import ssl certificate in Glassfish - glassfish

i have the following issue:
I obtain a free certificate from comodo (90 days) for my glassfish web application and then i have imported the certs into glassfish 3.1 by following http://javadude.wordpress.com/2010/04/06/getting-started-with-glassfish-v3-and-ssl/
I have also modify the domain.xml file by replacing the alias s1as with my certificate alias and the file keystore.jks with the server.keystore....but when i try to access my web application with https protocol i got the following log error:
[#|2012-10-12T14:41:18.828+0200|WARNING|glassfish3.1.2|com.sun.grizzly.config.Gr
izzlyServiceListener|_ThreadID=25;_ThreadName=http-thread-pool-443(1);|GRIZZLY00
07: SSL support could not be configured!
java.io.IOException: SSL configuration is invalid due to No available certificat
e or key corresponds to the SSL cipher suites which are enabled.
Please help me..i know that here i can find the solution to my issue...

Unfortunately I don`t have enough reputation to post images of glassfish console admin, but let me try to help somebody just using text.
NOTE1: The configuration was done on Ubuntu 12.04 server and glassfish 3.1.2
Comodo gives you 4 files
your_domain.key (your private key)
your_domain.crt (your public key)
PositiveSSLCA2.crt (CA public key)
AddTrustExternalCARoot.crt (CA public key)
Import every public key into the file cacerts.jks. To do that merge the public key files in one file:
NOTE2: The order of the files DOES matter.
cat your_domain.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > all.crt
Now import them using keytool:
keytool -import -trustcacerts -alias tomcat -file all.crt -keystore cacerts.jks
Create a p12 file with your private key:
NOTE3: You can use the same password for every file to make things easier.
openssl pkcs12 -export -in all.crt -inkey your_domain.key -out your_domain.p12 - name your_alias -CAfile PositiveSSLCA2.crt -caname immed
NOTE4: Don`t forget you alias (your_alias), you will need to reference it in glassfish admin console later.
Now import the private key using keytool:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore your_domain.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias your_alias
Now your keystore.jks (with your private keys) and your cacerts.jks (with you public key) are ready to me used. If you want to check if everything is ok run:
keytool -list -keystore keystore.jks
keytool -list -keystore cacerts.jks
Go to the glassfish admin console and find the session:
Configurations->server-config->HTTP Service->Http Listeners->http-listener-2
Go to the SSL tab and change the Certificate NickName to your_domain.
Restart Glassfish server.

Preconditions:
installed keytool and GlassFish 4.x (with default keystore password changeit)
your source keystore used to generate CSR
e.g. ~/mySourceKeystore.jks with password myPassword and private key with alias myAlias
your valid certificate (obtained from CA)
e.g. ~/myCertificate.crt with password myPassword and alias myAlias
certificate of CA (obtained from CA)
e.g. ~/AwesomeCA.crt
Here are all steps how to import SSL certificate into GlassFish:
Navigate to GLASSFISH-HOME/domains/domain1/config
Import your source keystore (with private key) into GlassFish keystore:
$ keytool -importkeystore -srckeystore ~/mySourceKeystore.jks -destkeystore keystore.jks`
Enter destination keystore password: changeit
Enter source keystore password: myPassword
Entry for alias server successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Import certificate of CA into GlassFish keystore:
$ keytool -import -v -trustcacerts -alias AwesomeCA -file ~/AwesomeCA.crt -keystore keystore.jks
Enter keystore password: changeit
Certificate was added to keystore
[Storing keystore.jks]
Import obtained SSL certificate into GlassFish keystore:
$ keytool -import -v -trustcacerts -alias myAlias -file ~/myCertificate.crt -keystore keystore.jks
Enter keystore password: changeit
Enter key password for <myAlias>: myPassword
Certificate reply was installed in keystore
[Storing keystore.jks]
At this moment error java.security.UnrecoverableKeyException: Cannot recover key would occur during GlassFish startup because you have different keystore password and alias key password. To prevent this error you need to execute:
$ keytool -keypasswd -alias myAlias -new changeit -keystore keystore.jks
Enter keystore password: changeit
Enter key password for <myAlias>: myPassword
Change default alias (s1as) in GlassFish to your myAlias:
$ asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=myAlias
(Optional) You can change default SSL port (8181) in GlassFish to well known 443:
$ asadmin set server.network-config.network-listeners.network-listener.http-listener-2.port=443
Restart GlassFish

For Glassfish 4.x you can follow this Comodo Guide
Here is the web archive if link expires.

Related

How to run Wowza streaming engine over https

I'm trying to import my existing ssl certificates in my wowza streaming server.
I'm following this document: Import certificate
I'm able to convert my certificates in JKS format, and i have change VHost.xml file as suggested on the url. but when i restart server and check logs i found below error:
Here is my conf VHost.xml file: (i have replace password with asterisk just for screenshot)
Steps that i have follow:
sudo openssl pkcs12 -export -in /etc/ssl/private/nginx/certificate.crt -inkey /etc/ssl/private/nginx/private.key -name example.com -out example.com-PKCS-12.p12
sudo keytool -importkeystore -deststorepass ***** -destkeystore example.com.jks -srckeystore example.com-PKCS-12.p12 -srcstoretype PKCS12
sudo keytool -import -alias bundle -trustcacerts -file /etc/ssl/private/nginx/ca_bundle.crt -keystore /usr/local/WowzaStreamingEngine-4.7.6/conf/example.com.jks
After that i have open 443 port in VHost.xml and change keystore and password
Please help me to run wowza streaming engine over https server.
Thanks in advance

Enabling-ssl-https for the keycloak-server

I am using keycloak-8.0.1 in standalone configuration . I am trying to enable SSL/Https for Keycloak server running on my Test machine (A.B.C.D) , token request will be requested from machine (X.Y.Z.P).
(Will there be any CORS/CSRF issue for the generated token , looks like yes ? And will Keycloak over SSL help to solve this?) Nevertheless i require SSL enabling .
So went ahead with https://www.keycloak.org/docs/latest/server_installation/#enabling-ssl-https-for-the-keycloak-server
Step 1 Run command :
keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity 10950
...
two files server.key and keycloak.jks got created.
Question : should i used localhost here or better to use IP A.B.C.D of my Test machine? Though documentation says localhost so went ahead with that.
Step 2 Generate a certificate request :
$ keytool -certreq -alias yourdomain -keystore keycloak.jks > keycloak.careq
I can also generate the cert request using localhost/A.B.C.D.
Step 3: Send the cert req created in above step to CA and download the root cert from CA(root.crt) and import using command:
keytool -import -keystore keycloak.jks -file root.crt -alias root
Do i have to skip this step for localhost and if not how to generate root.crt for localhost.
step 4: last step is to import CA generated certificate to keystore
$ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificate.cer
Question: Now i have only two files generated in very first step "server.key" and keycloak.jks
and from where i should get root.crt and your-certificate.cer ? I tried uploading the ca request to CAcert.org but they dont create certificate for localhost DNS.
I already went through lot of links link1 , link2 , link3 link4 and getting confused
Please help.
Answer 1-
If you are testing this in your local machine you can use localhost but better would be if you are using IP-address or host name
Answer 3
Again if its for your testing you can use Self Sign Certificate only,No need to go to Ads Certificate authority.
Answer 4-
So for localhost or your machine IP simple Create Certificate with the help of keytool
keytool -genkey -alias initcert -ext san=ip:xxx.xxx.xxx.xx -keyalg RSA -keystore keycloak.jks-validity 365 -keysize 2048
Export the certificates
keytool -export -noprompt -trustcacerts -keystore keycloak.jks -alias initcert -file keycloak.cer -storepass changeit
Import Certificates into Client machine Java Keystore
keytool -import -noprompt -trustcacerts -alias "initcert" -file keycloak.cer -keystore /workspace/tools/jdk/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/lib/security/cacerts

How, having IIS pfx with L1K, creat CSR for L1M and have cert returned compatible with Tomcat?

I have IIS server with pfx containing L1K cert. I need to request a new L1M cert for it, AND will need to also be able to import the returning cert to a java keystore as the URL in question will move from IIS to Apache Tomact.
Help!
I think I found the way to do this.
*credit to this site:
https://www.jamf.com/jamf-nation/discussions/4646/converting-a-windows-pfx-or-windows-pkcs12-keystore-to-a-jks-keystore
1 - use keytool to import PFX into JKS
keytool -importkeystore -srckeystore .pfx -srcstoretype pkcs12 -destkeystore .jks -deststoretype JKS
2 - get details such as Alias from PFX file
keytool -v -list -storetype pkcs12 -keystore .pfx
3 - generate CSR file from new JKS file
keytool -certreq -alias -keystore .jks -file .csr -storepass
So far the resulting CSR files are validated successfully by my CA Authority's online tool.

Openfire SSL certificat

I have an openfire server on centOS 7 and i want to install my wildcard certificate.
After importing certificate to keystore and tested it using
keytool -list -v -keystore keystore -alias chat.example.com
Everything looks good, i get certificate provider, CN,OU, algorithms etc.
In my Web admin panel i set ServerName to chat.example.com
When i restart openfire i get:
Found RSA certificate that is not valid for the server domain
the log shows me
Check for certificate for 'chat.example.com' using algorithm RSA returned: false
Where i misconfigure my openfire server?
get the certificate alias
./keytool -list -storetype pkcs12 -keystore /root/cert.pfx
Then insert it in openfire
./keytool -importkeystore -srckeystore /root/cert.pfx -destkeystore
/opt/openfire/resources/security/keystore -srcstoretype pkcs12
-deststoretype JKS -srcstorepass 'password' -deststorepass 'password' -srcalias 'alias' -destalias chat.example.com -destkeypass 'password'

Bad certificate error with SSL

I have a webstart application where I want to do client authentication while connecting to the server. I have created pkcs12 certificate which I install using certmgr.exe and it works fine.
I want to do for every client that uses the application. How should I do this? If I distribute the certificate
I get a bad_certificate error. I know there isn't a problem with the certifcate because it would work if you install the certificate using the browser.
I had created the public key using
keytool -export -alias myKey -keystore abc.p12" -storetype PKCS12 -storepass mypassword -rfc -file abc.cer
then I imported this file into my server's keystore for mutual authentication using:
keytool -import -v -file abc.cer -keystore C:\apache-tomcat-7.0.26\tomcat.keystore" -storepass mypassword
after this, if I install abc.p12 certificate in certmgr, it works fine.
To be able to do it from Java, I needed a truststore. I created a truststore where I import the public key using
>keytool -import -keystore client-truststore.jks -file abc.cer
If I try to access the server using
-Djavax.net.ssl.keyStore=abc.p12
-Djavax.net.ssl.keyStorePassword=mypassword
-Djavax.net.ssl.trustStore=trustore.jks
-Djavax.net.ssl.trustStorePassword=mypassword
I'm not sure if I'm doing the right thing. Please let me know what you think.
What should I be doing? Please let me know your suggestions.
You should have imported it into your server's trust store, not its keystore.
You have to import the cert to your certs file, in the JDK is the cacerts file. After do that you have to view the cert is living on the file, and you will have do that on every client.
The thing about the trust store is that you create your own JKS file.