7 Configuring GlassFish Server to Use a CA-Signed Certificate

This chapter describes how to configure Oracle GlassFish Server to use a certificate issued by a Certification Authority (CA) to establish secure sessions through secure sockets layer (SSL) technology.

For complete instructions on how to request and install a certificate for GlassFish Server, refer to the official GlassFish Security documentation. Also see the Mozilla certutil page for more information on the certutil command at:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS

To configure GlassFish Server to use a CA-signed certificate:

  1. Change to the GlassFish_home/lib directory and run the certutil command to generate the certificate request.

    In the following example:

    • The Organization (O) field is required and must be filled in with organization name exactly (without commas or periods).

    • The Country (C) field is required and must be filled in with the two-letter code for the country in which the server resides, for example, US.

      VeriSign does not accept CSRs with a country code of UK. Instead you must use the country code GB.

    • The State (ST) field is required and should be filled in with the full name, not the abbreviated name, of the state or province in which the server resides.

    • The Common name (CN) field is required and should be filled in with the fully qualified domain name (FQDN) of the server. A fully qualified domain name means the full name of the server host. For example, demoserver.central.example.com is a fully qualified domain name, while demoserver.central is not. DNS must be able to resolve the FQDN.

    • The Locality (L) field is optional, but if filled in appears in the certificate. Use the name of the city in which the server resides.

    • The Organization Unit (OU) field is optional, but if filled in appears in the certificate. You can use it to differentiate between multiple SSL server instances running on the same host. If you do not need to use it then leave it blank.

    • -o specifies the file to be created.

    • -d specifies the config directory of the GlassFish Server domain for which the certificate is being requested.

    • -a specifies ASCII output.

    Sample command to create a request:
    ./certutil -R -s "CN=demoserver.central.example.com,OU=Demo, O=Example Inc,L=San Jose,ST=California,C=US" -o /export/tmp/democert-app-server.req -d /opt/SUNWappserver/domains/domain1/config -a 
    Enter Password or Pin for "NSS Certificate DB": <This is the GlassFish Enterprise Server's administrative password.> 
    A random seed must be generated that will be used in the 
    creation of your key. One of the easiest ways to create a 
    random seed is to use the timing of keystrokes on a keyboard. 
    To begin, type keys on the keyboard until this progress meter 
    is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! 
    Continue typing until the progress meter is full: 
    |************************************************************| 
    Finished. Press enter to continue: 
    Generating key. This may take a few moments...
    

    The Certificate Request resembles the following:

    Certificate request generated by Netscape certutil 
    Phone: (not specified) 
    Common Name: <> 
    Email: (not specified) 
    Organization: <> 
    State: <> 
    Country: <> 
    -----BEGIN NEW CERTIFICATE REQUEST----- 
    -----END NEW CERTIFICATE REQUEST-----
    
  2. Submit the certificate request and get the certificate approved by the Certificate Authority (CA).

    As there are many ways to have your certificate request approved, this step is left up to you. The approved certificate, in PEM format, resembles the following:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 3 (0x3)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=<>, ST=<>, L=<>, O=<>, OU=<>, CN=<>
            Validity
                Not Before: Sep 24 11:47:45 2009 GMT
                Not After : Sep 24 11:47:45 2010 GMT
            Subject: C=<>, ST=<>, O=<>, OU=<>, CN=<>
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Cert Type:
                    SSL Server
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    A0:0B:AC:87:D6:29:DA:AD:1C:EC:82:85:33:C3:BC:09:E0:25:B4:2B
                X509v3 Authority Key Identifier:
                    keyid:10:C9:2C:31:AC:4A:A5:F1:08:0B:28:15:96:3F:1D:1A:71:33:E7:47
                    DirName:/C=<>/ST=<>/L=<>/O=<>/OU=<>/CN=<>
                    serial:CA:0F:64:A4:89:4F:2C:21
        Signature Algorithm: md5WithRSAEncryption
    -----BEGIN CERTIFICATE----- 
    -----END CERTIFICATE-----
    
  3. Once you have obtained your CA-signed and approved SSL server certificate, install it by using the certutil command.

    certutil -A -n TestSSLCert -t "P,u,u" -d GlassFish_home/domain-config -i /space/smime/ssl-certs/certs/<>.pem
    

    TestSSLCert is an example of the certificate nickname that you need to provide in the GlassFish Enterprise Server configuration.

  4. Verify that the certificate was installed.

    certutil -L -d GlassFish_home/domain-config
    (The output is similar to the following.)

    verisignclass1ca                   T,c,c
    thawtepersonalpremiumca            T,c,c
    baltimorecodesigningca             T,c,c
    TestSSLCert                        T,c,c
    verisignclass2g2ca                 T,c,c
    verisignclass3g3ca                 T,c,c
    entrustglobalclientca              T,c,c
    entrustsslca                       T,c,c
    verisignclass3g2ca                 T,c,c
    thawtepremiumserverca              T,c,c
    entrust2048ca                      T,c,c
    valicertclass2ca                   T,c,c
    gtecybertrust5ca                   T,c,c
    equifaxsecureebusinessca1          T,c,c
    verisignclass1g3ca                 T,c,c
    godaddyclass2ca                    T,c,c
    thawtepersonalbasicca              T,c,c
    verisignclass1g2ca                 T,c,c
    verisignclass2g3ca                 T,c,c
    equifaxsecureca                    T,c,c
    entrustclientca                    T,c,c
    verisignserverca                   T,c,c
    geotrustglobalca                   T,c,c
    equifaxsecureebusinessca2          T,c,c
    s1as                               u,u,u
    sslCACert                          T,c,c
    verisignclass3ca                   T,c,c
    verisignclass2ca                   T,c,c
    sslcert1                           pu,pu,pu
    gtecybertrustglobalca              T,c,c
    entrustgsslca                      T,c,c
    thawtepersonalfreemailca           T,c,c
    thawteserverca                     T,c,c
    baltimorecybertrustca              T,c,c
    starfieldclass2ca                  T,c,c
    equifaxsecureglobalebusinessca1    T,c,c
    TestSSLCert                        P,u,u
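    The following shell script is an added example and is not part of the Oracle GlassFish documentation. It checks the DN fields from step 1 against the rules listed there before assembling the certutil -s argument, and then parses a certutil -L listing as in step 4 to confirm that the installed nickname carries the trust flags given to -A. The function names (build_subject, cert_trust) and the short sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the GlassFish docs): validate DN fields from step 1,
# build the certutil -s value, and check a certutil -L listing from step 4.
# build_subject and cert_trust are constructed helper names.

# build_subject CN OU O L ST C -> prints the -s value, or fails with a reason
build_subject() {
  cn=$1; ou=$2; o=$3; l=$4; st=$5; c=$6
  case "$cn" in
    *.*.*) ;;                                  # host plus domain parts (FQDN)
    *) echo "CN must be a fully qualified domain name: $cn" >&2; return 1 ;;
  esac
  [ -n "$o" ] || { echo "O (Organization) is required" >&2; return 1; }
  case "$o" in
    *,*|*.*) echo "O must not contain commas or periods" >&2; return 1 ;;
  esac
  [ -n "$st" ] || { echo "ST (full state or province name) is required" >&2; return 1; }
  case "$c" in
    [A-Z][A-Z]) ;;                             # two-letter country code
    *) echo "C must be a two-letter country code: $c" >&2; return 1 ;;
  esac
  [ "$c" != "UK" ] || { echo "C=UK is rejected by VeriSign; use GB" >&2; return 1; }
  subj="CN=$cn"
  [ -z "$ou" ] || subj="$subj,OU=$ou"          # OU and L are optional
  subj="$subj,O=$o"
  [ -z "$l" ] || subj="$subj,L=$l"
  printf '%s\n' "$subj,ST=$st,C=$c"
}

# cert_trust LISTING NICKNAME -> prints the trust flags for NICKNAME, or fails
cert_trust() {
  printf '%s\n' "$1" | awk -v n="$2" '
    $1 == n { print $NF; found = 1 }
    END { exit !found }'
}

# Constructed excerpt of a "certutil -L -d <domain config dir>" listing
SAMPLE_LISTING='verisignclass3ca T,c,c
s1as u,u,u
TestSSLCert P,u,u
entrustsslca T,c,c'

# Step 1: the subject used in the documentation's sample request
SUBJECT=$(build_subject demoserver.central.example.com Demo "Example Inc" \
  "San Jose" California US) &&
  echo "certutil -R -s \"$SUBJECT\" -o /export/tmp/democert-app-server.req" \
       "-d /opt/SUNWappserver/domains/domain1/config -a"
# Step 4: confirm the installed nickname carries the P,u,u trust given to -A
cert_trust "$SAMPLE_LISTING" TestSSLCert
```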
    
  5. Log in to the GlassFish Server Administration Console and change the SSL certificate nickname. (This example uses TestSSLCert.) If you want the JMX connector to also use the new certificate, perform the following:

    1. From Configuration, select server-config.

    2. Select admin service.

    3. Select system.

    4. Select the SSL tab.

    5. Change the SSL certificate nickname to be the new one you want to use.

  6. Run any asadmin command to prompt you to accept the new certificate:

    cd GlassFish_home/bin
    asadmin list-jms-hosts
    Do you trust the above certificate y? yes
    

    Accepting the certificate updates your .asadmintruststore file.

  7. Restart the GlassFish Server domain.

  8. If you have installed the CA certificate after running the init-config command, copy the .asadmintruststore file under the root directory to Calendar Server's /var/opt/sun/comms/davserver/config directory.