
I am trying to configure glassfish-4 for SSL but it seems I can't get it to work. By default glassfish uses port 8181 for SSL, which of course works very well from my localhost, prompting the browser to add the certificate to its truststore, but from remote this fails with the exception "SSL received a record that exceeded the maximum permissible length" on Mozilla Firefox. I also tried generating my own key pair using Java's keytool in the config folder of domain1; I then changed the certificate nickname on glassfish to the alias of the new keystore, but this fails to work and instead returns the default certificate from alias s1as even after restarting the server. Below is the command I used to generate the keystore file.

keytool -genkey -alias MY_ALIAS_NAME -validity 1000 -keyalg RSA -keysize 1024 -keystore /opt/......./domain1/config/keystore.jks

The "first and last name" entered when generating it was the IP address of the remote machine. Please help, thanks.

odich daniel
  • What version is this? Have you tried it in the latest GlassFish (4.1.1) or Payara 4.1.1.154? (The latest Payara has fixes which are not in the latest GlassFish). Also, is this the latest Firefox? – Mike Dec 07 '15 at 17:44
  • I am using glassfish version 4.0 and Firefox 42.0. It appears glassfish ignores my certificate nickname and instead continues to use the default s1as – odich daniel Dec 08 '15 at 08:49
  • I can't switch server because the company insists I use glassfish – odich daniel Dec 08 '15 at 08:53
  • Look through this answer, it sounds like there may be a configuration issue: http://stackoverflow.com/questions/29278152/right-way-to-configure-glassfish-ssl-certificate-nickname/29280729#29280729 – Mike Dec 08 '15 at 09:28
  • Ok thanks let me look through that – odich daniel Dec 08 '15 at 09:29
  • Mike, I have done the following, please go through and see where I have made a mistake; I have switched to GlassFish Payara. 1- I generated a key pair using Java's keytool utility, the keystore password being the default password 'changeit' so the server can find it, because I didn't set the master password. 2- I then went to the admin console and changed the certificate nickname to the new alias name. 3- I restarted Payara. 4- Tested https on port 8181, but I still get the default certificate from keystore.jks instead of MY_NEW_KEYSTORE.jks. Please help. NB: the first and last name being the IP address of the PC – odich daniel Dec 10 '15 at 13:19
  • The generated key/pair is in the folder /domains/domain1/config – odich daniel Dec 10 '15 at 13:25
  • If you look in `server-config` -> `JVM Settings` in the admin console, then click the `JVM Options` tab, you will see two properties - one for `keystore.jks` and one for `cacerts.jks`. You will need to change these to point to your new keystore/truststore. – Mike Dec 10 '15 at 14:05
  • I have changed those to point to my keystore but in doing that the admin console fails to start after restarting the server – odich daniel Dec 17 '15 at 13:21
  • What does the server.log say when it fails to start? – Mike Dec 17 '15 at 13:23
  • At j_security_check, it just doesn't load – odich daniel Dec 21 '15 at 12:23
  • It seems the admin console still wants to load with the default configuration, even though it has already been changed in the domain.xml – odich daniel Dec 21 '15 at 12:24
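As an added example (not code from the question or its comments), a POSIX shell script that follows the approach the comments point at: put the new key pair into the keystore.jks that the javax.net.ssl.keyStore JVM option already references, so the admin listener's s1as alias keeps working, then switch only the HTTPS listener's cert-nickname and check which certificate the server actually serves. The domain path, alias, host IP and the asadmin dotted property name are assumptions; keytool, asadmin and openssl must be on PATH.

```shell
#!/bin/sh
# Added example, not from the question: install a new key pair into the keystore GlassFish
# already reads, then repoint only the HTTPS listener at it. Paths, alias and IP are assumed.
set -eu

DOMAIN_DIR="${DOMAIN_DIR:-/opt/glassfish4/glassfish/domains/domain1}"  # assumed domain path
KEYSTORE="$DOMAIN_DIR/config/keystore.jks"   # what -Djavax.net.ssl.keyStore points at by default
STOREPASS="${STOREPASS:-changeit}"           # default master password; key password must match it
ALIAS="${ALIAS:-myhost}"                     # the value to put in the listener's cert-nickname
HOST="${HOST:-192.0.2.10}"                   # constructed example IP (TEST-NET-2); use the real one

gen_key() {
  # 2048-bit RSA instead of 1024, CN and SAN set to the address browsers will connect to,
  # key password equal to the store password so GlassFish can unlock the private key.
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST" -ext "SAN=ip:$HOST" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

has_alias() {
  # Exit 0 only if keystore $1 contains alias $2. Used to confirm both the new alias and
  # the default s1as are present, because admin-listener still needs s1as.
  keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

set_https_nickname() {
  # Switch the port 8181 listener (http-listener-2) to the new alias; admin-listener untouched.
  asadmin set "server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=$ALIAS"
}

served_subject() {
  # Subject of the certificate the running server presents on 8181, verified from the
  # client side rather than trusting whatever the browser has cached.
  openssl s_client -connect "$HOST:8181" -servername "$HOST" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}

main() {
  gen_key
  has_alias "$KEYSTORE" "$ALIAS"
  has_alias "$KEYSTORE" s1as     # fails loudly if s1as is missing, which breaks the admin console
  set_https_nickname
  asadmin restart-domain
  served_subject                 # expect CN=$HOST here, not the s1as subject
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh script.sh run` on the server; if the served subject still shows the s1as certificate, check that the keystore the JVM options reference is the one the key was generated into.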

0 Answers