How To Configure GlassFish With Fully Managed TLS Certificates in JKS


GlassFish is an open source Java application server from the Eclipse Foundation, typically run on Red Hat Enterprise Linux (RHEL), CentOS, Ubuntu Server, macOS, and Windows Server. This guide walks through configuring a GlassFish server to use an X.509 certificate issued by Microsoft ADCS (PKI). GlassFish uses the certificate to provide TLS (the successor to SSL) for HTTPS, and it reads the certificate and its private key from a Java KeyStore (JKS) file.

CertAccord© Enterprise can automatically create X.509 certificates from Microsoft ADCS and other CA platforms. The certificates are fully managed, including automatic renewal, and can be exported in multiple formats including PEM, PKCS12 (P12), and JKS.

The resulting JKS file is automatically updated by CertAccord prior to expiration. GlassFish loads the keystore when the domain starts, so plan for a domain restart after each renewal unless you have confirmed that your GlassFish version reloads the file on its own. For more information on how this works visit the CertAccord Enterprise page.

Password Strategy

GlassFish has a specific password requirement: the domain master password is the password it uses to open the keystore and the trust store and to unlock the private key, so all of the following must be the same value:

  • GlassFish master password for the domain
  • JKS keystore password
  • Private key entry password (inside the keystore file)
  • CA trust file cacerts.jks

Your first instinct might be to change the password of the keystore and private key created by CertAccord to match the existing GlassFish master password. Do not do that on its own: CertAccord opens the keystore with the password recorded in its .jks.properties file when it renews the certificate, so automatic renewals of the JKS will stop working. You have the following options:

Password Option 1 (Recommended)

Change the GlassFish master password for the domain to match the JKS password found in the CertAccord-created .jks.properties file (the "keystore.password" value).

Password Option 2

Change the CertAccord-created JKS to use the GlassFish master password using "keytool". Both the keystore password (keytool -storepasswd) and the private key entry password (keytool -keypasswd, with the alias from STEP 2) must be changed, because keytool changes them independently. You must then edit the .jks.properties file and set the "keystore.password" value (and "privatekey.password", which must hold the same value) to the GlassFish master password so that CertAccord can still open the keystore at renewal.

Step By Step Guide

STEP 1

Install and register CertAccord Enterprise Agent on the target system with GlassFish.  See the CertAccord Enterprise Installation Guide for details.

STEP 2

Create a certificate in JKS format from CertAccord:

PS C:\> cmb cert create usages=serverauthentication alias=s1as certstoragefmt=jks
Authenticate using CertAccord/Active Directory
Username: jsmith
Password:
Created certificate ID: d2pN78bQ SUBJECT: "test23.contoso.com" SERIAL: 2500009c USAGES: ServerAuthentication EXPIRES: Dec 02 2020 07:20:02 PST
Adding certificate + private key [ID: 3HM836fC [RSA 2048]] to C:\ProgramData\Revocent\CertAccordAgent\cert\test23.contoso.com-serverauthentication.jks
Exported [ADDED] FILE: C:\ProgramData\Revocent\CertAccordAgent\cert\test23.contoso.com-serverauthentication.jks
ENTRY: [ADDED] PRIVATEKEY "Private Key 3HM836fC" RSA 2048
ENTRY: [ADDED] "Certificate d2pN78bQ" SUBJECT: "test23.contoso.com" USAGES: ServerAuthentication
ENTRY: [ADDED] TRUSTCERTIFICATE "Contoso Issuing CA2" SUBJECT: "CN=Contoso Issuing CA2, DC=contoso, DC=com"
ENTRY: [ADDED] TRUSTCERTIFICATE "Contoso Root CA" SUBJECT: "CN=Contoso Root CA"
Exported JKS Config File [NoChange] FILE: C:\ProgramData\Revocent\CertAccordAgent\cert\test23.contoso.com-serverauthentication.jks.properties

The alias "s1as" is GlassFish's default key alias. You may choose any alias, but it must match the alias referenced in domain.xml (see STEP 4).

Review the output and take note of these files that will be used later:

C:\ProgramData\Revocent\CertAccordAgent\cert\test23.contoso.com-serverauthentication.jks
C:\ProgramData\Revocent\CertAccordAgent\cert\test23.contoso.com-serverauthentication.jks.properties

STEP 3

Stop the GlassFish server:

asadmin stop-domain

STEP 4

Edit the following file with Notepad or your editor of choice:

glassfishInstallDir/glassfish5/glassfish/domains/domain1/config/domain.xml

Locate the following lines. Each appears in more than one place (the server-config and default-config sections both carry them), so change every occurrence.

Change the key alias by editing this line and replacing "s1as" with the alias you chose in STEP 2 (no change is needed if you kept "s1as"):

<jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as</jvm-options>

The HTTPS listeners reference the same alias through the cert-nickname attribute of their <ssl> elements; update those that name "s1as" as well.

Change the keystore and trust store files by changing these lines:

<jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>

to be:

<jvm-options>-Djavax.net.ssl.keyStore=C:\ProgramData\Revocent\CertAccordAgent\cert\test23.contoso.com-serverauthentication.jks</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStore=C:\ProgramData\Revocent\CertAccordAgent\ca\glassfish-cacerts.jks</jvm-options>

Use the JKS path from your own STEP 2 output; glassfish-cacerts.jks is created in STEP 6. The account that runs GlassFish needs read access to both files.

Save the domain.xml file and close your editor.

STEP 5

Review the Password Strategy and pick the desired option. In this step we follow the recommended option (Option 1).

Change the GlassFish master password for the domain to match the CertAccord-created JKS. Gather the password from the "keystore.password" value:

PS C:\> type test23.contoso.com-serverauthentication.jks.properties
privatekey.password=3gOtsrO3M4At2G?RBqqB?s3Sg
keystore.password=3gOtsrO3M4At2G?RBqqB?s3Sg

The "keystore.password" line contains the keystore password; "privatekey.password" should hold the same value. This file stores the password in clear text, so restrict its file permissions to administrators and the account that runs GlassFish.

Change the GlassFish master password for the domain (the domain must be stopped, as in STEP 3):

asadmin change-master-password domain1

asadmin prompts first for the current master password (the default is "changeit" unless it was changed earlier) and then for the new one; enter the value from "keystore.password". If the master password was previously saved so that start-domain does not prompt for it, add --savemasterpassword to keep that behavior.

STEP 6

The CA trust file used by GlassFish must have the same password as the keystore file. See Password Strategy for more details.

Make a copy of the CertAccord-created CA trust file named "glassfish-cacerts.jks" (it is a copy, so repeat this step if CertAccord later updates cacerts.jks with a new CA certificate):

PS C:\> cd C:\ProgramData\Revocent\CertAccordAgent\ca
PS C:\ProgramData\Revocent\CertAccordAgent\ca> copy cacerts.jks glassfish-cacerts.jks

Change the password of glassfish-cacerts.jks to the password of the CertAccord JKS, i.e. the "keystore.password" value from the .jks.properties file. A trust store holds no private keys, so only the store password needs to change. keytool does not echo what you type; the values are shown here for clarity:

PS C:\ProgramData\Revocent\CertAccordAgent\ca> keytool -storepasswd -keystore .\glassfish-cacerts.jks
Enter keystore password: changeit
New keystore password: <value of keystore.password>
Re-enter new keystore password: <value of keystore.password>
PS C:\ProgramData\Revocent\CertAccordAgent\ca>

STEP 7

Start GlassFish (asadmin prompts for the master password unless it was saved):

asadmin start-domain

STEP 8

Access your application over HTTPS via a browser or your usual methods (GlassFish's default secure listener is port 8181) and inspect the certificate the server presents: its subject should be the certificate created in STEP 2 and the chain should end at your CA. If the domain fails to start or the listener does not come up, check the domain's server.log for keystore password or alias errors, which point back to the Password Strategy or to STEP 4.
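The following script is an added example, not CertAccord's or GlassFish's own tooling, that automates the checks behind Password Option 1 and the domain.xml edits of STEP 4: it parses the .jks.properties file, refuses to continue if the keystore and private key passwords differ, rewrites every keyStore, trustStore and alias reference in domain.xml, and reports how many lines it changed so a zero count (wrong file) is caught before GlassFish is started. It assumes the .jks.properties file is plain key=value text as shown in STEP 5, that domain.xml can be edited as text around the jvm-options and cert-nickname patterns, and that only cert-nickname values equal to the old alias belong to this certificate; the sample domain.xml is a constructed fragment, and the paths and password values are the ones shown in the guide.

```python
"""Added example, not CertAccord's or GlassFish's own tooling: script the
Password Strategy check (Option 1) and the domain.xml edits of STEP 4.
Assumptions (not from the guide): the .jks.properties file is plain key=value
text as shown in STEP 5; domain.xml is edited as text around the jvm-options
and cert-nickname patterns; SAMPLE_DOMAIN_XML is a constructed fragment."""
import re
from xml.sax.saxutils import escape

# Paths taken from STEP 2 and STEP 6 of the guide.
KEYSTORE = r"C:\ProgramData\Revocent\CertAccordAgent\cert\test23.contoso.com-serverauthentication.jks"
TRUSTSTORE = r"C:\ProgramData\Revocent\CertAccordAgent\ca\glassfish-cacerts.jks"

# Constructed sample inputs; the password values are the ones shown in STEP 5.
SAMPLE_PROPERTIES = (
    "privatekey.password=3gOtsrO3M4At2G?RBqqB?s3Sg\n"
    "keystore.password=3gOtsrO3M4At2G?RBqqB?s3Sg\n"
)
SAMPLE_DOMAIN_XML = """<domain><configs>
  <config name="server-config">
    <protocol security-enabled="true" name="http-listener-2">
      <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"></ssl>
    </protocol>
    <java-config>
      <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
      <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
      <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as</jvm-options>
    </java-config>
  </config>
  <config name="default-config">
    <java-config>
      <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks</jvm-options>
      <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>
      <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as</jvm-options>
    </java-config>
  </config>
</configs></domain>
"""


def parse_jks_properties(text):
    """Parse CertAccord's key=value file. Split on the first '=' only: the
    generated passwords contain '?' and may contain '=' and must stay verbatim."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def master_password_from_properties(props):
    """Password Option 1: the domain master password becomes keystore.password,
    which must already equal privatekey.password. Fail here rather than let
    GlassFish fail at startup with a keystore error."""
    ks = props.get("keystore.password")
    pk = props.get("privatekey.password")
    if not ks or not pk:
        raise ValueError("keystore.password and privatekey.password are both required")
    if ks != pk:
        raise ValueError("keystore.password != privatekey.password; GlassFish needs one value for both")
    return ks


def rewrite_domain_xml(xml_text, keystore, truststore, old_alias, new_alias):
    """Repoint every matching jvm-options line (server-config and default-config
    each carry a copy) and rename cert-nickname attributes that still use the
    old alias. Text substitution keeps comments and layout an XML parser would
    drop; the lambda hands back the replacement literally, so the Windows
    backslashes in the paths are never read as regex escapes."""
    subs = {
        "keystore": (r"-Djavax\.net\.ssl\.keyStore=[^<]*",
                     "-Djavax.net.ssl.keyStore=" + escape(keystore)),
        "truststore": (r"-Djavax\.net\.ssl\.trustStore=[^<]*",
                       "-Djavax.net.ssl.trustStore=" + escape(truststore)),
        "outbound_alias": (r"-Dcom\.sun\.enterprise\.security\.httpsOutboundKeyAlias=[^<]*",
                           "-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=" + escape(new_alias)),
        # Assumption: nicknames other than the old alias belong to other key
        # entries and are left untouched.
        "cert_nickname": ('cert-nickname="%s"' % re.escape(old_alias),
                          'cert-nickname="%s"' % escape(new_alias, {'"': "&quot;"})),
    }
    counts = {}
    for name, (pattern, replacement) in subs.items():
        xml_text, counts[name] = re.subn(pattern, lambda _m: replacement, xml_text)
    return xml_text, counts


def configure(domain_xml, properties_text, alias="s1as"):
    """Return (new domain.xml text, substitution counts, master password to set
    with asadmin change-master-password). A zero keystore/truststore count means
    the wrong file was read, so refuse to continue."""
    password = master_password_from_properties(parse_jks_properties(properties_text))
    new_xml, counts = rewrite_domain_xml(domain_xml, KEYSTORE, TRUSTSTORE, "s1as", alias)
    if counts["keystore"] == 0 or counts["truststore"] == 0:
        raise RuntimeError("no javax.net.ssl.keyStore/trustStore jvm-options found in domain.xml")
    return new_xml, counts, password
```

For a real domain, read domain.xml and the .jks.properties file from disk, call configure() with the alias chosen in STEP 2, write the returned text back over domain.xml while the domain is stopped, and then run asadmin change-master-password with the returned password; the counts tell you how many occurrences were rewritten, which should be at least two each for the jvm-options lines in a stock domain.xml.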
