Glassfish with in-house CA

  • Jeff Brower
    Message 1 of 8, Jul 16, 2013
      Greetings all,

      Last ditch effort, so please forgive the slightly off-focus question.

      I have a Glassfish install at a client site that does not want to use the
      self-signed certificate and does not want to use a commercial certificate
      either. They are their own CA and they produce their own SSL certs for
      their internal sites. I am the only non-Microsoft solution they have in a
      very large server farm. They don't speak Unix and they certainly don't
      speak Glassfish or Java.

      I generated a CSR with no problem (the way I always do for any internet
      site) and they returned back a signed certificate that I cannot get to work.
      I am used to an Internet SSL solution where I get a bundle of the signed
      certificate and all the intermediate certificates and everything just works.
      This time I am getting absolutely nowhere. They are creating the
      certificate (using my CSR) on a windows server and when I inspect the
      certificate I see that it points to an LDAP (something else I don't use).
      It appears to install correctly using keytool, but when I try to use it,
      Glassfish stops responding (and I have to restart the server). The log is
      silent.

      Is this configuration something that any of you have working, or am I
      chasing my tail on this one? Tips?

      --
      Jeff Brower
    • John D Groenveld
      Message 2 of 8, Jul 16, 2013
        In message <0e2e01ce8239$1ea54f20$5befed60$@...>, "Jeff Brower" writes:
        >It appears to install correctly using keytool, but when I try to use it,
        >Glassfish stops responding (and I have to restart the server). The log is
        >silent.

        What format does their CA spew?

        Can you interrogate it with openssl(1)?
        <URL:http://www.modssl.org/docs/2.8/ssl_faq.html#ToC32>

        Does your Glassfish work with a dummy self-signed certificate?
        <URL:http://docs.oracle.com/cd/E26576_01/doc.312/e24940/system-security.htm>

        John
        groenveld@...
      • Jeff Brower
        Message 3 of 8, Jul 16, 2013
          Hi John,

          THANK YOU SO MUCH FOR RESPONDING!

          This is running on a highly controlled government server and openssl is not
          installed - but I can list the certificate with keytool and it looks normal
          - other than referring to an LDAP server rather than a normal CA.

          The self-signed certificate works perfectly.

          I don't really know how to respond to the format question.

          --
          Jeff
        • John D Groenveld
          Message 4 of 8, Jul 16, 2013
            In message <11d801ce825a$1a65cdb0$4f316910$@...>, "Jeff Brower" writes:
            >This is running on a highly controlled government server and openssl is not
            >installed - but I can list the certificate with keytool and it looks normal
            >- other than referring to an LDAP server rather than a normal CA.
            >
            >The self-signed certificate works perfectly.
            >
            >I don't really know how to respond to the format question.

            First install the client's CA software, Solaris and Glassfish
            on an uncontrolled developer system and debug there before men
            with machine guns escort you away from the console.


            Do you know that the signed certificate references a
            queer LDAP server from reading the ASCII preface to the signed
            cert?
            If so, perhaps try deleting the lines before and after
            BEGIN CERT / END CERT and try re-importing with keytool
            in case Tom Kurian and company's keytool is borked and
            can't parse it.
            <URL:http://en.wikipedia.org/wiki/X.509#Sample_X.509_certificates>

            You might also try exporting the working dummy cert,
            deleting it from the keystore, sanity checking the
            Glassfish's preferred cert and key format, and then
            re-importing.


            Glassfish is the kind of niche product that probably has a
            Communities.Oracle.COM or Java.NET support forum that
            Chuck Rozwat and company maybe staffs with more than 50 cent
            bloggers.

            Good luck,
            John
            groenveld@...
          • Jeff Brower
            Message 5 of 8, Jul 16, 2013
              Thanks John, especially about the part about the official escort!

              Yes, that is where I got it, the cert has a chain in it that refers to the
              CA by URL and LDAP appears there. I know it is getting installed because I
              can see matching fingerprints and the dates of generation are right.

              I just came off of a conference call with admins out there and now he and I
              are scheduled to work on it together with a whole host of folks of varying
              technical backgrounds listening in and watching electronically while we both
              bang on the same command line on different coasts.

              Somebody shoot me please.

              --
              Jeff Brower
            • John D Groenveld
              Message 6 of 8, Jul 16, 2013
                In message <132801ce8267$cb6cca70$62465f50$@...>, "Jeff Brower" writes:
                >Yes, that is where I got it, the cert has a chain in it that refers to the
                >CA by URL and LDAP appears there. I know it is getting installed because I

                I don't grasp why Glassfish would fall over your signed cert's
                queer certification chain.
                The client should obviously care enough to validate that your
                Glassfish's cert is signed by a trusted third party but Glassfish
                should work merrily without care.

                However, are you authenticating with client certificates?
                If so, then Glassfish certainly does need to check the
                signature chain.

                John
                groenveld@...
              • Jeff Brower
                Message 7 of 8, Jul 16, 2013
                  That bothered me too. I expected it would simply throw an error that the
                  certificate failed and the connection is not trusted and then just move on
                  without SSL - but then I realized that I do force SSL. The opening screen
                  is a login and no non-secure traffic is allowed. I am guessing that the SSL
                  fails and since I force it to SSL, the server just gives up. That is all I
                  could come up with. Still - why is the log silent?

                  The authentication is done with login user id and password and not client
                  certificates (as far as Glassfish is concerned).

                  Working from memory here, I just create the key pair into its own keyfile
                  with the CN and alias set to the expected URL and then create the CSR from
                  it. I give them the CSR and they send me a single file in return which is
                  supposed to have everything I need. I import that and then import the key
                  pair from the first keyfile. Keytool finishes without throwing any errors
                  and the list looks OK to my eyes. Everything has the same default password.
                  I go into the administration panel and change the alias from s1as to the new
                  alias and restart the server. After that, I can't get into the application.
                  I do see a partial draw of the application login screen, but I think that it
                  is an image that is not SSL protected.

                  See anything obvious?

                  --
                  Jeff
                • Jeff Brower
                  Message 8 of 8, Jul 18, 2013
                    Just wanted to complete the thread in case anyone searches for the same
                    solution - using an internal CA on a Windows Server network on Glassfish
                    SSL.

                    Even though the answer has always been "everything you need is already in
                    the certificate" when I asked for Root and Issuer (intermediate)
                    certificates, the solution was in adding those to the keystore - and making
                    sure they are added in the correct sequence one at a time. The LDAP thing
                    was no issue whatsoever, worrying about that was grasping at straws.

                    Note that it WILL install the private and public certificate without errors
                    and it will look like it worked, but without the root and issuer
                    certificates in the chain the reply is missing and it will fail. When you
                    telnet into 443 or 80 you can tell you have the server listening, but it
                    will not connect.

                    SO. (1) Generate the keypair in keystore.jks and create the CSR with both
                    the alias and the CN set to whatever you want to use in the URL. (2) Have
                    it signed. (3) Import the root certificate with the alias set to root. (4)
                    Import the intermediate (issuer) certificate WITHOUT AN ALIAS. (5) Import
                    the signed public key with the same alias as the CN and alias above. (6)
                    Using the Glassfish Administration Panel change the SSL nickname to the
                    alias/CN that you used in step 1.

                    Bottom line, business as usual - just don't let them try to tell you that
                    you don't need the root and intermediate certificates because they don't
                    need them on any of their other machines. You need them, or it will not
                    work.

                    Thanks for talking it through with me John!

                    --
                    Jeff Brower
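Added example, not from the original thread and not GlassFish's own tooling or documentation: the keytool sequence behind steps 3 to 6 of Jeff's closing message, preceded by the cleanup John suggests in message 4 (keep only what lies between BEGIN/END CERTIFICATE before handing the file to keytool) applied to the "single file with everything in it" the CA returns. Steps 1 and 2, generating the key pair and the CSR, are assumed already done. The keystore path, store password, alias, listener name and hostname are assumptions for illustration; keytool's "Failed to establish chain from reply" error and the changeit/http-listener-2 defaults are GlassFish and JDK behaviour as shipped.

```shell
#!/bin/sh
# Added example (not from the thread): install a certificate issued by an in-house
# Windows CA into a GlassFish keystore in the order the thread arrived at: root CA,
# then issuing (intermediate) CA, then the signed server certificate under the alias
# of the key pair that produced the CSR. Paths, aliases, listener name, hostname and
# the store password below are assumptions for illustration.
set -eu

KEYSTORE="${KEYSTORE:-glassfish/domains/domain1/config/keystore.jks}"
STOREPASS="${STOREPASS:-changeit}"          # GlassFish default; change it in production
ALIAS="${ALIAS:-app.example.internal}"      # must match the CN/alias used for the CSR
LISTENER="${LISTENER:-http-listener-2}"     # GlassFish 3.x default HTTPS listener

# Split a PEM bundle into cert1.pem, cert2.pem, ... in the order the certificates
# appear. Anything outside BEGIN/END CERTIFICATE (a text preface, CA chatter) is
# dropped and Windows CR line endings are stripped, since either can make keytool
# reject the file. Prints the number of certificates found.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    lf=$(mktemp)
    tr -d '\r' < "$bundle" > "$lf"
    n=0; inside=0; out=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "-----BEGIN CERTIFICATE-----")
                n=$((n + 1)); out="$outdir/cert$n.pem"; inside=1
                printf '%s\n' "$line" > "$out" ;;
            "-----END CERTIFICATE-----")
                if [ "$inside" -eq 1 ]; then printf '%s\n' "$line" >> "$out"; fi
                inside=0 ;;
            *)
                if [ "$inside" -eq 1 ]; then printf '%s\n' "$line" >> "$out"; fi ;;
        esac
    done < "$lf"
    rm -f "$lf"
    echo "$n"
}

# Work out which split file is which without openssl: keytool -printcert shows
# Owner and Issuer. The root has Owner == Issuer, the issuing CA's Issuer is the
# root's Owner, and the server certificate's Issuer is the issuing CA's Owner.
describe_certs() {
    for f in "$1"/cert*.pem; do
        echo "== $f"
        keytool -printcert -file "$f" | grep -E '^(Owner|Issuer):'
    done
}

# Steps 3-5. The CA certificates go in as trusted entries (-noprompt skips the
# "Trust this certificate?" question). The server certificate is imported into the
# key-pair alias as a certificate reply; keytool only accepts it if it can build a
# chain to a certificate already in the keystore, which is why the order matters and
# why a missing root or intermediate fails with "Failed to establish chain from reply".
import_chain() {
    root="$1"; issuing="$2"; server="$3"
    keytool -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias root -file "$root" -noprompt
    keytool -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias issuingca -file "$issuing" -noprompt
    keytool -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$ALIAS" -file "$server"
    # A complete install shows the whole chain on the key-pair alias (length 3 here).
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
        | grep 'Certificate chain length'
}

# Step 6 from the command line instead of the admin console. Dotted name as in the
# GlassFish 3.x Security Guide; confirm it with "asadmin get" on your version.
set_nickname() {
    asadmin set "server-config.network-config.protocols.protocol.$LISTENER.ssl.cert-nickname=$ALIAS"
}

if [ "$#" -ge 2 ]; then
    n=$(split_pem_bundle "$1" "$2")
    echo "found $n certificate(s) in $1"
    describe_certs "$2"
fi
```

Run it as `sh install-chain.sh reply-bundle.pem ./split` to split and inspect what the CA returned, then call `import_chain` with the three files in root, issuing, server order, and `set_nickname` followed by a domain restart in place of the admin-console step. Two caveats. First, the root goes into keystore.jks only so that keytool can build the reply's chain; what GlassFish itself trusts when it acts as a client, or for client-certificate authentication, is governed by cacerts.jks, which this script does not touch. Second, if the CA hands back a PKCS#7 (.p7b) file rather than PEM, `keytool -importcert` reads that format directly but the split-and-inspect step needs `openssl pkcs7 -print_certs` on a machine that has openssl. From a workstation that does, `openssl s_client -connect host:port -CAfile root.pem` should end with "Verify return code: 0 (ok)"; a listener that accepts the TCP connection but cannot present a usable chain, the symptom in the thread, fails there during the handshake instead.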


