Sun GlassFish Mobility Platform 1.1 Installation Guide

Chapter 2 Establishing Trust

This chapter explains how to establish trust between tier 1, the Gateway tier, and tier 2, the Enterprise tier. The procedures included in this chapter use self-signed certificates that are automatically generated by the Enterprise Server. In a production environment, you would obtain certificates from a certificate authority (CA), a trusted third party that issues digital certificates for use by other parties. There are many commercial CAs, such as Verisign, that charge for their services. Some institutions and governments have their own CAs and there are even some CAs that issue certificates free of charge.

A CA issues digital certificates that contain a public key and the identity of the owner. The CA attests that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. The CA verifies an applicant's credentials, so other users and parties that rely on the veracity of the credentials can trust the information in the CA's certificates.

A self-signed certificate, on the other hand, is an identity certificate that is signed by its own creator. The person that created the certificate also signed off on its legitimacy. The mobile client, Gateway tier, and Enterprise tier in a Sun GlassFish Mobility Platform environment can use either self-signed or CA-issued certificates.

Trust is established in two phases:

  1. Configuring the Enterprise tier to trust the Gateway tier

  2. Configuring the Gateway tier to trust the Enterprise tier

The following sections explain these phases.

Configuring the Enterprise Tier to Trust the Gateway Tier

There is a two-step process to configure trust between the Gateway tier and the Enterprise tier:

  1. On the Gateway tier, export the keystore, then copy it to the Enterprise tier.

    1. Change to the config subdirectory in the Gateway tier Sun GlassFish Mobility Platform installation:


      $ cd as-install/domains/domain-dir/config
      
    2. Export the keystore to a file:


      $ keytool -export \
      -keystore keystore.jks \
      -alias s1as \
      -file tier1_sjsas.cer \
      -storepass adminpass
      
    3. Copy the exported keystore to the config subdirectory in the Enterprise tier Sun GlassFish Mobility Platform installation:


      $ cp tier1_sjsas.cer /net/tier2-hostname/as-install/domains/domain-dir/config
      

      In this case, as-install is the location where the Enterprise Server has been installed and domain-dir is the name of the Sun GlassFish Mobility Platform domain, usually mep.

  2. On the Enterprise tier, import the keystore from the Gateway tier.

    1. Change to the config subdirectory in the Enterprise tier Sun GlassFish Mobility Platform installation:


      $ cd as-install/domains/domain-dir/config
      
    2. Import the keystore that was exported from the Gateway tier:


      $ keytool -import \
      -keystore cacerts.jks \
      -alias tier1_sjsas \
      -file tier1_sjsas.cer \
      -storepass adminpass \
      -trustcacerts \
      -noprompt
      
  3. Stop, then restart the Enterprise Server on the Enterprise tier to use the new security settings.

    1. Stop the Enterprise Server:


      $ asadmin stop-domain domain-dir
      
    2. Restart the Enterprise Server:


      $ asadmin start-domain domain-dir
      

Configuring the Gateway Tier to Trust the Enterprise Tier

There is a two-step process to configure trust between the Enterprise tier and the Gateway tier:

  1. On the Enterprise tier, export the keystore, then copy it to the Gateway tier.

    1. Change to the config subdirectory in the Enterprise tier Sun GlassFish Mobility Platform installation:


      $ cd as-install/domains/domain-dir/config
      
    2. Export the keystore to a file:


      $ keytool -export \
      -keystore keystore.jks \
      -alias s1as \
      -file tier2_sjsas.cer \
      -storepass adminpass
      
    3. Copy the exported keystore to the config subdirectory in the Gateway tier Sun GlassFish Mobility Platform installation:


      $ cp tier2_sjsas.cer /net/tier1-hostname/as-install/domains/domain-dir/config
      
  2. On the Gateway tier, import the keystore from the Enterprise tier.

    1. Change to the config subdirectory in the Gateway tier Sun GlassFish Mobility Platform installation:


      $ cd as-install/domains/domain-dir/config
      
    2. Import the keystore that was exported from the Enterprise tier:


      $ keytool -import \
      -keystore cacerts.jks \
      -alias tier2_sjsas \
      -file tier2_sjsas.cer \
      -storepass adminpass \
      -trustcacerts \
      -noprompt
    
  3. Stop, then restart the Enterprise Server on the Gateway tier to use the new security settings.

    1. Stop the Enterprise Server:


      $ asadmin stop-domain domain-dir
      
    2. Restart the Enterprise Server:


      $ asadmin start-domain domain-dir
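Both import steps above pass -noprompt, which suppresses the fingerprint confirmation keytool would otherwise ask for, so the certificate copied between tiers is trusted as-is. The script below is an added example, not part of the guide, that wraps the import for either tier behind a check that the file's SHA-256 fingerprint equals the one read on the exporting tier (keytool -printcert -file shows it); it assumes sha256sum is available and that the store password is supplied in the KEYTOOL_STOREPASS environment variable instead of on the command line.

```shell
#!/bin/sh
# Added example (not from the guide): import tier1_sjsas.cer / tier2_sjsas.cer
# into cacerts.jks only after its SHA-256 fingerprint matches the value
# obtained out-of-band on the tier that exported it. Because the guide's
# import uses -noprompt, this check replaces keytool's own confirmation.
# Assumes sha256sum (coreutils) and keytool are on PATH.
set -eu

# keytool's "SHA256:" fingerprint is the digest of the DER bytes, which is
# exactly what keytool -export writes, so hashing the .cer file reproduces it.
cert_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Turn a fingerprint as copied from keytool output ("AB:CD:...") into
# lowercase hex without colons so both sides compare in one form.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# Exit status 0 when the file matches the expected fingerprint, 1 otherwise.
fingerprint_matches() {
    [ "$(cert_fingerprint "$1")" = "$(normalize_fp "$2")" ]
}

# Same import as the guide's step 2, gated on the fingerprint check. The
# store password comes from KEYTOOL_STOREPASS via keytool's -storepass:env
# form, so it is not visible in shell history or process listings.
# Usage: import_trusted_cert tier1_sjsas.cer tier1_sjsas "<fingerprint>"
import_trusted_cert() {
    cer=$1; alias=$2; expected=$3
    if ! fingerprint_matches "$cer" "$expected"; then
        echo "fingerprint mismatch for $cer; refusing to import" >&2
        return 1
    fi
    : "${KEYTOOL_STOREPASS:?set KEYTOOL_STOREPASS to the keystore password}"
    keytool -import -keystore cacerts.jks -alias "$alias" -file "$cer" \
        -storepass:env KEYTOOL_STOREPASS -trustcacerts -noprompt
}

# Run from the domain's config directory with the three arguments above;
# with no arguments the script only defines the functions.
if [ $# -eq 3 ]; then
    import_trusted_cert "$1" "$2" "$3"
fi
```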