Glassfish v4 & SSL - admin no longer works

独厮守ぢ 2021-01-13 20:24

I've gone through the steps to add an SSL certificate into glassfish v4. I've verified that it works via browsers and via my java swing client (i'm using apache's http

2 answers
  • 2021-01-13 20:30

    Thank you so much guys @cotfessi and @Mike, your posts really helped me to install an SSL certificate in Glassfish 4.1... so thanks a lot!

    I only want to add some extra steps that I had to do, these are:

    After step 10 - import ssl cert

    • Export the alias s1as from keystore.jks

    keytool -export -alias s1as -file server.cer -keystore keystore.jks

    • Delete the alias s1as from cacerts.jks

    keytool -delete -alias s1as -keystore cacerts.jks

    • Import the alias s1as to cacerts.jks using the server.cer

    keytool -import -v -trustcacerts -alias s1as -keystore cacerts.jks -file server.cer

    Then continue with step 11 - restart the server


    I also want to add some information that could be useful to those who buy the SSL certificate in GoDaddy...

    • Well, I bought the SSL in GoDaddy and I had to send them my (CSR) as @cotfessi describes in Step 6 and Step 7, so I received an email with some instructions for downloading the zip with the certificate. When I went to download it I found that they have a list option in the form that said Server type and it had multiple options like Apache, Tomcat, IIS... and Other, so I chose the Other option and downloaded the zip. When I extracted it I noticed that there were 2 files, one called 4a0BlaBlaBlaBla8.crt (Bla is only for example purposes) that contained only one section with ---BEGIN/END CERTIFICATE--- and the other one had a name like gd_bundle-g2-g1.crt that contained 3 ---BEGIN/END CERTIFICATE--- sections, so I used the 4a0BlaBlaBlaBla8.crt as my ssl_certificate.crt and gd_bundle-g2-g1.crt as my IntermediateCA.crt. I want to share this because it could be a little confusing for GoDaddy users (I think...)

    I also want to recommend this post that helped me to redirect my HTTP traffic to HTTPS without doing extra configuration to Glassfish (only to my web app): how to redirect http to https with glassfish v4

  • 2021-01-13 20:47

    The problem is almost certainly that the distinguished name (DN) of the s1as certificate has changed, but the secure admin principal has not been updated.

    There is an asadmin command (enable-secure-admin-principal) which allows you to manually update this, but you can also just run enable-secure-admin again (even though secure admin is already enabled). This command will call the same code as the previous one and replace the secure admin principals with the correct ones from whatever the admin certificate alias is (s1as).

    You will then need to restart GlassFish for the change to take effect, but you will then be able to log in to the admin console.

    The root cause is that the admin console is essentially doing 2-way SSL along with your login, so your username and password are verified for you, the admin user, then the admin console itself is verified with the DN as a user ID and the s1as key as a password. This is because the admin console communicates with the DAS over REST and needs to identify itself as a trusted client.


    Hope all that background helps, but the TL;DR is as follows:

    1. Run enable-secure-admin once more
    2. Restart the domain
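A check that follows from both answers, added here as an example and not code from either answer or from GlassFish itself: it verifies that keystore.jks and cacerts.jks hold the same s1as certificate (the first answer's re-export/re-import step) and that the certificate's DN is registered as a secure-admin principal in domain.xml (the second answer's root cause), so you can tell which repair applies before re-running enable-secure-admin. It assumes a GlassFish 4 domain config directory (placeholder path in CONFIG), the JDK keytool on PATH, the keystore password in STOREPASS, and the <secure-admin-principal dn="..."> element that GlassFish writes into domain.xml when secure admin is enabled.

```shell
#!/bin/sh
# Added example, not code from either answer. Checks whether the s1as entry in
# keystore.jks and cacerts.jks carry the same certificate, and whether that
# certificate's DN is registered as a secure-admin principal in domain.xml.
# Assumptions: CONFIG is a GlassFish 4 domain config dir (placeholder path), the JDK
# keytool is on PATH, STOREPASS is the keystore password (GlassFish default "changeit").
CONFIG="${CONFIG:-/path/to/glassfish4/glassfish/domains/domain1/config}"
STOREPASS="${STOREPASS:-changeit}"

# Normalize a DN so keytool's "CN=x, OU=y" and domain.xml's "CN=x,OU=y" compare equal.
norm_dn() { printf '%s\n' "$1" | sed 's/, */,/g; s/[[:space:]]*$//'; }

# SHA-256 fingerprint of the first certificate under alias $2 in JKS store $1
# (relies on the "SHA256:" line that JDK 8 keytool -list -v prints).
fingerprint() {
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$STOREPASS" 2>/dev/null \
    | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}
# Subject ("Owner:") DN of the first certificate under alias $2 in JKS store $1.
owner_dn() {
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$STOREPASS" 2>/dev/null \
    | sed -n 's/^Owner: *//p' | head -n 1
}
# Every dn="..." recorded on a <secure-admin-principal> element in domain.xml $1.
admin_principals() {
  sed -n 's/.*<secure-admin-principal[^>]*dn="\([^"]*\)".*/\1/p' "$1"
}
# Exit 0 if DN $1 is one of the secure-admin principals in domain.xml $2, else 1.
dn_is_registered() {
  admin_principals "$2" | sed 's/, */,/g' | grep -qxF -- "$(norm_dn "$1")"
}

# Run both checks against a live domain and say which repair step applies.
check_domain() {
  ks="$CONFIG/keystore.jks"; ts="$CONFIG/cacerts.jks"; dx="$CONFIG/domain.xml"
  fp_ks=$(fingerprint "$ks" s1as); fp_ts=$(fingerprint "$ts" s1as)
  if [ -n "$fp_ks" ] && [ "$fp_ks" = "$fp_ts" ]; then
    echo "OK: s1as in keystore.jks and cacerts.jks match ($fp_ks)"
  else
    echo "MISMATCH: re-export s1as from keystore.jks and re-import it into cacerts.jks"
  fi
  dn=$(owner_dn "$ks" s1as)
  if dn_is_registered "$dn" "$dx"; then
    echo "OK: secure-admin principal registered for '$dn'"
  else
    echo "MISMATCH: '$dn' not in domain.xml; run asadmin enable-secure-admin, then restart"
  fi
}
if [ -d "$CONFIG" ]; then check_domain; fi
```

Run it as `CONFIG=/your/domain1/config STOREPASS=yourpass sh check-s1as.sh`; the DN comparison strips the spaces keytool prints after commas, since domain.xml stores the DN without them.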