Using SSL in GlassFish v2

Most enterprise applications need to run in a secure environment. Transport Layer Security (TLS)/Secure Sockets Layer (SSL) is a point-to-point, secure transport mechanism that can be used to authenticate messages exchanged between clients and servers and to ensure the integrity and confidentiality of messages. Tls/ssl (or "SSL" in this article) can meet the security requirements of most enterprise application environments and is widely used.

Regardless of the information exchange involved in SSL protection, the server needs to be an SSL server. This article describes how to make the GlassFish V2 application Server an SSL server.

To understand these steps, you need to understand some of the basic concepts in SSL (such as keys and certificates) and understand the profile (configuration) in GlassFish v2.

Keys and certificates

Keys and certificates are two important concepts in SSL. The key is used to establish trust and privacy in the transmission between the client and the server. SSL uses public key cryptography, which is based on key pairs. The key pair contains a public key and a private key. If you encrypt the data with one of the keys, you can only decrypt it with another key in the key pair.

Certificates are used for validation. To use SSL, the server must have a certificate associated with each client IP address that it can connect to. The certificate identifies the owner of the server site and provides relevant information. The certificate is encrypted digitally signed by its owner. Sites that are very important for validation can be purchased from a trusted reputable certification authority (CA). However, if validation is not particularly important, the Web site can also use self-signed certificates.

GlassFish v2 Configuration

GlassFish v2 supports multiple configurations. Configuration parameters are preset for each configuration, and are used by the application server to optimize for a specific purpose. It supports three configurations: Developer (developer), cluster (cluster), and Enterprise (Enterprise).

Developer Configuration optimizes GlassFish v2 for development environments. This means that configuration parameters support targets similar to Quick Launch, but do not support logon or session replication. The cluster configuration sets configuration parameters that support cluster creation and session replication. A cluster is a set of GlassFish v2 instances that can be managed and monitored as a single logical entity. Enterprise configuration can be optimized GlassFish v2 is suitable for production environments. It supports login and other security-related features.

Make the GlassFish v2 application Server an SSL server

The steps to make GlassFish v2 an SSL server depend on the configuration of the application server. First let's look at the process of using the developer configuration. Then review the process when you use enterprise configuration.

Using Developer Configuration

Reminder again: The GlassFish v2 configuration preset configuration parameters for a particular usage type. One of these parameters is the security store, which can determine how to store things that are safe and trust-related, such as certificates and keys. For developer configuration, the security Store value is set to JKS. In this case, the server's certificate and key are stored in the Java keystore file (Keystore.jks), and the certificate issued by the trusted CA is stored in the certificate file (CACERTS.JKS).

When you install GlassFish v2, it creates a default self-signed certificate as the server certificate. However, if validation is important to your site, you need to replace the self-signed certificate with a digital signature certificate issued by the CA. This section describes how to replace the self-signed certificate, how to obtain a server certificate from a CA, and how to import a server certificate into KeyStore.

The following steps require the use of Keytool, which is a key and certificate management tool. Keytool is available in a variety of versions of the Java Platform, Standard Edition (Java SE) Development Kit (JDK). However, Java SE 6 added some of the necessary functionality to the Keytool. The following tutorials are based on the JDK 6 version of Keytool. For more information about Keytool, see JDK Tools and Utilities.

When the application server uses developer configuration, you can use the following steps to make GlassFish v2 an SSL server.

Use the following command to remove the default self-signed certificate (note: For formatting purposes, the following commands are displayed in more than two lines in the next step):

Keytool-delete-alias S1as-keystore Keystore.jks

-storepass

Where,<store_passwd> is a keystore password, such as Mypass. Note: s1as is the default alias for GlassFish v2 KeyStore.

Use the following command to generate the XINMI key pair for the application server:

Keytool-genkeypair-keyalg

-keystore Keystore.jks-validity-alias s1as

Where,<key_alg> is the algorithm used to generate the key pair, such as RSA. <val_days> valid days for certificates, such as 365.