Glassfish 4.1.1 - DAS with my own certificate throws "j_security_check" error
Question
I have an instance of glassfish 4.1.1 running and I added my own certificate to my applications, until then everything is Ok..
But, when I tried to access the glassfish admin (DAS) the connection was untrusted and the button to add an exception disappeared.
Then I found some interesting links talking about that, like:
- Right way to configure Glassfish SSL certificate nickname? (https://stackoverflow.com/questions/29278152/right-way-to-configure-glassfish-ssl-certificate-nickname)
I tried this:
asadmin enable-secure-admin --adminalias=myNewAlias --instancealias myNewAlias
asadmin restart-domain domain1
This way the untrusted connection message disappears and the certificate properly appears, but when I try the authentication it throws an error:
According to the comments on the answer at the link, it is very similar to what that guy had, but I could not solve it by doing:
- Removing the s1as certificate from ~.gfclient/truststore
- Restart the domain with my new alias cert
How could I change the s1as certificate properly, so that my DAS works?
I'm using Ubuntu 14 with java-1.8.0-openjdk-amd64.
Step 1:
Step 2:
The server log showing these lines:
[2016-10-18T10:38:12.565+0200] [glassfish 4.1] [SEVERE] [] [org.glassfish.admingui] [tid: _ThreadID=51 _ThreadName=admin-listener(2)] [timeMillis: 1476779892565] [levelValue: 1000] [[ javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; restRequest: endpoint=https://localhost:4848/management/domain/anonymous-user-enabled attrs={} method=GET]]
Solution
I finally solved it. Why was it happening? Using @Mike's explanation:
That is because there is both a keystore and a truststore for GlassFish, and the Admin console effectively uses 2-way SSL authentication for the initial login. If you change the s1as certificate, you will also need to change the glassfish-instance certificate
In my case I was trying to use my own certificate but I did not delete the oldest certificates properly on cacerts.jks and keystore.jks files.
I was running the code below without first removing s1as and glassfish-instance from the files; that was my wrong step...
asadmin enable-secure-admin --adminalias=myNewAlias --instancealias myNewAlias
To run your Domain Administration Server (DAS) on Glassfish 4.1.1 with your own certificate you must follow these steps:
1) Insert your own certificate into cacerts.jks and keystore.jks files:
In my case I am using a PKCS12 certificate:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore myOwnCert.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias myOwnAlias
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore cacerts.jks -srckeystore myOwnCert.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias myOwnAlias
If you have another kind of certificate, you must search for how to insert your certificate type into these two files:
$GLASSFISH_HOME/domains/domain1/config/cacerts.jks - truststore - holding all the public keys
$GLASSFISH_HOME/domains/domain1/config/keystore.jks - keystore - holding all the private keys
References:
Session 6. Security configuration before first startup: https://www.nabisoft.com/tutorials/glassfish/installing-glassfish-41-on-ubuntu
http://peter-butkovic.blogspot.com.es/2013/02/glassfish-default-keystore-and.html
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html?jn9ed3e997=3
https://glassfish.java.net/docs/4.0/security-guide.pdf
2) Delete the oldest self-signed certificates:
By default, when you run the command enable-secure-admin, the certificate assigned to this instance is s1as and the public one is glassfish-instance; as explained by @Mike in another Stack Overflow question, the certificates remain even if you force it to run with another certificate. Delete both using these commands:
# Restart your domain without secure-admin
$GLASSFISH_HOME/bin/asadmin disable-secure-admin
# Go to your domain config folder to remove the certificates:
cd $GLASSFISH_HOME/domains/domain1/config/
keytool -delete -alias s1as -keystore keystore.jks -storepass changeit
keytool -delete -alias glassfish-instance -keystore keystore.jks -storepass changeit
keytool -delete -alias glassfish-instance -keystore cacerts.jks -storepass changeit
keytool -delete -alias s1as -keystore cacerts.jks -storepass changeit
References:
Thanks @Mike: Right way to configure Glassfish SSL certificate nickname? (https://stackoverflow.com/questions/29278152/right-way-to-configure-glassfish-ssl-certificate-nickname)
https://glassfish.java.net/docs/4.0/security-guide.pdf (page ~80)
3) Restart secure-admin with your own alias set in the first step
$GLASSFISH_HOME/bin/asadmin enable-secure-admin --adminalias=myOwnAlias --instancealias myOwnAlias
$GLASSFISH_HOME/bin/asadmin restart-domain
In theory it is done; you'll be able to access the DAS with your own certificate... ;)
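A pre-flight check for the three steps above, added here as an example and not part of the original answer: it parses "keytool -list" output and confirms that both keystore.jks and cacerts.jks hold your alias and no longer hold the default s1as / glassfish-instance entries, which is exactly the state step 3 needs. It assumes the values used in the answer (storepass "changeit", alias "myOwnAlias", domain "domain1" under $GLASSFISH_HOME).

```shell
#!/bin/sh
# Added example, not from the original answer: check keystore/truststore state
# before running "asadmin enable-secure-admin" (step 3).
# Assumed values, taken from the answer: storepass "changeit", alias "myOwnAlias",
# domain "domain1" under $GLASSFISH_HOME. Adjust them for your own domain.

# Print one alias per line from "keytool -list" output text ($1).
# Entry lines look like "s1as, Oct 18, 2016, PrivateKeyEntry," (keystore.jks)
# or "glassfish-instance, Oct 18, 2016, trustedCertEntry," (cacerts.jks).
aliases_in() {
    printf '%s\n' "$1" | grep -E ', (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry)' | cut -d, -f1
}

# check_store NAME LISTING WANTED_ALIAS
# Returns 0 when LISTING contains WANTED_ALIAS and neither of the default
# self-signed aliases (s1as, glassfish-instance) that step 2 deletes;
# otherwise prints what is wrong and returns 1.
check_store() {
    store=$1; found=$(aliases_in "$2"); want=$3; rc=0
    for stale in s1as glassfish-instance; do
        if printf '%s\n' "$found" | grep -qxF "$stale"; then
            echo "$store: default alias '$stale' still present; delete it (step 2) before enable-secure-admin"
            rc=1
        fi
    done
    if ! printf '%s\n' "$found" | grep -qxF "$want"; then
        echo "$store: alias '$want' missing; import it (step 1) with keytool -importkeystore"
        rc=1
    fi
    return $rc
}

# Live check of both stores in the domain config folder (needs keytool on PATH).
check_domain() {
    cfg="${GLASSFISH_HOME:?set GLASSFISH_HOME first}/domains/domain1/config"
    ks=$(keytool -list -keystore "$cfg/keystore.jks" -storepass changeit)
    ts=$(keytool -list -keystore "$cfg/cacerts.jks" -storepass changeit)
    ok=0
    check_store keystore.jks "$ks" myOwnAlias || ok=1
    check_store cacerts.jks "$ts" myOwnAlias || ok=1
    return $ok
}

# Usage: sh check_gf_stores.sh --live
if [ "${1:-}" = "--live" ]; then check_domain; fi
```

Run it with --live after step 2 and fix anything it reports before step 3; a stale s1as or glassfish-instance entry is what produces the PKIX "unable to find valid certification path" handshake error in the admin log.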