Perneel

Reputation: 3367

Getting SSL certificate to work with Payara 4.1

I'm having a major pain getting my new SSL certificate to work with GlassFish 3.1.2.2. My current SSL certificate is due to expire soon, so I ordered a renewal at GlobalSign.

With my current SSL certificate I get the following response (this is done through SoapUI for testing purposes):

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0 JSP/2.2 (Oracle GlassFish Server 3.1.2.2 Java/Oracle Corporation/1.7)
Server: Oracle GlassFish Server 3.1.2.2
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Mon, 11 Jan 2016 13:38:32 GMT

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..(xmlresponse)..</xml>

However, with the new SSL certificate active, I get the following message:

SoapUI:

Error getting response; javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake.

Browser:

This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to  again. If this error persists, contact your site administrator.

The only thing I changed in the config of glassfish is the following:

Configurations > server-config > HTTP Service > Http Listeners > http-listener-2 > SSL tab

Both new and old keystores are inside the C:\glassfish3\glassfish\domains\mydomain\config folder.

Old SSL settings:

[screenshot: Old SSL]

New SSL settings:

[screenshot: New SSL]

I already had contact with GlobalSign support and we verified that the keystore is correctly generated.

When I run keytool -list -keystore ssl_mydomain_net.jks I get the following output, which should be correct:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jan 8, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <...>
intermediate, Jan 8, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <...>
<mydomain>.net, Jan 8, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): <...>

As far as I concluded, it has something to do with Glassfish. Does anyone have any idea because I'm out of options here...


Update January 13th, 2016

I upgraded from Glassfish 3.1.2.2 to Payara 4.1 (which is basically Glassfish 4.1). I created a fresh domain and noticed that by default the following jks files were in the mydomain/config folder:

I added my own jks (ssl_mydomain_net.jks) to this folder and adjusted the settings for the http-listener-2 as above in the new SSL image. This gave me the same result as mentioned at the start of this post.

What am I missing? Do I have to adjust something to the default jks files? Do I have to create a csr from the keystore.jks instead of my own made keystore?

Upvotes: 3

Views: 7523

Answers (2)

Perneel

Reputation: 3367

What do I need?

  • A GlobalSign SSL Certificate
  • Windows server with IIS installed
  • Payara instance

Getting your certificate from GlobalSign

Order or renew your SSL certificate at the GlobalSign website. During the process, choose the option Order with AutoCSR. The password of the new certificate will consist of a password that you have to give during the creation process, extended by an extra string created by GlobalSign. Please remember this password as you will need it in the next phases.

Once your order is complete, you should receive a PFX file. Copy this file to the Windows server where IIS is running.

Setting/Changing the master password for Payara

The password of the certificate file which will contain your private and public key has to match the master password of Payara (this can be freely chosen; it is NOT the password of your certificate request at GlobalSign). You can change the master password by running the following command:

asadmin change-master-password --savemasterpassword=true mydomain

Installing the certificate

  1. Right click the PFX file and choose Install PFX
  2. At the welcome screen, click Next
  3. At the File to import screen, click Next as the PFX file location should be in there by default.
  4. Enter the password. Remember, this is the password you gave at certificate creation, extended by the string GlobalSign created.
  5. Select the Mark this key as exportable. option.
  6. Select the Include all extended properties. option.
  7. Click Next
  8. In the Certificate Store window, choose the Place all certificates in the following store option.
  9. Click the Browse button.
  10. Choose the Personal store.
  11. Click OK
  12. Click Next
  13. Click Finish

Export the public and private key

  1. Open the Microsoft Management Console (Start > Run > mmc > OK)
  2. Click File > Add/Remove Snap-ins
  3. Choose Certificates under the Available snap-ins list
  4. Click the Add button
  5. In the next window, choose the My user account option
  6. Click Finish
  7. Click OK
  8. In the management console, expand Certificates - Current User > Personal > Certificates. If all went correctly, you should see 3 certificates: GlobalSign Domain Validation CA, GlobalSign Root CA and mydomain.net.
  9. Right click the mydomain.net entry
  10. Choose All Tasks > Export...
  11. In the welcome screen, press Next
  12. Choose Yes, export the private key option
  13. Click Next
  14. In the Export File Format window, choose Personal Information Exchange - PKCS #12 (.PFX) and select the Include all certificates in the certification path if possible and Export all extended properties options.
  15. Click Next
  16. In the Password window, enter your Payara master password (this has to match!)
  17. Click Next
  18. Select the location where you want to put the exported PFX file (e.g. mydomain.pfx) and click Next.
  19. Click Finish

Getting the alias name

Run the following command to find out the generated alias name:

keytool -list -storetype pkcs12 -keystore mydomain.pfx

You will have to enter your keystore password, which should be the same as your Payara master password (see step 16 under Export the public and private key).

When this command runs successfully, you should see your alias on the first line of the export. This looks like a long string of text (e.g. {fa2ebfd3-z11b-492d-2c73-f5z199732p2k}) followed by the date. Copy this string of text as we will need it later.

Adding the certificate to Payara

These are the two important steps that I was missing. We have to add the certificate to the cacerts.jks and keystore.jks, which are located in payara_install_folder/glassfish/domains/mydomain/config. This can be done with the following two commands:

keytool -importkeystore -deststorepass <payara masterpassword> \
-destkeypass <payara masterpassword> -destkeystore cacerts.jks \
-srckeystore mydomain.pfx -srcstoretype PKCS12 \
-srcstorepass <payara masterpassword> \
-alias mydomain_alias_name

keytool -importkeystore -deststorepass <payara masterpassword> \
-destkeypass <payara masterpassword> -destkeystore keystore.jks \
-srckeystore mydomain.pfx -srcstoretype PKCS12 \
-srcstorepass <payara masterpassword> \
-alias mydomain_alias_name

In our example, mydomain_alias_name would be {fa2ebfd3-z11b-492d-2c73-f5z199732p2k}.

Setting http-listener in Payara

  1. Open your Payara admin console (normally this would be http://localhost:4848)
  2. Go to Configurations > server-config > HTTP Service > HTTP Listeners > http-listener-2
  3. Enable Security on the General tab
  4. On the SSL tab, Enable SSL3 and TLS
  5. In the Certificate NickName enter mydomain_alias_name (in our case {fa2ebfd3-z11b-492d-2c73-f5z199732p2k})
  6. In the Key Store field, enter keystore.jks
  7. Press the Save button
  8. Restart your domain
  9. Test if it works! :)

Thanks a lot to GlobalSign support and Max Lam who created a guide How To Install Comodo SSL Certificate Chain On Payara / Glassfish 4.x. Combining all this knowledge made me come up with the solution.

There is probably a way to replace the Installing the certificate and Export the public and private key part by running keytool commands. But as I'm not a 100% familiar with certificates, I left those out. If someone can tell me the right commands, let me know and I'll update the answer.

Upvotes: 3
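The answer above asks for a keytool-only replacement for the Windows Install/Export steps. The script below is an added example, not code from the answer or from Payara: it reads the GUID-style alias out of a PKCS#12 file, imports the key entry with its chain into a JKS under a friendlier alias, and checks that the destination really holds a PrivateKeyEntry (the check Oldskultxo's answer points at). It assumes keytool from a JDK is on PATH and, as the answer requires, that the PFX password equals the Payara master password; mydomain.pfx, keystore.jks and the password are placeholders, and the self-signed PFX that demo() builds is constructed test input standing in for the GlobalSign file.

```shell
#!/bin/sh
# Added example (not from the original answer): PKCS#12 -> Payara keystore.jks
# with keytool only. Assumes keytool on PATH; file names and the password are
# placeholders. Destination key password == store password, because Payara
# unlocks both with the master password.
set -eu

# Alias of the first private-key entry in a PKCS#12 file, so the GUID-like
# alias GlobalSign generates (e.g. {fa2ebfd3-...}) need not be copied by hand.
pfx_first_alias() {
  pfx="$1"; pass="$2"
  keytool -list -storetype pkcs12 -keystore "$pfx" -storepass "$pass" 2>/dev/null \
    | awk -F', ' '/PrivateKeyEntry/ { print $1; exit }'
}

# Import one key entry (plus chain) from the PFX into a JKS under dest_alias.
# Creates the JKS if it does not exist; with Payara's keystore.jks it adds to it.
import_pfx_to_jks() {
  pfx="$1"; jks="$2"; pass="$3"; src_alias="$4"; dest_alias="$5"
  keytool -importkeystore -noprompt \
    -srckeystore "$pfx" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -srcalias "$src_alias" \
    -destkeystore "$jks" -deststoretype JKS -deststorepass "$pass" \
    -destkeypass "$pass" -destalias "$dest_alias" >/dev/null 2>&1
}

# Entry type for an alias: PrivateKeyEntry, trustedCertEntry, or empty if absent.
# A listener's Certificate NickName must name a PrivateKeyEntry, not a trusted cert.
jks_entry_type() {
  jks="$1"; pass="$2"; alias="$3"
  keytool -list -keystore "$jks" -storepass "$pass" -alias "$alias" 2>/dev/null \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry|SecretKeyEntry' | head -n 1
}

# End-to-end run on constructed input: a self-signed key pair saved as PKCS#12
# under the GUID-style alias quoted in the answer. Prints the entry type found
# in the resulting keystore.jks (expected: PrivateKeyEntry).
demo() {
  work="$(mktemp -d)"
  pass="master-password-placeholder"   # stands in for the Payara master password
  keytool -genkeypair -storetype PKCS12 -keystore "$work/mydomain.pfx" \
    -storepass "$pass" -keypass "$pass" \
    -alias '{fa2ebfd3-z11b-492d-2c73-f5z199732p2k}' \
    -keyalg RSA -keysize 2048 -validity 30 -dname 'CN=mydomain.net' >/dev/null 2>&1
  src="$(pfx_first_alias "$work/mydomain.pfx" "$pass")"
  import_pfx_to_jks "$work/mydomain.pfx" "$work/keystore.jks" "$pass" "$src" mydomain
  jks_entry_type "$work/keystore.jks" "$pass" mydomain
  rm -rf "$work"
}

main() {
  if command -v keytool >/dev/null 2>&1; then
    demo
  else
    echo "keytool not found on PATH; install a JDK to run the demo" >&2
  fi
}

main "$@"
```

With a real file, call import_pfx_to_jks with the domain's config/keystore.jks as destination and then put the chosen dest_alias (here "mydomain") in the listener's Certificate NickName field; jks_entry_type lets you confirm, before restarting the domain, that the alias resolves to a PrivateKeyEntry under the master password, which is the mismatch that produces the handshake failure described in the question.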

Oldskultxo

Reputation: 965

Add your new certificate to the truststore of the JVM that your server is using. If you take a look at your output when you list the certificates of your keystore, you can see that your new certificate is not a trustedCertEntry.

Upvotes: 0
