Published on Feb 20 2019 in Java Glassfish

Usually you can proxy HTTP and HTTPS ports to their Glassfish counterparts (8080 and 8081) with the certificate installed on webserver (frontend) level but to have Glassfish console (port 4848) secured with certificate you may want to install it directly in Glassfish.

You may also want to access HTTPS listener directly with port number in URL. In this case you will need to install the certificate directly in Glassfish.

In this example we will use typical Apache format certificate fileset i.e. key file, certificate file and CA certificate bundle.

You can have the same certificate installed in Apache and Glassfish but use it for different ports depending on where it has been installed. See below diagram.

---> Apache 80 ------------------------> Glassfish 8080
---> Apache 443 (SSL certificate) -----> Glassfish 8080
---> Glassfish 4848 (SSL certificate)

Review and backup existing keystore

We have already generated key in cPanel so will not repeat this step. Our starting point assumes we have:

The files are saved in cd $GLASSFISH_HOME/glassfish/domains/domain1/config (can be any other location that you’ll use consequently).

asadmin list-jvm-options

Above you can see where Java is looking for the keystores. Glassifish is by default using s1as certificate alias. Let’s display it.

cd $GLASSFISH_HOME/glassfish/domains/domain1/config
keytool -list -keystore keystore.jks -alias s1as
Enter keystore password: changeit

s1as, May 15, 2013, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 4A:57:58:F6:92:79:E8:2F:2A:91:3C:83:CA:65:8D:69:64:57:5A:72

Delete current self-signed s1as certificate

We will delete it from keystore.jks and cacerts.jks.

cp keystore.jks keystore.jks.bak 
keytool -delete -alias s1as -keystore keystore.jks
Enter keystore password: changeit
keytool -delete -alias s1as -keystore cacerts.jks
Enter keystore password: changeit

Verify that it has been deleted:

keytool -list -v -keystore keystore.jks | grep s1as
keytool -list -v -keystore cacerts.jks | grep s1as

Put SSL componenets into Java keystore

The SSLCACertificateFile.crt already contains certifcate chain (root and intermediate certificates). We will prepend them with certificate for our domain.

cat SSLCertificateFile.crt SSLCACertificateFile.crt > all.crt
openssl pkcs12 -export -in all.crt -inkey SSLCertificateKeyFile.key -name s1as -passout pass:changeit > keystore.p12
keytool -list -v -keystore keystore.p12 -storetype pkcs12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass changeit -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -alias s1as -destalias s1as

The above command imported key and 3 certificates. You can verify it with

keytool -list -v -keystore keystore.jks

Now you need to restart Glassfish

asadmin restart-domain

Go to (or whatever port your Glassfish Console is using) to verify your new certificate is working. The green padlock should shine in your address bar.

Alternatively you could leave s1as as is and import the new certificate(s) under different alias then update all references to s1as in domain.xml with your new certificate alias.

Enabling HTTP SSL connector on default port 8081

Optionally - if you need direct HTTPS access to your Glassfish - you can enable SSL connector. This can be the case if you are not using Apache as fronted but running bare Glassfish. The certificate that we installed above will be securing our HTTPS connection.

Login to Glassfish Console and set s1as in Configurations - server-config - Network Config - Network Listeners - http-listener-2 - SSL - Certificate Nickname.

Console login issues

After above steps admin cannot longer login to web console with its password (he can login with local-password though).

Solution is to run (even if you have already run it):

asadmin enable-secure-admin

Alternativley you can run

asadmin enable-secure-admin-principal --alias s1as

And finally restarrt glassfish:

asadmin restart-domain