Installing SSL Certificate in Glassfish 4

Glassfish uses Keystores (.jks), the certificate files need to be imported into the keystore with the corresponding private key before installation.

After Installing SSL Certificate on your Domain, and downloading the SSL Files (Private Key, SSL Certificate, and Intermediate Certificate), we need to upload our SSL files to the Server, and prefer where Java is looking for the keystores:

cd $GLASSFISH_HOME/glassfish/domains/domain1/config

Sometimes domain1 could be your own Domain Name, this depends on which Name has been given during Domain installation in Glassfish.

Afterwards, we need to create bundle.cer File.

cat SSLCertificateFile.crt SSL_Intermediate_CertificateFile.crt > Bundle.crt

Glassifish is using by default s1as certificate alias. To display it, we use keytool command, it will ask for Password, that has been configured during the installation again, but in most cases the Password is: changeit:

# cd $GLASSFISH_HOME/glassfish/domains/domain1/config
# keytool -list -keystore keystore.jks -alias s1as
Enter keystore password: changeit

Now we need to Backup and Delete current s1as Certificate, it’s very important to make Backup before you proceed with the following:

# cp keystore.jks keystore.jks.bak
# cp cacerts.jks cacerts.jks.bak
# keytool -delete -alias s1as -keystore keystore.jks
Enter keystore password: changeit
# keytool -delete -alias s1as -keystore cacerts.jks
Enter keystore password: changeit

To verify:

# keytool -list -v -keystore keystore.jks | grep s1as
# keytool -list -v -keystore cacerts.jks | grep s1as

Now for Creating our Keystore with our SSL Certificate:

# openssl pkcs12 -export -in Bundle.crt -inkey SSLCertificateKeyFile.key -name s1as -passout pass:changeit > keystore.p12
# keytool -list -v -keystore keystore.p12 -storetype pkcs12
# keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass changeit -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -alias s1as -destalias s1as

Now we have successfully Imported all the SSL Certificate files, after that we need to restart Glassfish to take effect:

# $GLASSFISH_HOME/glassfish4/bin/asadmin restart-domain
# $GLASSFISH_HOME/glassfish4/bin/asadmin enable-secure-admin

enable-secure-admin; to apply the SSL Certificate on GlassFish Admin Panel, this step will ask you for the Admin username, and Password for your GlassFish Admin Panel.

Furthermore, you need to allow HTTPS traffic on Port 443. To enable the certificate via the GlassFish Administration Console, enter this menu: Configurations >> server-config >> HTTP Service >> HTTP Listeners >> http-listener-2 and change Port from 8181 to 443. Then Restart Domain:

# $GLASSFISH_HOME/glassfish4/bin/asadmin restart-domain

Enable HTTPS Redirection:

To redirect all HTTP traffic to HTTPS, open default-web.xml (or your web.xml file if you have one) located in the domain config directory glassfish4/glassfish/domains/domain1/config and add the following within <web-app> … </web-app>:

<security-constraint>
   <web-resource-collection>
     <web-resource-name>Viewpoint Secure URLs</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

And Restart Domain:

# $GLASSFISH_HOME/glassfish4/bin/asadmin restart-domain

In very rare cases, you may see the Redirection is not working, then you need to apply to following commands:

# $GLASSFISH_HOME/glassfish4/bin/asadmin create-protocol --securityenabled=false http-redirect

# $GLASSFISH_HOME/glassfish4/bin/asadmin create-http-redirect --redirect-port 443 --secure-redirect true http-redirect

# $GLASSFISH_HOME/glassfish4/bin/asadmin create-protocol --securityenabled=false portunif-protocol

# $GLASSFISH_HOME/glassfish4/bin/asadmin create-protocol-filter --protocol http-redirect --classname org.glassfish.grizzly.config.portunif.HttpRedirectFilter redirect-filter

# $GLASSFISH_HOME/glassfish4/bin/asadmin create-protocol-finder --protocol portunif-protocol --targetprotocol http-listener-2 --classname org.glassfish.grizzly.config.portunif.HttpProtocolFinder http-finder

# $GLASSFISH_HOME/glassfish4/bin/asadmin create-protocol-finder --protocol portunif-protocol --targetprotocol http-redirect --classname org.glassfish.grizzly.config.portunif.HttpProtocolFinder http-redirect

# $GLASSFISH_HOME/glassfish4/bin/asadmin set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.protocol=portunif-protocol

Then Restart Domain.

Mohammed has written 63 articles

One thought on “Installing SSL Certificate in Glassfish 4

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>