I want my Roller install
to use LDAP authentication (instead of its own account database).
LDAP auth means cleartext passwords, so I need to run the site over SSL.
where glassfish keeps SSL certs and keys
Each Glassfish domain has its own keystore, which is protected by what the docs call the
‘admin master password’ (not the same as the ‘admin password’).
The master password is just a Java keystore password,
so if you didn’t say otherwise at domain creation time
it defaults to ‘changeit’.
You can check by trying to list the entries in your keystore:
goldfish $ keytool -list -keystore \
/domains/rollerdisco/config/keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
s1as, Apr 22, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 80:08:13:50:00:00:80:08:13:50:00:00
There’s just one entry – s1as – which is the SSL keypair for the domain’s admin webapp (on port 4848).
As of version 2, the Glassfish admin UI lets you choose keypairs from this keystore, but it can’t import into the keystore itself.
So you’ll have to break out the command line.
As you’ll see, I really hope they add that feature soon.
lots of swearing
If you’re creating a new keypair, things are relatively sane – see
Ryan’s howto.
I’m unlucky enough to have an existing apache-style ‘server.key/server.crt’ PEM keypair I want to use.
This turns out to be a massive pain in the arse. You’d think ‘keytool -import’ would do the trick,
but that only lets you add the certificate – keytool assumes it created the initial private key, so it doesn’t
provide a way to import one.
Googling found some very old tools for doing this, most of which only work with older, PKCS12-based keystores.
Let me save you an afternoon. The Jetty project have a tool called
PKCSImport
which is by far the least shitty way of doing this.
First, merge the two files using everyone’s favourite crypto swiss army knife:
goldfish $ openssl pkcs12 -export -out roller.p12 \
-inkey roller.key -in roller.crt
It asks you for an export password. ‘foo’ works fine.
Then get the Jetty jarfile and run the tool against your PKCS keypair:
goldfish # /usr/sfw/bin/wget http://kent.dl.sourceforge.net/sourceforge/jetty/jetty-6.1.4rc0.zip
goldfish # unzip jetty-6.1.4rc0.zip
goldfish # /j2ee/jdk/bin/java \
-cp jetty-6.1.4rc0/lib/jetty-6.1.4rc0.jar \
org.mortbay.jetty.security.PKCS12Import \
roller.p12 /domains/rollerdisco/config/keystore.jks
Enter input keystore passphrase: foo
Enter output keystore passphrase:
Alias 0: 1
Adding key for alias 1
This imports your certificate and keypair and creates a new keystore entry.
Unfortunately the entry is called ‘1’, which is hardly self-documenting, so
I’ll rename it to the domain name it’ll run on:
goldfish # /j2ee/jdk/bin/keytool -changealias \
-keystore /domains/rollerdisco/config/keystore.jks \
-alias 1 -destalias roller.yourdomain.com
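The same PEM to PKCS12 to keystore import, as an added example that is not from the original post: it uses keytool’s own -importkeystore (present since JDK 6) instead of the Jetty tool, sets the alias in one pass via openssl’s -name, and checks the result is a PrivateKeyEntry. The hostname, paths, the random export password and the self-signed stand-in for server.key/server.crt are all constructed.

```shell
#!/bin/sh
# Added example (not the post's own commands): PEM keypair -> PKCS12 -> JKS.
# Everything here is constructed: hostname, temp paths, self-signed test key.
set -eu

WORK=${WORK:-$(mktemp -d)}
ALIAS=roller.example.com      # hypothetical hostname, used as the keystore alias
STOREPASS=changeit            # Glassfish's default master password (change it!)

# Self-signed keypair standing in for an existing apache-style server.key/server.crt
make_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$ALIAS" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
  chmod 600 "$WORK/server.key"
}

# PEM -> PKCS12. -name sets the friendly name that keytool will use as the alias,
# so no -changealias step is needed afterwards. A random export password instead
# of 'foo', because the .p12 holds the private key. (OpenSSL 3 encrypts the bundle
# with AES by default; a JDK too old to read that needs 'openssl pkcs12 -legacy'.)
pem_to_p12() {
  openssl pkcs12 -export -name "$ALIAS" -inkey "$WORK/server.key" \
    -in "$WORK/server.crt" -out "$WORK/server.p12" -passout "pass:$P12PASS"
  chmod 600 "$WORK/server.p12"
}

# PKCS12 -> JKS with keytool alone; the destination keystore is created if absent.
p12_to_jks() {
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/server.p12" -srcstoretype PKCS12 -srcstorepass "$P12PASS" \
    -destkeystore "$WORK/keystore.jks" -deststoretype JKS -deststorepass "$STOREPASS" \
    -srcalias "$ALIAS" -destalias "$ALIAS" 2>/dev/null
  rm -f "$WORK/server.p12"    # intermediate file still contains the private key
}

# The check that matters: the alias must be a PrivateKeyEntry (key + cert),
# not a trustedCertEntry, or the https listener will have nothing to sign with.
verify_entry() {
  keytool -list -keystore "$WORK/keystore.jks" -storepass "$STOREPASS" \
    -alias "$ALIAS" 2>/dev/null | grep -q PrivateKeyEntry
}

# Returns 0 on success, 1 on a failed import, 2 if the tools are not installed.
import_pem_keypair() {
  command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1 || return 2
  P12PASS=$(openssl rand -hex 16)
  make_pem && pem_to_p12 && p12_to_jks && verify_entry
}
```

Run `import_pem_keypair` and then point the listener at $WORK/keystore.jks, or set WORK to the domain’s config directory to import straight into the real keystore.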
use the certificate
Glassfish already serves webapps over https, it’s just on a non-standard port, 8181
(the --domainproperties option to asadmin create-domain can specify this. Yay hindsight).
Go to the admin webapp, and browse to:
Configurations → server-config → HTTP Service → HTTP listeners
Under there you’ll see three listeners:
- admin-listener runs the Admin Console you’re using (on https port 4848), so you probably want to leave that the hell alone
- http-listener-1 (aka the ‘instance port’) defaults to 8080. I set mine up on port 80 during my SMF setup.
- http-listener-2 is the https port, still on its default of 8181
First change the http-listener-2 port from 8181 to 443, then click over to the SSL tab.
Enter the keystore alias name for the keypair you just imported in ‘Certificate Nickname:’ and tick the TLS and SSLv3 boxes.
Also select at least the ‘common ciphers’.
We’re now running the same webapp (roller) over both http and https.
Finally, go back to http-listener-1 and set the SSL redirect port to 443 – this tells the webapp to redirect to SSL for
sensitive operations.
Alternatively, turn off the http listener (untick ‘Listener: enabled’) to ensure all traffic comes over https.
saved my weekend! thanks