Glassfish 4.1.1 - DAS with my own certificate throws error "j_security_check"

I have a working instance of GlassFish 4.1.1, and I added my own certificate to my applications; up to that point everything is OK.

But when I tried to access the GlassFish Administrator (DAS), the connection was untrusted, and the button for adding an exception disappeared.

Then I found some interesting links about this, for example:

I tried this:

    asadmin enable-secure-admin --adminalias=myNewAlias --instancealias myNewAlias
    asadmin restart-domain domain1

With that, the untrusted connection message disappears and the certificate displays correctly, but when I try to authenticate, I get an error:

According to the comments on the answer from the link, this is very similar to what this guy had, but I could not solve it:

  • Removing the s1as certificate from ~/.gfclient/truststore
  • Restart the domain with my new alias certificate

How can I change the s1as certificate correctly? To make my DAS work ...

I am using Ubuntu 14 with java-1.8.0-openjdk-amd64.

Server log showing these lines:

[2016-10-18T10:38:12.565+0200] [glassfish 4.1] [SEVERE] [] [org.glassfish.admingui] [tid: _ThreadID=51 _ThreadName=admin-listener(2)] [timeMillis: 1476779892565] [levelValue: 1000] [[javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; restRequest: endpoint=https://localhost:4848/management/domain/anonymous-user-enabled attrs={} method=GET]]

1 answer

I finally figured out why this is happening, using @Mike's explanation:

This is because there is a keystore and a truststore for GlassFish, and the admin console effectively uses two-way SSL authentication for initial login. If you change the s1as certificate, you will also need to change the glassfish-instance certificate.

In my case, I tried to use my own certificate, but I did not delete the oldest certificates properly in the cacerts.jks and keystore.jks files.

I ran the code below without first removing the s1as and glassfish-instance certificates from the files; this was my wrong step ...

 asadmin enable-secure-admin --adminalias=myNewAlias --instancealias myNewAlias 

To run the Domain Administration Server (DAS) on GlassFish 4.1.1 with your own certificate, you must follow these steps:

1) Insert your own certificate into the files cacerts.jks and keystore.jks:

In my case, I am using a PKCS12 certificate:

    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore myOwnCert.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias myOwnAlias
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore cacerts.jks -srckeystore myOwnCert.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias myOwnAlias

If you have another type of certificate, you should look for how to insert your type of certificate inside these two files:

  • $GLASSFISH_HOME/domains/domain1/config/cacerts.jks - truststore - holding all public keys
  • $GLASSFISH_HOME/domains/domain1/config/keystore.jks - keystore - saving all private keys

Literature:

Session 6. Security configuration before first launch: https://www.nabisoft.com/tutorials/glassfish/installing-glassfish-41-on-ubuntu

http://peter-butkovic.blogspot.com.es/2013/02/glassfish-default-keystore-and.html

https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html?jn9ed3e997=3

https://glassfish.java.net/docs/4.0/security-guide.pdf

2) Remove the oldest self-signed certificates:

By default, when you run the enable-secure-admin command, the certificates it uses are s1as and glassfish-instance. As explained by @Mike in another Stack Overflow question, these certificates remain even if you force it to run with another certificate. Remove both of them with these commands:

    # Restart your domain without secure-admin
    $GLASSFISH_HOME/bin/asadmin disable-secure-admin
    # Go to your domain config folder to remove the certificates:
    cd $GLASSFISH_HOME/domains/domain1/config/
    keytool -delete -alias s1as -keystore keystore.jks -storepass changeit
    keytool -delete -alias glassfish-instance -keystore keystore.jks -storepass changeit
    keytool -delete -alias glassfish-instance -keystore cacerts.jks -storepass changeit
    keytool -delete -alias s1as -keystore cacerts.jks -storepass changeit

Literature:

Thanks @Mike: Correct way to configure Glassfish SSL certificate name?

https://glassfish.java.net/docs/4.0/security-guide.pdf (p. ~ 80)

3) Re-enable secure-admin using your own alias set in the first step:

    $GLASSFISH_HOME/bin/asadmin enable-secure-admin --adminalias=myOwnAlias --instancealias myOwnAlias
    $GLASSFISH_HOME/bin/asadmin restart-domain

Theoretically, that's it; you can now access the DAS using your own certificate ... ;)


Source: https://habr.com/ru/post/1209672/
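
An added example, not part of the original answer: a pre-flight check for steps 1 and 2 above that parses `keytool -list` output and confirms your alias is in the store and the default `s1as` and `glassfish-instance` entries are gone before `enable-secure-admin` is re-run. The function names, the `STOREPASS` variable and the sample listing are constructed for illustration.

```shell
# Added example: constructed names and sample data, not from the answer.
# Print "alias type" per entry, lowercased (JKS aliases are case-insensitive).
list_aliases() {
    awk -F, '/PrivateKeyEntry|trustedCertEntry/ {
        type = ($0 ~ /PrivateKeyEntry/) ? "PrivateKeyEntry" : "trustedCertEntry"
        print tolower($1), type
    }'
}

# check_store ROLE ALIAS < `keytool -list` output
# Returns 0 if ready, 1 if ALIAS is missing, 2 if a default alias remains.
check_store() {
    role=$1
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    entries=$(list_aliases)
    for stale in s1as glassfish-instance; do
        if printf '%s\n' "$entries" | grep -q "^$stale "; then
            echo "$role: default alias '$stale' still present" >&2
            return 2
        fi
    done
    # The keystore must hold the private key; the truststore only the cert.
    case $role in
        keystore) pattern="^$want PrivateKeyEntry\$" ;;
        *)        pattern="^$want " ;;
    esac
    printf '%s\n' "$entries" | grep -q "$pattern" && return 0
    echo "$role: alias '$want' not found" >&2
    return 1
}

# Run both checks against a real domain config directory.
check_domain() {
    cfg=$1; own=$2; pass=${STOREPASS:-changeit}
    keytool -list -keystore "$cfg/keystore.jks" -storepass "$pass" |
        check_store keystore "$own" || return $?
    keytool -list -keystore "$cfg/cacerts.jks" -storepass "$pass" |
        check_store truststore "$own"
}

# Constructed sample: keystore.jks after step 1 but before step 2.
sample_listing() {
    printf '%s\n' 'Your keystore contains 3 entries' '' \
        'myownalias, Oct 18, 2016, PrivateKeyEntry, ' \
        'glassfish-instance, Oct 18, 2016, PrivateKeyEntry, ' \
        's1as, Oct 18, 2016, PrivateKeyEntry, '
}

if [ $# -eq 2 ]; then check_domain "$1" "$2"; fi
```

Saved to a file, it takes the domain config directory and the alias as its two arguments, for example `$GLASSFISH_HOME/domains/domain1/config` and `myOwnAlias`; an exit status of 0 means both stores are ready for step 3.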

