
How to Install an SSL Certificate on GlassFish?


Install SSL Certificate on GlassFish

Beginner’s Guide to Setup an SSL Certificate in GlassFish Server

Installing an SSL certificate on GlassFish allows you to enable HTTPS and establish secure connections between the server and clients. An SSL certificate helps encrypt sensitive information during transmission and authenticate your website identity. This guide will walk you through the steps to install an SSL certificate on the GlassFish application server.

Key Takeaways

  • SSL certificates allow you to enable HTTPS and secure connections to your GlassFish server. They encrypt communication and authenticate your identity.
  • To use SSL with GlassFish, you need to obtain an SSL certificate from a trusted Certificate Authority, such as Let’s Encrypt, Comodo, DigiCert, etc.
  • You can generate a self-signed certificate for testing purposes, but they will present security warnings in browsers.
  • Once you have the certificate files, you need to configure GlassFish to use the SSL certificate through the admin console or CLI.
  • The certificate needs to be added to the default keystore in GlassFish. The password provided during certificate creation is required.
  • After configuring the certificate, you need to enable secure listener ports for protocols like HTTP/S, IIOP/S, etc., and then restart the server.
  • Finally, access your app over HTTPS by specifying the secure port and verify SSL is working as expected without warnings.

Prerequisites for Installing SSL Certificate

Before we dive into the steps for installing the SSL certificate, let’s look at some prerequisites:

  • You will need an existing GlassFish server setup. GlassFish comes bundled with Java EE SDK or can be downloaded separately.
  • An SSL certificate issued by a trusted Certificate Authority (CA) like Let’s Encrypt, Comodo, DigiCert, etc. If you don’t have one, you can obtain a free SSL certificate from Let’s Encrypt.
  • The SSL certificate files – this includes the certificate itself (.crt/.cer), private key (.key), and, if applicable, the intermediate certificate (.ca-bundle/.pem). The CA will provide these files.
  • Administrative access to GlassFish through the web-based admin console or GlassFish command line interface (CLI).
  • A basic understanding of SSL/HTTPS protocol, public-key cryptography, and certificates is helpful.

How to Convert Certificate Formats (if needed)

The first step is to ensure your SSL certificate files are in the right format for importing into GlassFish.

GlassFish requires certificates in PEM-encoded format. The private key should also be in unencrypted PKCS#8 format.

If your CA provided certificates in another encoding like DER, P7B, or PFX, they need to be converted to PEM format.

Here’s how:

Convert DER to PEM

For the certificate:

openssl x509 -inform der -in certificate.cer -out certificate.pem

For the private key:

openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

Convert PFX or P7B to PEM

To convert a .pfx (PKCS#12) file to .pem format:

openssl pkcs12 -in certname.pfx -out certname.pem -nodes

Add -nocerts to output only the private key, or -nokeys to output only the certificates. The -nodes option writes the private key unencrypted, which is the form GlassFish expects.

This extracts the private key and certificates from the .pfx file into .pem format. A .p7b file is PKCS#7 and carries certificates only (no private key), so it is not handled by the pkcs12 subcommand; use openssl’s pkcs7 subcommand with -print_certs to extract its certificates as PEM instead.

If the private key and certificates end up in separate files, you may need to concatenate them before import.

How to Import the SSL Certificate into KeyStore

GlassFish uses Java keystores to store certificates that can be used for secure SSL connections.

The default keystore is domain-name-keystore.jks located in the GlassFish domains/domain1/config/ directory. This is where you need to import the SSL certificate and private key.

There are a couple of ways to import the SSL certificate – via Admin Console or command line.

Import via Admin Console

  • Open the GlassFish Admin Console in your browser and log in if required.
  • Go to Configuration > Security > Certificates.
  • Click on the “Import Certificate” button.
  • Enter the alias to identify the certificate.
  • For “Type”, choose “Key-Entry”.
  • Select the SSL certificate file (in .pem or .crt format).
  • Select the private key associated with the certificate.
  • Enter the password for the private key when prompted.
  • Click OK to import the certificate and key into the keystore.

Import via CLI

To import via the command-line interface:

  • Go to the GlassFish bin directory:
cd /glassfish/bin
  • Run the keytool command to import the cert:
./keytool -import -v -alias alias_name -file certificate.crt -keystore ../domains/domain1/config/domain_keystore.jks
  • Enter the keystore password when prompted.
  • When asked, “Trust this certificate?” – enter “yes”.

The certificate is now imported into the keystore.
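One caveat a practitioner should check at this point: keytool -import stores a trusted-certificate entry, and GlassFish can only serve an alias that holds a private key (a PrivateKeyEntry). keytool accepts a private key through a PKCS#12 bundle, so the script below bundles certificate, key and chain with openssl and merges that into the JKS, then reports what kind of entry an alias holds. This is an added example, not the guide’s or GlassFish’s own tooling; the alias, file names, keystore path and the changeit password are assumptions.

```shell
#!/bin/sh
# Added example, not the guide's commands. keytool -import (the step above)
# creates a *trusted certificate* entry; GlassFish serves only aliases that are
# a PrivateKeyEntry, and keytool takes a private key in via a PKCS#12 bundle.
# Alias, file names and the 'changeit' password are assumptions for illustration.
set -eu

# import_key_pair ALIAS CERT.pem KEY.pem CHAIN.pem|"" KEYSTORE.jks STOREPASS
import_key_pair() {
  name="$1"; cert="$2"; key="$3"; chain="$4"; ks="$5"; pass="$6"
  p12="${ks%.jks}-$name.p12"
  # -certfile adds the intermediate/root chain so clients do not report
  # "End entity certificate not trusted". SHA1/3DES PBE and MAC keep the
  # bundle readable by older keytool releases that lack AES/PBKDF2 support.
  openssl pkcs12 -export -name "$name" -in "$cert" -inkey "$key" \
    ${chain:+-certfile "$chain"} -out "$p12" -passout "pass:$pass" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
  # -importkeystore copies the key pair as a PrivateKeyEntry under the alias.
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -srcalias "$name" -destalias "$name" \
    -destkeystore "$ks" -deststoretype JKS -deststorepass "$pass" -destkeypass "$pass"
  rm -f "$p12"   # the bundle holds the private key; do not leave it behind
}

# keystore_entry_type KEYSTORE STOREPASS ALIAS
# Prints PrivateKeyEntry, trustedCertEntry or none: use it to confirm that the
# alias you select as "Default SSL Context" really carries a key pair.
keystore_entry_type() {
  out=$(keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null || true)
  case "$out" in
    *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
    *trustedCertEntry*) echo trustedCertEntry ;;
    *)                  echo none ;;
  esac
}

# make_test_pair DIR: constructed self-signed test material (not a CA-issued
# certificate) so the functions above can be exercised without a real CA.
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage against a real domain (paths assumed):
#   import_key_pair mydomain cert.pem privatekey.pem ca-bundle.pem \
#     /glassfish/domains/domain1/config/keystore.jks changeit
#   keystore_entry_type /glassfish/domains/domain1/config/keystore.jks changeit mydomain
```

If keystore_entry_type prints trustedCertEntry for the alias you configured, the handshake will fail with an SSLHandshakeException because no private key is available for it.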

How to Configure SSL Settings

Once the SSL certificate is added to the keystore, we need to configure GlassFish to use it for secure connections:

  • Open the GlassFish Admin Console and go to Configuration > General Settings.
  • Under the SSL section, enter the following:
  • SSL3 Enabled: False
  • TLSV1 Enabled: True
  • TLSV1.1 Enabled: True
  • TLSV1.2 Enabled: True
  • Default SSL Context: Change from default-ssl to your certificate alias
  • Trust Algorithm: PKIX
  • Trust Max Cert Length: 5
  • SSL Client Auth: False
  • Under the Security section, change the Master Password to the password for your imported private key.
  • Click Save to apply the SSL settings.

Alternatively, you can use the CLI set command to configure each property above.

How to Configure HTTP/HTTPS listeners

To allow GlassFish to accept HTTPS connections, you need to enable a secure port with an HTTP/HTTPS listener.

  • Go to Configuration > HTTP Service.
  • Click on the New button to add a new HTTP listener.
  • Enter the following values:
  • Name: http-listener-ssl
  • Port: 8181
  • Secure: Checked
  • Server Name: server1
  • Default Virtual Server: server
  • Click OK to add the listener.
  • Go to Configuration > Virtual Servers.
  • Click on the virtual server you want to secure, e.g., server.
  • Under HTTP Listeners, enable the newly created HTTP listener, e.g., http-listener-ssl.
  • Save the changes.

This will configure a secure HTTPS port 8181 that uses your imported SSL certificate.

Similarly, you can add secure ports for IIOP, JMX, etc.

How to Restart GlassFish

For the SSL settings to take effect, you need to restart the GlassFish server:

asadmin stop-domain domain1
asadmin start-domain domain1

The server will restart and come up ready to accept HTTPS connections.

How to Test the SSL Connection

Finally, open a browser and access your application secured over HTTPS:

https://yourdomain.com:8181

If the SSL certificate is properly configured, you should not see any security warnings. The browser will show the green padlock icon indicating a secure connection.

Click the lock, and you can inspect the certificate details to verify it is the one imported into GlassFish.

You can also use openssl to test connecting securely:

openssl s_client -connect localhost:8181

This confirms that your GlassFish server is now accepting secure HTTPS connections using the installed SSL certificate.

Troubleshooting Common SSL Issues

Here are some common problems faced when setting up SSL on GlassFish and how to troubleshoot them:

  • If your browser shows security warnings, this means the SSL certificate is not trusted. Ensure you are using a valid certificate issued by a trusted CA. If you are using self-signed certificates, you need to add them to trust stores.
  • HTTPS not enabled: Check that a secure port is configured with an HTTP/S listener and that the virtual server is set to use the listener. Restart the server after making changes.
  • Incorrect SSL certificate: Verify the correct certificate alias is set under SSL settings. The browser should show your imported cert details.
  • Application not accessible on HTTPS: Some apps are not configured for HTTPS URLs. Ensure your app works over both HTTP and HTTPS.
  • Invalid keystore password: Double-check that the keystore password set in the master password field matches the imported private key password.
  • SSLHandshakeException: This means the SSL handshake failed between client and server. It could be due to incorrect certificate import, mismatched keys, or other SSL configuration issues.
  • No HTTPS port listening: Use a port scanner like nmap to check if the HTTPS port is open. nmap -p 8181 localhost should show the port as open.
  • Server requiring client authentication: If the server is set to perform client auth, the browser may require a client certificate. Disable client auth or install a client certificate.
  • Certificate chain issues: If you see TrustStore errors, it means the intermediate CA cert or entire chain is missing. Ensure you import the full certificate chain.
  • Protocol or Cipher mismatch: The browser and GlassFish server may not support the same SSL protocols or encryption ciphers. Align the configurations on both sides.
  • Hostname mismatch: The URL hostname must match the CN or SAN names specified in the SSL certificate, or you will see errors.

How to Renew an Expired SSL Certificate

SSL certificates have an expiry date set by the Certificate Authority, usually 1-3 years from issue.

As the expiry approaches, you will need to renew your SSL certificate to maintain secure HTTPS access to your domain.

The process for renewing an expired certificate is the same as installing a new one:

  • Purchase and generate a renewed certificate from your CA.
  • Download the new certificate files.
  • Delete the previous expired certificate from the keystore.
  • Import the new certificate into the keystore by following the same steps above.
  • Restart the GlassFish server for changes to take effect.

Once the renewed certificate is installed, your server will be able to establish secure SSL connections again.

Be sure to renew certificates before they expire to avoid any downtime or security risks.

Final Thoughts

Installing an SSL certificate allows you to enable HTTPS, add encryption, and authenticate your GlassFish server. By following the steps outlined in this guide, you should be able to successfully import a trusted SSL certificate into the GlassFish keystore, configure secure listeners, and test the SSL connection.

Using valid certificates signed by trusted CAs gives your application visibility and trust cues in the browser. Renew certificates before expiration to maintain secure access at all times.

Proper SSL configuration hardens GlassFish’s security and guarantees your customers’ data is encrypted during transit across the public Internet.

Frequently Asked Questions (FAQ) Related to Installing SSL Certificate on GlassFish

Here are some common questions about setting up and managing SSL certificates on GlassFish:

Do I need to purchase an SSL certificate or can I use a self-signed certificate?

You can use a self-signed certificate for testing purposes, but it will present security warnings in the browser. To avoid those warnings, it is recommended that production sites purchase an SSL certificate from a trusted CA like Let’s Encrypt, Comodo, DigiCert, etc.

What is the difference between a domain-validated (DV) and an organization-validated (OV) certificate?

DV SSL certificates only validate domain ownership, whereas OV SSL certificates additionally validate the legal identity of the organization. OV certificates provide more identity assurance but cost more.

What certificate format does GlassFish require?

GlassFish requires certificates and keys to be in PEM encoded format. The private key should also be in unencrypted PKCS#8 format.

Can I use an intermediate certificate from my CA?

Yes, you can import the intermediate certificate along with your site certificate to establish the full certificate chain. This avoids trust errors.

How do I find the GlassFish keystore password?

The default keystore password is ‘changeit’. But you can also set a custom master password under GlassFish SSL settings.

How can I create a Java keystore (.jks) file for importing my certificates?

You can use the keytool command to generate a .jks file:

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks

Can I install multiple SSL certificates on the same GlassFish instance?

Yes, GlassFish allows you to install multiple SSL certificates by assigning a unique alias to each cert in the keystore.

What is the purpose of enabling SSL session caching in GlassFish?

SSL session caching improves performance by reusing previous SSL handshakes instead of re-negotiating on every new connection.

How can I resolve the failed hostname verification error in GlassFish?

This error occurs when the server hostname does not match the certificate CN/SAN. You can either update the certificate or disable hostname verification.

What causes the “End entity certificate not trusted” error during SSL setup?

This typically means the full certificate chain is not imported into the keystore. Importing your CA’s intermediate certificate should resolve it.

Priya Mervana


Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.