This page describes the steps for setting up SSL on a GlassFish server. The SSL Certificate used is a GoDaddy certificate. If you are using a different CA then the steps should be similar.
These steps apply to GlassFish 2 and GlassFish 3.
Preliminary Steps:
- Back up your directory: <glassfish_install>\domains\domain1\config
- Stop the GlassFish server
The following fields will change based on your installation. For this example, we are using:
- CSR file name: mywebsite.csr
- dname: information about your server install, where cn=<fully qualified domain name>
- certificate file: mywebsite.com.crt
- keystore file: mycompanystore.jks
Note: Be sure to change these values in the following steps to match your server environment.
Steps:
Open an MS-DOS window (Run As Administrator)
cd <glassfish_install>\domains\domain1\config
Step 1: Generate key
keytool -genkey -dname "cn=mywebsite.com, ou=My Company Name, o=My Company Name, L=Philadelphia, ST=PA, C=US" -keyalg RSA -keysize 2048 -alias mykey -keypass changeit -keystore mycompanystore.jks -storepass changeit -validity 365
Step 2: Generate CSR file
keytool -certreq -alias mykey -keypass changeit -keystore mycompanystore.jks -storepass changeit -file mywebsite.csr
Email the file “mywebsite.csr” to the Certificate Authority (CA). The CA will eventually send you an email to download the certificates. You’ll use those in step 3.
Step 3: Download the GoDaddy certificate zip file
The zip file includes:
- gd_bundle.crt
- mywebsite.com.crt
Unzip the zip file. Copy these files to <glassfish_install>\domains\domain1\config
Import Go Daddy root certificate
keytool -import -trustcacerts -alias root -file gd_bundle.crt -keystore mycompanystore.jks -keypass changeit -storepass changeit
Step 4: Import your domain certificate
keytool -import -trustcacerts -alias mykey -file mywebsite.com.crt -keystore mycompanystore.jks -keypass changeit -storepass changeit
Step 5: Change the server config to point to the new mycompanystore.jks file.
Edit the file <glassfish_install>\domains\domain1\config\domain.xml and set the keyStore option as follows:
<jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/mycompanystore.jks</jvm-options>
Step 6: Change the server config to use new SSL nickname.
In domain.xml, perform a global replace of “s1as” with “mykey”. “mykey” is the alias you used in the previous steps. For example, this element still shows the old nickname:
<ssl cert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
Step 7: Restart the GlassFish server
Step 8: Visit the SSL URL in your browser
https://<yourdomainname>:8181
By default, the GlassFish SSL port is 8181. If you’d like, you can change it to port 443, which is the browser default for the secure https:// protocol.
I tried your steps in Glassfish 4.0. The non-ssl port connects but the ssl port with https gives a connection error.
Hi Jeff,
I haven’t tested this with GlassFish 4. However, please take a look at the GlassFish 4 Security Guide. https://glassfish.java.net/docs/4.0/security-guide.pdf