One of the most frequently asked questions on the GlassFish mailing list concerns SSL, certificates and mutual authentication. In this entry I will try to address some of these questions by giving a step-by-step guide to using EJBCA to issue certificates and to using them both in GlassFish and in the clients that connect to GlassFish in some manner: web browsers, standalone Java applications and so on.

There are several tutorials and blog entries about configuring GlassFish to use a specific certificate in order to perform server authentication for clients over SSL, and each of them is an invaluable source of information. In this blog entry, and perhaps the next one, I will address another concern some people have about their GlassFish and client security. Sometimes we are running an application within an enterprise and we need mutual authentication for every client that connects to the server, so we need one certificate for the client and another one for our GlassFish server. Both certificates must be valid, that is, issued by a CA that is already known in the GlassFish trust store and in the client trust store. For these two entries I assume that our client and server will only accept certificates issued by our own CA, which is based on EJBCA.

Before we start the main job you will need to download EJBCA from its web site and install it according to its manual, which you can find in the documentation section. Once you have installed it and can open the EJBCA administration console, you can follow the rest of the entry.


In order to create the server certificate and put it to use we need to perform the following steps, described in four sections:

Section 1: Creating the servers certificate profile:

  • Go to https://localhost:8080/ejbca/ and select Administration.
  • Select Edit Certificate Profiles from the left side menu.
  • Enter a name for the profile and press the Add button. I chose servers as the name.
  • From the list select the servers item and press the Edit button.
  • The profile edit page opens; change the attributes as follows:
    • For Key Usage select at least Digital Signature and Key Encipherment (the first is needed for the TLS handshake signature, the second for RSA key exchange).
    • From Extended Key Usage select Server Authentication.
  • Press the Save button.
Section 2: Create the servers end entity profile:

Now you have created a certificate profile; in the next sections we will create certificates which comply with it. Next we need an End Entity Profile, so follow these steps to create it.

  • From the left side menu click on Edit End Entity Profiles.
  • Enter ServersProfile as the profile name and press the Add button.
  • From the list select ServersProfile and press the Edit End Entity Profile button.
  • Enter a user name and a password for the profile; I chose sAdmin/sAdminAdmin.
  • Enter the common name.
  • From the list of Available Certificate Profiles select servers, which we made in the last step.
  • Select JKS as the default token.
  • Click Save.

Now we reach the step in which we create the real certificate that GlassFish will use in its SSL-enabled listener. To create the certificate perform the following steps:

Section 3: Create the server certificate
  • From the left side menu select the Add End Entity link.
  • Select ServersProfile as the End Entity Profile.
  • Enter the rest of the information as you like, but make sure that the CN is the exact, fully qualified name of your server as clients will access it: if you are going to access the server as computer1.mydomain.com then the CN must be computer1.mydomain.com, and if you are going to access it as Computer1 then the CN must be Computer1. Browsers and Java clients compare the host name in the URL with the certificate's CN, and a mismatch produces a warning or a failed handshake.
  • Remember the password you enter here: EJBCA protects the generated JKS with it, and you will need it in Section 4.
  • Select JKS as the Token.
  • Press the Add End Entity button.
Section 4: Use the certificate in the application server.

You are done; the certificate is ready to be downloaded and used.

  • Go to https://localhost:8080/ejbca/ and select Certificate Enrollment.
  • Select Manually for a Server.
  • Enter the user name and password which you entered for the end entity in the previous step.
  • Click OK.

By pressing OK a JKS file is downloaded to your computer.

  • Make two copies of the file and rename them keystore.jks and cacerts.jks. (The downloaded JKS holds your server's private key; the copy named cacerts.jks will serve as GlassFish's trust store, so see the note at the end of this entry about removing the private key from it.)
  • Go to Glassfish/domains/domain1 (if domain1 is the domain that you want to configure for SSL).
  • Make sure that the application server is stopped by issuing the following command:
      Glassfish_home/bin/asadmin stop-domain domain1
  • Now we need to change the master password in order to let GlassFish open our new cacerts.jks and keystore.jks: GlassFish opens both stores with the master password, and EJBCA protected the JKS with the end entity password you chose in Section 3. Run the following command and, when prompted for the new master password, enter that password:
      Glassfish_home/bin/asadmin change-master-password --savemasterpassword=true domain1
    Saving the master password writes it to a file under the domain so that the server can start unattended; if you prefer to be prompted for it at every start, omit the --savemasterpassword option.
  • Now go to glassfish_home/domains/domain1/config and make a backup of cacerts.jks and keystore.jks.
  • Copy the files we created in the first step of this section into this folder (overwriting the original files).
  • Open domain.xml (it is in the domain1/config folder) in a text editor and replace all occurrences of s1as with the CN you chose in Section 3. s1as is the nickname, i.e. the keystore alias, under which GlassFish looks up the server's key entry in keystore.jks, so whatever you put there must be the alias of the key entry in the JKS you downloaded; confirm it with keytool -list -keystore keystore.jks before editing.
  • Start the application server.

You are done; your application server should start normally, but there are a few more steps before mutual authentication works.

Section 5: Enabling mutual authentication for a listener.

Open the application server administration console and from the left side menu select Configuration > HTTP Service > HTTP Listeners > http-listener-2. Check the Security check box, select the SSL tab and make sure that the Client Authentication check box is checked.

You are done. Point your browser to https://computer1.mydomain.com:8181 and you will see that the page only opens in a browser into which you have imported a client certificate issued by your EJBCA CA, for example the EJBCA administrator certificate. This means that both server and client must prove their identity before they can communicate. The listener accepts exactly those client certificates that chain to a CA in cacerts.jks, which is why your EJBCA CA has to be in that file; bear in mind that because you overwrote the default cacerts.jks, the server no longer trusts the public CAs it shipped with, which matters if it makes outbound SSL connections of its own.

In the next entry of this series I will demonstrate the steps you need to follow in order to create a standalone web service client.

Make sure you delete your server's private key from cacerts.jks: a trust store should hold only the CA certificates you trust, never a private key. GlassFish will start either way, but there is no reason for the key to live in two files. The best way to explore your key stores is keytool, about which you can find more information here. You may also find some nice key store editors in the NetBeans Module Portal.
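The two stores prepared in Section 4 can be checked and built programmatically instead of by hand. The following Java program is an added example, not code from the original post, from EJBCA or from GlassFish: it opens the JKS downloaded from EJBCA with the end entity password, verifies that its single key entry carries the CN, Key Usage and Extended Key Usage chosen in Sections 1 and 3, prints the alias you must use as the nickname in domain.xml, writes keystore.jks unchanged and writes a cacerts.jks that holds only the CA certificate(s) taken from the chain, which is the clean form of the trust store the note above asks for. The class name, the output file names, the ejbca-ca- alias prefix and the command line arguments are my own choices; nothing here is an EJBCA or GlassFish API beyond the standard java.security key store classes.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example (not part of the original post). Checks the JKS that EJBCA issued for
// the "servers" end entity and produces keystore.jks plus a key-free cacerts.jks.
public class PrepareGlassFishStores {

    private static final int KU_DIGITAL_SIGNATURE = 0;   // KeyUsage bit positions (RFC 5280)
    private static final int KU_KEY_ENCIPHERMENT = 2;
    private static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";

    /** Alias of the single private-key entry; the nickname in domain.xml must equal this. */
    static String findKeyAlias(KeyStore ks) throws Exception {
        String found = null;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            if (found != null) throw new IllegalStateException("more than one key entry: " + found + ", " + alias);
            found = alias;
        }
        if (found == null) throw new IllegalStateException("no private key entry in keystore");
        return found;
    }

    /** CN from the subject DN, parsed as RFC 2253 rather than by string search. */
    static String commonName(X509Certificate cert) throws Exception {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) return rdn.getValue().toString();
        }
        throw new IllegalStateException("subject has no CN");
    }

    /** Checks the Section 1 profile settings and the Section 3 CN rule on the issued certificate. */
    static void checkServerCert(X509Certificate cert, String expectedHost) throws Exception {
        String cn = commonName(cert);
        if (!cn.equalsIgnoreCase(expectedHost))
            throw new IllegalStateException("CN '" + cn + "' does not match host name '" + expectedHost + "'");
        boolean[] ku = cert.getKeyUsage();
        if (ku == null || !ku[KU_DIGITAL_SIGNATURE] || !ku[KU_KEY_ENCIPHERMENT])
            throw new IllegalStateException("Key Usage lacks digitalSignature and/or keyEncipherment");
        List<String> eku = cert.getExtendedKeyUsage();
        if (eku == null || !eku.contains(EKU_SERVER_AUTH))
            throw new IllegalStateException("Extended Key Usage lacks serverAuth");
        cert.checkValidity();   // throws if the certificate is expired or not yet valid
    }

    /** Trust store holding only the issuing CA chain: no private key inside cacerts.jks. */
    static KeyStore buildTrustStore(KeyStore serverStore, String keyAlias) throws Exception {
        Certificate[] chain = serverStore.getCertificateChain(keyAlias);
        if (chain == null || chain.length < 2)
            throw new IllegalStateException("key entry carries no CA chain; export the CA certificate from EJBCA instead");
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null);                           // start from an empty store
        for (int i = 1; i < chain.length; i++) {          // chain[0] is the server certificate itself
            X509Certificate ca = (X509Certificate) chain[i];
            if (ca.getBasicConstraints() < 0)             // every remaining element must be a CA certificate
                throw new IllegalStateException("non-CA certificate in chain: " + ca.getSubjectX500Principal());
            trust.setCertificateEntry("ejbca-ca-" + i, ca);
        }
        return trust;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java PrepareGlassFishStores <downloaded.jks> <end-entity-password> <expected-host> <outdir>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();          // the end entity password from Section 3
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, password); }

        String alias = findKeyAlias(ks);
        checkServerCert((X509Certificate) ks.getCertificate(alias), args[2]);
        System.out.println("key entry alias (use it where domain.xml says s1as): " + alias);

        // Both stores are saved under the same password because GlassFish opens
        // keystore.jks and cacerts.jks with the master password set in Section 4.
        try (FileOutputStream out = new FileOutputStream(args[3] + "/keystore.jks")) { ks.store(out, password); }
        try (FileOutputStream out = new FileOutputStream(args[3] + "/cacerts.jks")) {
            buildTrustStore(ks, alias).store(out, password);
        }
    }
}
```

Run it as java PrepareGlassFishStores downloaded.jks <end entity password> computer1.mydomain.com <output directory> and copy the two files it writes into domain1/config. If the key entry in the token does not include the CA chain, the program stops rather than writing an empty trust store; in that case download the CA certificate from the EJBCA public web and add it to cacerts.jks with keytool -importcert.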

For more information, or to find some of your questions answered, you may take a look at: