
GlassFish 3.1.1.3 looking in wrong .jks file for certificate alias

No replies
danbeddoe

We have a server certificate alias called 'server_cert' which is our replacement of the default 's1as' in keystore.jks. Our aim is to secure the GlassFish admin console with the command 'enable-secure-admin'. This is how we are using it:

/opt/SUNWappserver/glassfish/bin/asadmin --user admin --passwordfile /opt/SUNWappserver/glassfish/private/passwordfile --port 4848 enable-secure-admin --adminalias server_cert --instancealias glassfish-instance

With these JVM options:

-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks

For reference, these are the commands we run to show that the server_cert alias is in the keystore.jks file but not the cacerts.jks file.

keytool -list -keystore /opt/SUNWappserver/glassfish/domains/domain1/config/keystore.jks | grep 'server_cert'
Enter keystore password: **************
server_cert, Nov 12, 2008, PrivateKeyEntry,
keytool -list -keystore /opt/SUNWappserver/glassfish/domains/domain1/config/cacerts.jks | grep 'server_cert'
Enter keystore password: **************

This is the error we receive back from asadmin when trying to run the enable-secure-admin command:

remote failure: Error enabling secure admin : org.jvnet.hk2.config.TransactionFailure: java.lang.RuntimeException: java.lang.IllegalArgumentException: Could not find the alias server_cert in the trust store
java.lang.RuntimeException: java.lang.IllegalArgumentException: Could not find the alias server_cert in the trust store
Command enable-secure-admin failed.

What is most confusing is that we never had this issue before we upgraded to GlassFish 3.1.1.3 (build 2). This method of enabling the secure admin listener works on 3.1 (build 43). Is this a bug introduced by Oracle in the new version of GlassFish, I wonder?

And, just for reference's sake, we tried putting the alias into the truststore file (cacerts.jks), which works, but it is not what we want to do. We can ONLY have it in the keystore.jks file.

Thanks very much for any help given.
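
A pre-flight check for the situation described in the post, as an added example that is not part of the original post or of GlassFish: it reads `keytool -list` output for both stores and reports, for each alias passed to enable-secure-admin, whether it is a PrivateKeyEntry in the keystore and whether it is present in the trust store the error message refers to. The function names `entry_type` and `preflight` and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the post. Sample listings are constructed; real input
# would be captured with the post's own command:
#   keytool -list -keystore <domain>/config/keystore.jks

# entry_type LISTING ALIAS: print the alias's entry type, or "absent".
entry_type() {
    printf '%s\n' "$1" | awk -v a="$2" '
        { line = $0; sub(/,[ \t]*$/, "", line)   # drop the trailing comma
          n = split(line, f, /, */)              # alias, date parts, type
          # JKS aliases are case-insensitive, so compare lowercased
          if (n >= 3 && tolower(f[1]) == tolower(a)) { print f[n]; found = 1; exit } }
        END { if (!found) print "absent" }'
}

# preflight KEY_LISTING TRUST_LISTING ALIAS...
# Returns 0 only if every alias is a PrivateKeyEntry in the keystore and is
# also present in the trust store (where the post's error says it is sought).
preflight() {
    key_listing=$1; trust_listing=$2; shift 2
    rc=0
    for name in "$@"; do
        k=$(entry_type "$key_listing" "$name")
        t=$(entry_type "$trust_listing" "$name")
        printf '%s: keystore=%s truststore=%s\n' "$name" "$k" "$t"
        [ "$k" = "PrivateKeyEntry" ] || rc=1
        [ "$t" != "absent" ] || rc=1
    done
    return "$rc"
}

# Constructed keystore.jks listing (mirrors the line shown in the post).
KEY_LISTING='Keystore type: JKS

Your keystore contains 2 entries

server_cert, Nov 12, 2008, PrivateKeyEntry,
glassfish-instance, Nov 12, 2008, PrivateKeyEntry,'

# Constructed cacerts.jks listing: server_cert is missing, as in the post.
TRUST_LISTING='Keystore type: JKS

Your keystore contains 1 entry

glassfish-instance, Nov 12, 2008, trustedCertEntry,'

preflight "$KEY_LISTING" "$TRUST_LISTING" server_cert glassfish-instance ||
    echo "at least one alias is missing from a store"
```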