I have an instance of GlassFish 4.1.1 running and I added my own certificate to my applications; until then everything was OK.

But when I tried to access the GlassFish admin (DAS), the connection was untrusted and the button to add an exception disappeared.

Then I found some interesting links talking about that, like:

I tried this:

asadmin enable-secure-admin --adminalias=myNewAlias --instancealias myNewAlias
asadmin restart-domain domain1

This way the untrusted connection message disappears and the certificate properly appears, but when I try to authenticate it throws an error:

According to the comments on the answer from the link, it is very similar to what that guy had, but I could not solve it by:

  • Removing the s1as certificate from ~/.gfclient/truststore
  • Restarting the domain with my new alias cert

How could I change the s1as certificate properly, so that my DAS works?

I'm using Ubuntu 14 with java-1.8.0-openjdk-amd64.

Step 1: [screenshot]

Step 2: [screenshot]

The server log shows these lines:

[2016-10-18T10:38:12.565+0200] [glassfish 4.1] [SEVERE] [] [org.glassfish.admingui] [tid: _ThreadID=51 _ThreadName=admin-listener(2)] [timeMillis: 1476779892565] [levelValue: 1000] [[ javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; restRequest: endpoint=https://localhost:4848/management/domain/anonymous-user-enabled attrs={} method=GET]]

Comments:

Are you actually adding your own trusted cert to the keystore and truststore, or just changing the alias? (Mike)

Yes, I am adding my cert to cacerts and the keystore inside /domain1/config. (Vitorlui)

I finally solved it; my cacerts still had the oldest s1as certificate and I didn't realize. (Vitorlui)

1 Answer

I finally solved it. Why was it happening? Using @Mike's explanation:

> That is because there is both a keystore and a truststore for GlassFish, and the Admin console effectively uses 2-way SSL authentication for the initial login. If you change the s1as certificate, you will also need to change the glassfish-instance certificate.

In my case I was trying to use my own certificate, but I did not delete the old certificates properly from the cacerts.jks and keystore.jks files.

I was running the command below without first removing s1as and glassfish-instance from those files; that was my wrong step...

asadmin enable-secure-admin --adminalias=myNewAlias --instancealias myNewAlias

For your Domain Administration Server (DAS) on GlassFish 4.1.1 to run with your own certificate you must follow these steps:

1) Insert your own certificate into the cacerts.jks and keystore.jks files:

In my case I am using a PKCS12 certificate:

# keystore.jks (private keys): import the key entry from the .p12.
# -alias must be the alias used inside the .p12; it is reused as the destination alias.
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore myOwnCert.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias myOwnAlias

# cacerts.jks (truststore): the same import, so the DAS trusts the certificate it presents.
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore cacerts.jks -srckeystore myOwnCert.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias myOwnAlias

If you have another kind of certificate you must search how to insert your certificate type into these two files:

$GLASSFISH_HOME/domains/domain1/config/cacerts.jks - truststore - holding all the public keys
$GLASSFISH_HOME/domains/domain1/config/keystore.jks - keystore - holding all the private keys

References:

Session 6. Security configuration before first startup: https://www.nabisoft.com/tutorials/glassfish/installing-glassfish-41-on-ubuntu

http://peter-butkovic.blogspot.com.es/2013/02/glassfish-default-keystore-and.html

https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html?jn9ed3e997=3

https://glassfish.java.net/docs/4.0/security-guide.pdf

2) Delete the old self-signed certificates:

By default, when you run the enable-secure-admin command, the certificate assigned to this instance is s1as and the public one is glassfish-instance; as explained by @Mike in another Stack Overflow question, the certificates remain even if you force it to run with another certificate. Delete both using these commands:

# Turn secure admin off first (takes effect on the next domain restart)
$GLASSFISH_HOME/bin/asadmin disable-secure-admin

# Go to your domain config folder to remove the default certificates
cd $GLASSFISH_HOME/domains/domain1/config/
# Private key entries in the keystore
keytool -delete -alias s1as -keystore keystore.jks -storepass changeit
keytool -delete -alias glassfish-instance -keystore keystore.jks -storepass changeit
# Trusted certificate entries in the truststore
keytool -delete -alias glassfish-instance -keystore cacerts.jks -storepass changeit
keytool -delete -alias s1as -keystore cacerts.jks -storepass changeit

References:

Thanks, @Mike: Right way to configure Glassfish SSL certificate nickname?

https://glassfish.java.net/docs/4.0/security-guide.pdf (page ~80)

3) Re-enable secure admin with the alias you set in the first step:

$GLASSFISH_HOME/bin/asadmin enable-secure-admin --adminalias=myOwnAlias --instancealias myOwnAlias

$GLASSFISH_HOME/bin/asadmin restart-domain

In theory, that's it: you'll be able to access the DAS with your own certificate... ;)
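A pre-flight check for the three steps above, added here as an example; it is my own script, not part of the original answer or of GlassFish. It parses `keytool -list` output to confirm that the default s1as and glassfish-instance entries are gone from both stores and that the new alias is present in keystore.jks and cacerts.jks with the same certificate fingerprint, which is what the 2-way SSL login @Mike describes needs. The install path /opt/glassfish4, the password changeit and the alias myOwnAlias are assumptions taken from the answer and can be overridden through environment variables; the keytool listing embedded at the bottom is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original answer): check keystore.jks and
# cacerts.jks before running enable-secure-admin with a custom alias.
set -eu

GLASSFISH_HOME="${GLASSFISH_HOME:-/opt/glassfish4}"      # assumed install dir
CONFIG_DIR="$GLASSFISH_HOME/glassfish/domains/domain1/config"
STOREPASS="${STOREPASS:-changeit}"                         # GlassFish default
NEW_ALIAS="${NEW_ALIAS:-myOwnAlias}"                       # alias from step 1

# Print the alias names found in `keytool -list` output read from stdin.
# Entry lines look like:  s1as, Oct 18, 2016, PrivateKeyEntry,
aliases_from_listing() {
    awk -F', ' '/, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),/ { print $1 }'
}

# Print the first certificate fingerprint in `keytool -list` output on stdin
# (the "(SHA1)" line of Java 8 or the "(SHA-256)" line of Java 9+).
fingerprint_from_listing() {
    awk '/^Certificate fingerprint/ { print $NF; exit }'
}

# Succeed if the listing on stdin contains alias $1 exactly.
listing_has_alias() {
    aliases_from_listing | grep -Fxq "$1"
}

# Live check of one store: $1 = keystore file, $2 = alias that must exist.
# Fails if a default alias survived step 2 or the new alias is missing;
# otherwise prints the fingerprint of $2 so both stores can be compared.
check_store() {
    cs_store="$1"; cs_want="$2"; cs_bad=0
    cs_listing=$(keytool -list -keystore "$cs_store" -storepass "$STOREPASS")
    for cs_stale in s1as glassfish-instance; do
        if printf '%s\n' "$cs_listing" | listing_has_alias "$cs_stale"; then
            echo "ERROR: default alias '$cs_stale' still in $cs_store; delete it first" >&2
            cs_bad=1
        fi
    done
    if ! printf '%s\n' "$cs_listing" | listing_has_alias "$cs_want"; then
        echo "ERROR: alias '$cs_want' not found in $cs_store; import it first" >&2
        cs_bad=1
    fi
    [ "$cs_bad" -eq 0 ] || return 1
    keytool -list -keystore "$cs_store" -storepass "$STOREPASS" -alias "$cs_want" \
        | fingerprint_from_listing
}

# Constructed sample of `keytool -list` output (not real output), used to
# exercise the parsers without keytool: the stale s1as entry is still present.
sample_listing() {
    printf '%s\n' \
        'Keystore type: JKS' \
        'Keystore provider: SUN' \
        '' \
        'Your keystore contains 2 entries' \
        '' \
        's1as, Oct 18, 2016, PrivateKeyEntry,' \
        'Certificate fingerprint (SHA1): 1A:2B:3C' \
        'myOwnAlias, Oct 18, 2016, PrivateKeyEntry,' \
        'Certificate fingerprint (SHA1): 4D:5E:6F'
}

# Live checks run only with --check, so the functions can be sourced or
# tested on a machine without keytool or GlassFish.
if [ "${1:-}" = "--check" ]; then
    cd "$CONFIG_DIR"
    fp_key=$(check_store keystore.jks "$NEW_ALIAS")
    fp_trust=$(check_store cacerts.jks "$NEW_ALIAS")
    if [ "$fp_key" != "$fp_trust" ]; then
        echo "ERROR: '$NEW_ALIAS' differs between keystore.jks and cacerts.jks" >&2
        exit 1
    fi
    echo "OK: '$NEW_ALIAS' ($fp_key) is in both stores and the default aliases are gone."
    echo "Now run: $GLASSFISH_HOME/bin/asadmin enable-secure-admin --adminalias=$NEW_ALIAS --instancealias=$NEW_ALIAS"
else
    echo "Aliases in the constructed sample listing:"
    sample_listing | aliases_from_listing
fi
```

Run it with `--check` from a shell where keytool is on the PATH, after step 2 and before step 3; without the flag it only defines the functions and parses the constructed sample. One caveat on step 1: cacerts.jks is a truststore, so it only needs the certificate (`keytool -exportcert` from keystore.jks followed by `keytool -importcert` into cacerts.jks). Importing the whole .p12 as the answer does also works, because Java's trust manager treats the certificate of a key entry as trusted, but it leaves a second copy of the private key in a file that only needs public material.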