This chapter describes how to configure Oracle GlassFish Server to use a certificate issued by a Certification Authority (CA) to establish secure sessions through secure sockets layer (SSL) technology.
For complete instructions on how to request and install a certificate for GlassFish Server, refer to the official GlassFish Security documentation. Also see the Mozilla certutil page for more information on the certutil command at:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
To configure GlassFish Server to use a CA signed certificate:
Change to the GlassFish_home/lib directory and run the certutil command to generate the certificate request.
In the following example:
The Organization (O) field is required and must be filled in with the organization name exactly (without commas or periods).
The Country (C) field is required and must be filled in with the two-letter code for the country in which the server resides, for example, US.
VeriSign does not accept CSRs with a country code of UK. Instead you must use the country code GB.
The State (ST) field is required and should be filled in with the full name, not the abbreviated name, of the state or province in which the server resides.
The Common name (CN) field is required and should be filled in with the fully qualified domain name (FQDN) of the server. A fully qualified domain name means the full name of the server host. For example, demoserver.central.example.com is a fully qualified domain name, while demoserver.central is not. DNS must be able to resolve the FQDN.
The Locality (L) field is optional, but if filled in appears in the certificate. Use the name of the city in which the server resides.
The Organization Unit (OU) field is optional, but if filled in appears in the certificate. You can use it to differentiate between multiple SSL server instances running on the same host. If you do not need it, leave it blank.
-o specifies the file to be created.
-d specifies the config directory of the GlassFish Server domain for which the certificate is being requested.
-a specifies ASCII output.
Sample command to create a request:
./certutil -R -s "CN=demoserver.central.example.com,OU=Demo, O=Example Inc,L=San Jose,ST=California,C=US" -o /export/tmp/democert-app-server.req -d /opt/SUNWappserver/domains/domain1/config -a
Enter Password or Pin for "NSS Certificate DB": <This is the GlassFish Enterprise Server's administrative password.>
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
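As an added example that is not part of this documentation, the following Python script checks a set of subject fields against the rules listed above and assembles the string passed to certutil -R -s. The attribute order, the FQDN heuristic (host plus domain plus TLD, following the demoserver example) and the UK to GB substitution are this example's own generalization of the text; the "no commas or periods" rule is applied to every attribute except CN.

```python
import re

# Added example (not from the GlassFish documentation): validate the subject
# fields against the rules listed above and build the string for certutil -R -s.
# The "no commas or periods" rule is applied to every attribute except CN,
# since a comma would end the attribute inside the -s string.

REQUIRED = ("CN", "O", "ST", "C")
ORDER = ("CN", "OU", "O", "L", "ST", "C")    # order used by the sample command
COUNTRY_FIXUPS = {"UK": "GB"}                # some CAs reject UK; the ISO code is GB

def check_fqdn(cn):
    """Heuristic following the text's example: demoserver.central.example.com
    is an FQDN, demoserver.central is not, so require host + domain + TLD."""
    labels = cn.split(".")
    if len(labels) < 3 or not all(re.fullmatch(r"[A-Za-z0-9-]+", lab) for lab in labels):
        raise ValueError(f"CN {cn!r} is not a fully qualified domain name")

def build_subject(**fields):
    """Return the -s argument, e.g. 'CN=host.example.com,O=Example Inc,...'."""
    missing = [f for f in REQUIRED if not (fields.get(f) or "").strip()]
    if missing:
        raise ValueError("required field(s) missing: " + ", ".join(missing))
    unknown = set(fields) - set(ORDER)
    if unknown:
        raise ValueError("unknown attribute(s): " + ", ".join(sorted(unknown)))
    parts = []
    for attr in ORDER:
        value = (fields.get(attr) or "").strip()
        if not value:
            continue                          # L and OU may be left blank
        if attr == "C":
            value = COUNTRY_FIXUPS.get(value.upper(), value.upper())
            if not re.fullmatch(r"[A-Z]{2}", value):
                raise ValueError(f"C must be a two-letter country code, got {value!r}")
        elif attr == "CN":
            check_fqdn(value)
        elif "," in value or "." in value:
            raise ValueError(f"{attr} must not contain commas or periods: {value!r}")
        parts.append(f"{attr}={value}")
    return ",".join(parts)

if __name__ == "__main__":
    subject = build_subject(CN="demoserver.central.example.com", OU="Demo",
                            O="Example Inc", L="San Jose", ST="California", C="US")
    print(f'./certutil -R -s "{subject}" -o democert.req -d domain1/config -a')
```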
The Certificate Request resembles the following:
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: <>
Email: (not specified)
Organization: <>
State: <>
Country: <>

-----BEGIN NEW CERTIFICATE REQUEST-----
(base64-encoded request body omitted)
-----END NEW CERTIFICATE REQUEST-----
Submit the certificate request and get the certificate approved by the Certificate Authority (CA).
As there are many ways to have your certificate request approved, this step is left up to you. The approved certificate, in PEM format, resembles the following:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=<>, ST=<>, L=<>, O=<>, OU=<>, CN=<>
        Validity
            Not Before: Sep 24 11:47:45 2009 GMT
            Not After : Sep 24 11:47:45 2010 GMT
        Subject: C=<>, ST=<>, O=<>, OU=<>, CN=<>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    (hex dump omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A0:0B:AC:87:D6:29:DA:AD:1C:EC:82:85:33:C3:BC:09:E0:25:B4:2B
            X509v3 Authority Key Identifier:
                keyid:10:C9:2C:31:AC:4A:A5:F1:08:0B:28:15:96:3F:1D:1A:71:33:E7:47
                DirName:/C=<>/ST=<>/L=<>/O=<>/OU=<>/CN=<>
                serial:CA:0F:64:A4:89:4F:2C:21
    Signature Algorithm: md5WithRSAEncryption
        (hex dump omitted)
-----BEGIN CERTIFICATE-----
(base64-encoded certificate body omitted)
-----END CERTIFICATE-----
Once you have obtained the approved, CA-signed SSL server certificate, install it with the certutil command:
certutil -A -n TestSSLCert -t "P,u,u" -d GlassFish_home/domain-config -i /space/smime/ssl-certs/certs/<>.pem
TestSSLCert is the certificate nickname used in this example; it is the value you must later enter in the GlassFish Enterprise Server configuration.
Verify that the certificate was installed.
certutil -L -d GlassFish_home/domain-config
The output is similar to the following:
verisignclass1ca  T,c,c
thawtepersonalpremiumca  T,c,c
baltimorecodesigningca  T,c,c
TestSSLCert  T,c,c
verisignclass2g2ca  T,c,c
verisignclass3g3ca  T,c,c
entrustglobalclientca  T,c,c
entrustsslca  T,c,c
verisignclass3g2ca  T,c,c
thawtepremiumserverca  T,c,c
entrust2048ca  T,c,c
valicertclass2ca  T,c,c
gtecybertrust5ca  T,c,c
equifaxsecureebusinessca1  T,c,c
verisignclass1g3ca  T,c,c
godaddyclass2ca  T,c,c
thawtepersonalbasicca  T,c,c
verisignclass1g2ca  T,c,c
verisignclass2g3ca  T,c,c
equifaxsecureca  T,c,c
entrustclientca  T,c,c
verisignserverca  T,c,c
geotrustglobalca  T,c,c
equifaxsecureebusinessca2  T,c,c
s1as  u,u,u
sslCACert  T,c,c
verisignclass3ca  T,c,c
verisignclass2ca  T,c,c
sslcert1  pu,pu,pu
gtecybertrustglobalca  T,c,c
entrustgsslca  T,c,c
thawtepersonalfreemailca  T,c,c
thawteserverca  T,c,c
baltimorecybertrustca  T,c,c
starfieldclass2ca  T,c,c
equifaxsecureglobalebusinessca1  T,c,c
TestSSLCert  P,u,u
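The verification step above is easy to misread in a long listing, so here is an added example (not from the GlassFish documentation) that parses certutil -L output, decodes the NSS trust letters, and reports whether the installed nickname is missing, duplicated (which leaves the nickname reference in the server configuration ambiguous) or carries trust flags other than the ones given to certutil -A. The SAMPLE listing is constructed for the example.

```python
# Added example (not from the GlassFish documentation): parse "certutil -L -d <dir>"
# output like the listing above and confirm the server certificate is present under
# the nickname the SSL configuration will reference, with the expected trust flags.

# NSS trust letters (from certutil's documentation); each entry has three
# comma-separated groups for SSL, S/MIME and JAR/XPI (code signing) trust.
TRUST_LETTERS = {"p": "valid peer", "P": "trusted peer", "c": "valid CA",
                 "C": "trusted CA", "T": "trusted CA (client auth)", "u": "user cert"}

def parse_listing(text):
    """Return [(nickname, (ssl, smime, jar)), ...]; nicknames may contain
    spaces, so the trust column is split off at the last space."""
    entries = []
    for line in text.splitlines():
        nickname, _, flags = line.strip().rpartition(" ")
        groups = flags.split(",")
        if len(groups) == 3 and nickname:      # skips header and blank lines
            entries.append((nickname.strip(), tuple(groups)))
    return entries

def describe(flags):
    return ", ".join(TRUST_LETTERS[ch] for ch in flags) or "no trust"

def check_installed(text, nickname, expected_flags=("P", "u", "u")):
    """Report whether the nickname is missing, duplicated (ambiguous for the
    server config) or carries flags other than those given to certutil -A."""
    matches = [f for n, f in parse_listing(text) if n == nickname]
    if not matches:
        return f"{nickname}: NOT FOUND"
    if len(matches) > 1:
        return f"{nickname}: DUPLICATE ({len(matches)} entries); remove the stale one"
    if matches[0] != tuple(expected_flags):
        return f"{nickname}: unexpected trust {','.join(matches[0])}"
    return f"{nickname}: ok, SSL trust = {describe(matches[0][0])}"

# Constructed sample in the shape of certutil -L output (header lines included).
SAMPLE = """\
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

verisignclass3ca                            T,c,c
s1as                                        u,u,u
TestSSLCert                                 P,u,u
"""

if __name__ == "__main__":
    print(check_installed(SAMPLE, "TestSSLCert"))   # TestSSLCert: ok, SSL trust = trusted peer
    print(check_installed(SAMPLE, "OldCert"))       # OldCert: NOT FOUND
```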
Log in to the GlassFish Server Administration Console and change the SSL certificate nickname. (This example uses TestSSLCert.) If you want the JMX connector to also use the new certificate, perform the following:
From Configuration, select server-config.
Select admin service.
Select system.
Select the SSL tab.
Change the SSL certificate nickname to be the new one you want to use.
Run any asadmin command; it prompts you to accept the new certificate:
cd GlassFish_home/bin
asadmin list-jms-hosts
Do you trust the above certificate y? yes
Accepting the certificate updates your .asadmintruststore file.
Restart the GlassFish Server domain.
If you have installed the CA certificate after running the init-config command, copy the .asadmintruststore file under the root directory to Calendar Server's /var/opt/sun/comms/davserver/config directory.