Right way to configure Glassfish SSL certificate nickname?
Problem description
Glassfish lets you set the SSL certificate nickname through its admin console, as highlighted in the pic below:
But almost every tutorial on the web mentions that it is necessary to replace all occurrences of the default SSL nickname (s1as) with the one that will be used (i.e. mydomain.com) in the domain.xml file.
So what is the proper way of setting the certificate nickname?
It is very likely that the admin console is just updating the domain.xml file anyway. In either case, it is good practice to avoid modifying the domain.xml file wherever possible. There is no official advice in the Security Guide for GF4 and the only mention of the certificate nickname is:
If you enable secure admin on an SSL-enabled GlassFish Server installation, secure admin uses the existing value as the DAS admin alias for secure admin.
https://glassfish.java.net/docs/4.0/security-guide.pdf
Changing the nickname isn't actually necessary, from a functional perspective. When you import your key/cert to the keystores you can just use the same name to replace the existing cert, which is perfectly valid.
Edit: To change alias names with the asadmin command, you can use enable-secure-admin with either --instancealias myNewAlias or --adminalias myOtherNewAlias (or both).
The default for adminalias is s1as and the default for instancealias is glassfish-instance.
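An added example, not part of the original question or answer and not GlassFish code: a read-only check that lists every cert-nickname reference in a domain.xml and flags any nickname with no matching keystore alias, which is the failure to look for after importing a certificate under a new name. The XML fragment (nesting abbreviated), the alias list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a GlassFish domain.xml (nesting abbreviated).
SAMPLE_DOMAIN_XML = """\
<domain>
  <protocols>
    <protocol name="http-listener-2" security-enabled="true">
      <ssl cert-nickname="mydomain.com"/>
    </protocol>
    <protocol name="sec-admin-listener" security-enabled="true">
      <ssl cert-nickname="s1as"/>
    </protocol>
  </protocols>
  <jmx-connector name="system" port="8686">
    <ssl cert-nickname="s1as"/>
  </jmx-connector>
</domain>
"""

def find_nicknames(xml_text):
    """Return (owner, nickname) for every element carrying cert-nickname."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        nick = elem.get("cert-nickname")
        if nick is None:
            continue
        parent = parents.get(elem)
        owner = elem.tag if parent is None else f"{parent.tag}[{parent.get('name', '?')}]"
        found.append((owner, nick))
    return found

def missing_aliases(xml_text, keystore_aliases):
    """Nicknames the config references that the keystore does not contain."""
    known = set(keystore_aliases)
    return [(owner, nick) for owner, nick in find_nicknames(xml_text) if nick not in known]

if __name__ == "__main__":
    # Aliases as they would appear in `keytool -list` output; constructed here.
    aliases = ["s1as", "glassfish-instance"]
    for owner, nick in find_nicknames(SAMPLE_DOMAIN_XML):
        status = "ok" if nick in aliases else "NOT IN KEYSTORE"
        print(f"{owner}: {nick} ({status})")
```

Run it against a copy of the real domain.xml with the alias names read from the domain's keystore; it never writes to the file.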