Glassfish v4 & SSL - admin no longer works


Problem description


I've gone through the steps to add an SSL certificate into glassfish v4. I've verified that it works via browsers and via my java swing client (I'm using apache's http client libraries on the client side).

What doesn't work is the admin console! Since successful import of the SSL, I can no longer connect to the admin console, http://www.myhost.com:4848, I still get the login screen, the admin username/password combo that always worked has ceased to work. I've also noticed issues when trying to deploy a web app from netbeans, but I haven't researched things enough to know if it's the same problem.

Following are the steps I took to add the ssl cert. These are directly lifted from the glassfish v4 security guide, p1-26 through p1-29. I did add a step to change the master password, but I should have done that earlier, but I'm including it here. I also omitted or changed certain folder names in the steps below for my privacy, but other than that, I've copied all this out of the terminal application.

Does anyone know what went wrong with the admin? One thing to note - following the admin and security guides for glassfish said that I could overwrite the s1as alias. You'll notice that I used that alias when working with the cert in the steps below.

Thanks in advance for your help!

Step 1 - stop the server

/usr/home/myhost
110 % glassfish4/bin/asadmin stop-domain domain1
Waiting for the domain to stop .
Command stop-domain executed successfully.

Step 2 - update master password

/usr/home/myhost
110 % glassfish4/bin/asadmin
Use "exit" to exit and "help" for online help.
asadmin> change-master-password domain1
Enter the current master password>
Enter the new master password>
Enter the new master password again>
Command change-master-password executed successfully.
asadmin> exit
Command multimode executed successfully.

Step 3 - change to directory of keyfile

/usr/home/myhost
111 % cd glassfish4/glassfish/domains/domain1/config/

Step 4 - remove s1as from keystore

/usr/home/myhost/glassfish4/glassfish/domains/domain1/config
113 % keytool -delete -alias s1as -keystore keystore.jks
Enter keystore password:

Step 5 - Generate a new key pair

/usr/home/myhost/glassfish4/glassfish/domains/domain1/config
114 % keytool -genkey -alias s1as -keyalg RSA -keystore keystore.jks -keysize 2048
Enter keystore password:
What is your first and last name?
[Unknown]:  www.myhost-dev.com
What is the name of your organizational unit?
[Unknown]:  development
What is the name of your organization?
[Unknown]:  myhost, inc
What is the name of your City or Locality?
[Unknown]:  mycity
What is the name of your State or Province?
[Unknown]:  mystate
What is the two-letter country code for this unit?
[Unknown]:  us
Is CN=www.myhost-dev.com, OU=development, O="myhost, inc", L=mycity, ST=mystate, C=us correct?
Enter key password for <s1as>
(RETURN if same as keystore password): 

Step 6 - Generate a Certificate Signing Request (CSR)

/usr/home/myhost/glassfish4/glassfish/domains/domain1/config
115 % keytool -certreq -alias s1as -file toSymantec02.csr -keystore keystore.jks
Enter keystore password: 

Step 7 - submit CSR to symantec

Step 8 - copy intermediate and ssl cert from symantec into config directory

Step 9 - import intermediate cert

/usr/home/myhost/glassfish4/glassfish/domains/domain1/config
115 % keytool -import -trustcacerts -alias Intermediate -keystore keystore.jks -file IntermediateCA.crt
Enter keystore password:
Certificate was added to keystore

Step 10 - import ssl cert

/usr/home/myhost/glassfish4/glassfish/domains/domain1/config
116 % keytool -import -trustcacerts -alias s1as -keystore keystore.jks -file ssl_certificate.crt
Enter keystore password:
Certificate reply was installed in keystore

Step 11 - restart the server

/usr/home/myhost
118 % glassfish4/bin/asadmin start-domain domain1
Enter master password (3) attempt(s) remain)>
Waiting for domain1 to start ...............................
Successfully started the domain : domain1
domain  Location: /usr/home/myhost/glassfish4/glassfish/domains/domain1
Log File:/usr/home/myhost/glassfish4/glassfish/domains/domain1/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.

Solution

The problem is almost certainly that the distinguished name (DN) of the s1as certificate has changed, but the secure admin principal has not been updated.

There is an asadmin command (enable-secure-admin-principal) which allows you to manually update this, but you can also just run enable-secure-admin again (even though secure admin is already enabled). This command will call the same code as the previous one and replace the secure admin principals with the correct ones from whatever the admin certificate alias is (s1as).

You will then need to restart GlassFish for the change to take effect, but you will then be able to log in to the admin console.

The root cause is that the admin console is essentially doing 2-way SSL along with your login, so your username and password are verified for you, the admin user, then the admin console itself is verified with the DN as a user ID and the s1as key as a password. This is because the admin console communicates with the DAS over REST and needs to identify itself as a trusted client.


Hope all that background helps, but the TL;DR is as follows:

  1. Run enable-secure-admin once more
  2. Restart the domain
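As an added example (not part of the original question or answer), the following POSIX shell script checks for the exact failure mode the answer describes: it compares the subject DN of the s1as certificate, as printed by `keytool -list -v`, with the `dn` attributes of the `<secure-admin-principal>` elements in domain.xml, and reports whether the registered principal is stale. Both inputs are constructed samples; the domain.xml layout assumes the `<secure-admin>` element as GlassFish 4 writes it, so confirm it against your own `config/domain.xml` before relying on the parser. The DN comparison is normalised (quotes, escaped commas and spacing stripped) because keytool prints the subject in a display form while domain.xml stores it in escaped RFC 2253 form.

```shell
#!/bin/sh
# Added example (not from the original question or answer): check whether the
# subject DN of the s1as certificate now in keystore.jks is registered as a
# secure-admin principal in domain.xml. Both inputs below are constructed
# samples; on a real domain feed in the output of
#   keytool -list -v -keystore keystore.jks -alias s1as
# and the contents of glassfish4/glassfish/domains/domain1/config/domain.xml.

# Constructed sample of `keytool -list -v` after step 5 and step 10 above.
KEYTOOL_SAMPLE='Alias name: s1as
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.myhost-dev.com, OU=development, O="myhost, inc", L=mycity, ST=mystate, C=us
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US'

# Constructed sample of the <secure-admin> element in domain.xml as it looks
# after the steps above: still listing the DN of the default GlassFish
# certificate, because enable-secure-admin was not re-run.
DOMAIN_XML_STALE='<secure-admin enabled="true">
  <secure-admin-principal dn="CN=localhost,OU=GlassFish,O=Oracle Corporation,L=Santa Clara,ST=California,C=US"/>
  <secure-admin-principal dn="CN=localhost-instance,OU=GlassFish,O=Oracle Corporation,L=Santa Clara,ST=California,C=US"/>
</secure-admin>'

# Constructed sample of the same element after `asadmin enable-secure-admin`
# has re-read the s1as alias (RFC 2253 form, comma inside O escaped).
DOMAIN_XML_FIXED='<secure-admin enabled="true">
  <secure-admin-principal dn="CN=www.myhost-dev.com,OU=development,O=myhost\, inc,L=mycity,ST=mystate,C=us"/>
  <secure-admin-principal dn="CN=localhost-instance,OU=GlassFish,O=Oracle Corporation,L=Santa Clara,ST=California,C=US"/>
</secure-admin>'

# Canonicalise a DN so keytool's display form (quoted values, a space after
# each comma) and the escaped RFC 2253 form compare equal. Lossy on purpose:
# this is a diagnostic comparison, not a DN parser.
normalize_dn() {
    printf '%s\n' "$1" | sed -e 's/\\,/,/g' -e 's/"//g' -e 's/, */,/g' -e 's/^ *//' -e 's/ *$//'
}

# Subject DN of the end-entity certificate: the first "Owner:" line.
cert_owner_dn() {
    printf '%s\n' "$1" | sed -n 's/^Owner: //p' | head -n 1
}

# Every dn="..." of a <secure-admin-principal> element, one per line.
secure_admin_principals() {
    printf '%s\n' "$1" | sed -n 's/.*<secure-admin-principal dn="\([^"]*\)".*/\1/p'
}

# Exit status 0 when the certificate DN is among the registered principals.
principal_matches() {
    want=$(normalize_dn "$(cert_owner_dn "$1")")
    secure_admin_principals "$2" | while IFS= read -r dn; do
        normalize_dn "$dn"
    done | grep -qxF -- "$want"
}

# Human-readable verdict plus the fix the answer prescribes.
diagnose() {
    if principal_matches "$1" "$2"; then
        echo "OK: s1as certificate DN is a registered secure-admin principal"
    else
        echo "MISMATCH: '$(cert_owner_dn "$1")' is not a secure-admin principal"
        echo "Fix: asadmin enable-secure-admin; asadmin stop-domain domain1; asadmin start-domain domain1"
    fi
}

diagnose "$KEYTOOL_SAMPLE" "$DOMAIN_XML_STALE"
diagnose "$KEYTOOL_SAMPLE" "$DOMAIN_XML_FIXED"
```

Run it once before and once after `enable-secure-admin`: the first call reports the mismatch that locks you out of the console, the second reports a match, which is the state the restart in step 2 of the TL;DR needs to pick up.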
