This topic describes how to install an SSL certificate on a GlassFish server, including downloading and uploading a certificate file, configuring related parameters on the GlassFish server, and verifying the installation result. The parameters are related to the certificate file, certificate chain, and certificate key. After the certificate is installed, you can access the GlassFish server over HTTPS, which ensures the security of data transmission.
In this topic, the default container domain1 of a GlassFish server that runs a Linux operating system and is deployed based on glassfish-4.1.2-web is used as an example to illustrate the installation. Installation operations vary based on the versions of servers and operating systems. If you have questions, contact your account manager.
Prerequisites
- A certificate is issued by using the Certificate Management Service console. For more information, see Purchase an SSL certificate and Submit a certificate application.
- DNS resolution is complete on the domain name that is bound to the certificate. The domain name is resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. For more information, see Verify the DNS record of your domain name.
Step 1: Download the certificate
- Log on to the Certificate Management Service console.
- In the left-side navigation pane, click SSL Certificates.
- On the Log on to the Certificate Management Service console. page, find the certificate that you want to manage and click Download in the Actions column.
Find Others in the Server Type column and click Download in the Actions column.
Decompress the downloaded certificate package.
The following table describes the files that you can extract from the package. The files vary based on the CSR generation method that you use when you submit the certificate application.Value of the CSR Generation parameter
File extracted from the certificate package
Automatic
Certificate file in the PEM format: By default, the certificate file is named in the Certificate ID_Domain name bound to the certificate format. Certificate files in the PEM format are Base64-encoded text files.
Private key file in the KEY format: By default, the private key file is named in the Domain name bound to the certificate format.
Manual
If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set CSR Generation to Automatic.
If the specified CSR is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.
Step 2: Install the certificate on the GlassFish server
Create a directory in the installation directory of GlassFish to store the certificate.
Go to the installation directory of GlassFish.
In this example, glassfish4 is installed in the home directory.
cd /home/glassfish4
Create a directory named cert.
mkdir cert
Upload the certificate file and private key file to the cert directory.
NoteYou can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service instance, see Use mstsc.exe to upload a file to a Windows instance or Upload a file to a Linux instance.
In the cert directory, run the openssl command to convert the downloaded PEM certificate file to the PKCS12 format, and change the password of the file to changeit, the name of the file to mycert.p12, and the alias of the file to a1as.
NoteReplace domain_name.pem and domain_name.key with your certificate file and private key file.
changeit is the default password of the built-in certificate file for GlassFish servers. If you have changed the password, specify the new password.
openssl pkcs12 -export -in domain_name.pem -inkey domain_name.key -out mycert.p12 -passout pass:changeit -name s1as
In the cert directory, run the keytool command to convert the mycert.p12 file to the JKS format, and change the name of the file to keystore.jks and the alias of the file to a1as.
keytool -importkeystore -destkeystore keystore.jks -srckeystore mycert.p12 -srcstoretype PKCS12 -alias s1as
After you run the keytool command, you are prompted to specify the password of keystore.jks and enter the password of mycert.p12. Specify changeit for both passwords.
In the cert directory, run the keytool command to convert the downloaded PEM certificate file to the JKS format, and change the name of the file to cacerts.jks and the alias of the file to a1as.
Replace domain_name.pem with your certificate file.
keytool -importcert -trustcacerts -destkeystore cacerts.jks -file domain_name.pem -alias s1as
After you run the keytool command, you are prompted to specify the password of keystore.jks. Specify changeit for the password.
In the cert directory, run the following command to replace the cacerts.jks and keystore.jks files in the /home/glassfish4/glassfish/domains/domain1/config directory:
Replace cacerts.jks
cp ./cacerts.jks /home/glassfish4/glassfish/domains/domain1/config
Replace keystore.jks
cp ./keystore.jks /home/glassfish4/glassfish/domains/domain1/config
Modify the /home/glassfish4/glassfish/domains/domain1/config/domain.xml configuration file to change the port numbers.
Find network-listeners as shown in the following figure and change the port numbers based on the following sample code. Take note of the usage of port 80 and port 443.
<network-listeners> <network-listener protocol="http-listener-1" port="80" name="http-listener-1" thread-pool="http-thread-pool" transport="tcp"></network-listener> <network-listener protocol="http-listener-2" port="443" name="http-listener-2" thread-pool="http-thread-pool" transport="tcp"></network-listener> <network-listener protocol="admin-listener" port="4848" name="admin-listener" thread-pool="admin-thread-pool" transport="tcp"></network-listener> </network-listeners>
Go to the /home/glassfish4/glassfish/bin directory and run the following command to restart the server:
./asadmin restart-domain domain1
Step 3: Check whether the certificate is installed
After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.
https://yourdomain # Replace yourdomain with the domain name that is bound to your certificate.
If a lock icon appears in the address bar, the certificate is installed.