This page describes the steps for setting up SSL on a GlassFish server. The SSL Certificate used is a GoDaddy certificate. If you are using a different CA then the steps should be similar.

These steps apply to GlassFish 2 and GlassFish 3.

Preliminary Steps:

  • Backup your directory: <glassfish_install>\domains\domain1\config
  • Stop the GlassFish server

The following fields will change based on your installation. For this example, we are using:

  • CSR file name: mywebsite.csr
  • dname: information on about your server install, where cn=<fully qualified domain name>
  • certificate file: mywebsite.com.crt
  • keystore file: mycompanystore.jks

Note: These variables will be displayed in red bold in the following steps. Be sure to change the values based on your server environment.

Steps:

Open MS-DOS window (Run As Administrator)

cd <glassfish_install>\domains\domain1\config

Step 1:  Generate key

keytool -genkey -dname "cn=mywebsite.com, ou=My Company Name, o=My Company Name, L=Philadelphia, ST=PA, C=US" -keyalg RSA -keysize 2048 -alias mykey -keypass changeit -keystore mycompanystore.jks -storepass changeit -validity 365

Step 2:  Generate CSR file

keytool -certreq -alias mykey -keypass changeit -keystore mycompanystore.jks -storepass changeit -file mywebsite.csr

Email the file “mywebsite.csr” to the Certificate Authority (CA). The CA will eventually send you an email to download the certificates. You’ll use those in step 3.

Step 3:  Download the GoDaddy certificate zip file

The zip file includes:

  • gd_bundle.crt
  • mywebsite.com.crt

Unzip the zip file. Copy these files to <glassfish_install>\domains\domain1\config

Import Go Daddy root certificate

keytool -import -trustcacerts -alias root -file gd_bundle.crt -keystore mycompanystore.jks -keypass changeit -storepass changeit

Step 4: Import your domain certificate

keytool -import -trustcacerts -alias mykey -file mywebsite.com.crt -keystore mycompanystore.jks -keypass changeit -storepass changeit

Step 5:  Change the server config to point to the new mycompanystore.jks file.

Edit the file cd <glassfish_install>\domains\domain1\config\domain.xml

<jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/mycompanystore.jks</jvm-options>

Step 6:  Change the server config to use new SSL nickname.

Perform a global replace of “s1as” with “mykey”. “mykey” is the alias you used in the previous steps.
<ssl cert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>

Step 7: Restart the GlassFish server

Step 8: Visit the SSL URL in your browser

https://<yourdomainname>:8181

By default, GlassFish SSL port is on 8181. If you’d like, you can change it to port 443 which is the browser default for the secure https:// protocol.