Glassfish v4 & SSL - admin no longer works

I've gone through the steps to add an SSL certificate into GlassFish v4. I've verified that it works via browsers and via my Java Swing client (I'm using Apache's HTTP client libraries on the client side).

What doesn't work is the admin console! Since the successful import of the SSL certificate, I can no longer connect to the admin console, http://www.myhost.com:4848. I still get the login screen, but the admin username/password combo that always worked has ceased to work. I've also noticed issues when trying to deploy a web app from NetBeans, but I haven't researched things enough to know if it's the same problem.

Following are the steps I took to add the SSL cert. These are lifted directly from the GlassFish v4 security guide, p1-26 through p1-29. I did add a step to change the master password; I should have done that earlier, but I'm including it here. I also omitted or changed certain folder names in the steps below for my privacy, but other than that, I've copied all of this out of the terminal application.

Does anyone know what went wrong with the admin? One thing to note: the admin and security guides for GlassFish said that I could overwrite the s1as alias. You'll notice that I used that alias when working with the cert in the steps below.

Thanks in advance for your help!

Step 1 - stop the server

/usr/home/myhost
110 % glassfish4/bin/asadmin stop-domain domain1
Waiting for the domain to stop .
Command stop-domain executed successfully.

Step 2 - update master password

/usr/home/myhost
110 % glassfish4/bin/asadmin
Use "exit" to exit and "help" for online help.
asadmin> change-master-password domain1
Enter the current master password>
Enter the new master password>
Enter the new master password again>
Command change-master-password executed successfully.
asadmin> exit
Command multimode executed successfully.

Step 3 - change to directory of keyfile

/usr/home/myhost
111 % cd glassfish4/glassfish/domains/domain1/config/

Step 4 - remove s1as from keystore

/usr/home/myhost/glassfish4/glassfish/domains/domain1/config
113 % keytool -delete -alias s1as -keystore keystore.jks
Enter keystore password:

Step 5 - generate a new key pair

/usr/home/myhost/glassfish4/glassfish/domains/domain1/config
114 % keytool -genkey -alias s1as -keyalg RSA -keystore keystore.jks -keysize 2048
Enter keystore password:
What is your first and last name?
[Unknown]:  www.myhost-dev.com
What is the name of your organizational unit?
[Unknown]:  development
What is the name of your organization?
[Unknown]:  myhost, inc
What is the name of your City or Locality?
[Unknown]:  mycity
What is the name of your State or Province?
[Unknown]:  mystate
What is the two-letter country code for this unit?
[Unknown]:  us
Is CN=www.myhost-dev.com, OU=development, O="myhost, inc", L=mycity, ST=mystate, C=us correct?
Enter key password for <s1as>
(RETURN if same as keystore password): 

Step 6 - generate a Certificate Signing Request (CSR)

/usr/home/myhost/glassfish4/glassfish/domains/domain1/config
115 % keytool -certreq -alias s1as -file toSymantec02.csr -keystore keystore.jks
Enter keystore password: 

Step 7 - submit CSR to Symantec

Step 8 - copy intermediate and SSL cert from Symantec into config directory

Step 9 - import intermediate cert

/usr/home/myhost/glassfish4/glassfish/domains/domain1/config
115 % keytool -import -trustcacerts -alias Intermediate -keystore keystore.jks -file IntermediateCA.crt
Enter keystore password:
Certificate was added to keystore

Step 10 - import SSL cert

/usr/home/myhost/glassfish4/glassfish/domains/domain1/config
116 % keytool -import -trustcacerts -alias s1as -keystore keystore.jks -file ssl_certificate.crt
Enter keystore password:
Certificate reply was installed in keystore

Step 11 - restart the server

/usr/home/myhost
118 % glassfish4/bin/asadmin start-domain domain1
Enter master password (3) attempt(s) remain)>
Waiting for domain1 to start ...............................
Successfully started the domain : domain1
domain  Location: /usr/home/myhost/glassfish4/glassfish/domains/domain1
Log File:/usr/home/myhost/glassfish4/glassfish/domains/domain1/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.
cotfessi asked Jan 21 '16 22:01


1 Answer

The problem is almost certainly that the distinguished name (DN) of the s1as certificate has changed, but the secure admin principal has not been updated.

There is an asadmin command (enable-secure-admin-principal) which allows you to update this manually, but you can also just run enable-secure-admin again (even though secure admin is already enabled). This command calls the same code as the previous one and replaces the secure admin principals with the correct ones from whatever the admin certificate alias is (s1as).

You will then need to restart GlassFish for the change to take effect, but you will then be able to log in to the admin console.

The root cause is that the admin console is essentially doing 2-way SSL along with your login, so your username and password are verified for you, the admin user, then the admin console itself is verified with the DN as a user ID and the s1as key as a password. This is because the admin console communicates with the DAS over REST and needs to identify itself as a trusted client.

Hope all that background helps, but the TL;DR is as follows:

  1. Run enable-secure-admin once more
  2. Restart the domain
Mike answered Sep 18 '22 21:09
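The check below is added here and is not code from the question or the answer. It looks for the mismatch the answer describes after the question's re-keying steps: the DN of the s1as certificate (taken from `keytool -list -v` output) is compared against the `secure-admin-principal` entries in domain.xml. Both inputs are constructed samples, and the `<secure-admin-principal dn="...">` element layout is assumed from a GlassFish 4 domain.xml.

```shell
# Added example, not from the question or the answer: does the s1as
# certificate DN match a <secure-admin-principal dn="..."> in domain.xml?
# Assumed: the "Alias name:" / "Owner:" layout of `keytool -list -v` and the
# secure-admin-principal element layout; both inputs are constructed samples.

# Constructed: keytool -list -v output after the question's steps replaced s1as.
KEYTOOL_OUT='Alias name: s1as
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=www.myhost-dev.com, OU=development, O=myhost inc, L=mycity, ST=mystate, C=us
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Alias name: glassfish-instance
Certificate[1]:
Owner: CN=localhost-instance, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US'

# Constructed: secure-admin section of a domain.xml that still lists the DN
# of the original self-signed s1as certificate.
DOMAIN_XML='<secure-admin enabled="true">
  <secure-admin-principal dn="CN=localhost,OU=GlassFish,O=Oracle Corporation,L=Santa Clara,ST=California,C=US"></secure-admin-principal>
  <secure-admin-principal dn="CN=localhost-instance,OU=GlassFish,O=Oracle Corporation,L=Santa Clara,ST=California,C=US"></secure-admin-principal>
</secure-admin>'

# Canonical form for comparison: drop whitespace after the comma separators.
norm_dn() { printf '%s' "$1" | sed 's/, */,/g'; }

# Owner DN of the first certificate stored under alias $1 in keytool output $2.
cert_dn_for_alias() {
  printf '%s\n' "$2" | awk -v a="$1" '
    $0 == ("Alias name: " a) { f = 1; next }
    /^Alias name: / { f = 0 }
    f && /^Owner: / { sub(/^Owner: /, ""); print; exit }'
}

# Every DN registered as a secure-admin principal in domain.xml text $1.
secure_admin_dns() {
  printf '%s\n' "$1" | sed -n 's/.*<secure-admin-principal dn="\([^"]*\)".*/\1/p'
}

# Returns 0 when alias $1's certificate DN is a registered principal, 1 otherwise.
principal_matches() {
  want=$(norm_dn "$(cert_dn_for_alias "$1" "$2")")
  [ -n "$want" ] || return 1
  secure_admin_dns "$3" | sed 's/, */,/g' | grep -Fxq -- "$want"
}
if principal_matches s1as "$KEYTOOL_OUT" "$DOMAIN_XML"; then
  echo "s1as DN is a registered secure-admin principal"
else
  echo "s1as DN is not registered: run enable-secure-admin, then restart the domain"
fi
```

On a real domain, feed it the output of `keytool -list -v -keystore keystore.jks` and the contents of `domain1/config/domain.xml` instead of the samples; a "not registered" result is the state the answer's enable-secure-admin plus restart repairs.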