish v2.1 or Enterprise Server without the HADB bundle, import the DAS certificate from the rfc file that you created, using certutil, the NSS security tool.

      <webserver_home>/bin/certutil -A -a -n s1as -t "TCu,Cu,Tuw" -i s1as.rfc -d alias -P <instance-name>-<hostname>-

      where <webserver_home> refers to the web server installation directory.

      You can check that the certificate is present by using the following command, which lists the s1as certificate along with the other CA certificates, including the default server certificate. Ensure that you type the command on a single line.

      <WS_INSTALL_ROOT>/bin/certutil -L -d
      <WS_INSTALL_ROOT>/admin-server/config-store/
      <DEFAULT_CONFIG_NAME>/config
  3. If obj.conf does not contain the following lines, append them at the end of the file. If you are using Enterprise Server with the HADB bundle, this step is automatically performed by the installation program.

    <Object ppath="*lbconfigupdate*">
    PathCheck fn="get-client-cert" dorequest="1" require="1"
    </Object>
    <Object ppath="*lbgetmonitordata*">
    PathCheck fn="get-client-cert" dorequest="1" require="1"
    </Object>
  4. You can verify this setup from the DAS using the steps provided in the section Verifying the Setup. Instead of using the local CA, you can use any other CA and server certificate. In that case you can skip steps 5 and 6 listed in the previous section, but you need to import the server certificate that you obtained from the other CA.
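
The obj.conf requirement in step 3 can be checked before restarting the web server. The following is an added example, not part of the original guide or of any Sun tool: the function name audit_obj_conf and the sample text are assumptions made for illustration. It reports any of the two load balancer Object blocks that is missing, malformed, or does not require a client certificate.

```python
import re

# The two load-balancer URIs that step 3 protects with client-certificate auth.
REQUIRED_PPATHS = ("*lbconfigupdate*", "*lbgetmonitordata*")
OPEN_RE = re.compile(r"<Object\s+([^>]*)>", re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def audit_obj_conf(text):
    """Return a list of problems; an empty list means step 3 is satisfied."""
    problems, protected = [], set()
    current = None  # ppath of the <Object> block being read (None = outside any block)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.fullmatch(line)
        if opened:
            if current is not None:
                problems.append(f"line {lineno}: <Object> opened inside an unclosed block")
            current = dict(ATTR_RE.findall(opened.group(1))).get("ppath", "")
        elif line.lower() == "</object>":
            current = None
        elif line.lower() == "<object>":
            problems.append(f"line {lineno}: bare <Object>, expected </Object>")
        elif current in REQUIRED_PPATHS and line.startswith("PathCheck"):
            attrs = dict(ATTR_RE.findall(line))
            # dorequest="1" asks for a certificate; require="1" rejects the
            # request when none is presented. Both are needed.
            if (attrs.get("fn"), attrs.get("dorequest"), attrs.get("require")) == \
                    ("get-client-cert", "1", "1"):
                protected.add(current)
    for ppath in REQUIRED_PPATHS:
        if ppath not in protected:
            problems.append(f'ppath="{ppath}": client certificate is not required')
    return problems

# Constructed sample: the second block only requests a certificate (require="0").
SAMPLE = '''<Object name="default">
</Object>
<Object ppath="*lbconfigupdate*">
PathCheck fn="get-client-cert" dorequest="1" require="1"
</Object>
<Object ppath="*lbgetmonitordata*">
PathCheck fn="get-client-cert" dorequest="1" require="0"
</Object>
'''

if __name__ == "__main__":
    for problem in audit_obj_conf(SAMPLE):
        print(problem)
```

To audit a real instance, pass the contents of its obj.conf to audit_obj_conf instead of the constructed sample.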