On configuring Glassfish keystores...
Ok, so you like glassfish. You really think that message based security is pretty cool. You've even tried the security samples (successfully!). Now you're ready to take the next big step: create your own secure application and attempt interoperability. Except that there is one problem.
You don't have the certificates and keys you need to interoperate in the glassfish keystore and truststore! You're thinking, what do I do now? Well, just read on....
Let's see what we know. For an application to interoperate, you need to know the keys to be used for encryption and digital signing. The certificates and keys to be used are typically negotiated out of band between both parties. So you should have the certificates with you. If you have them in a JKS format, here's what you can do to configure your keystore.
In a nutshell, what you need to do is get the copyv3 module and modify its ant script so that it imports the correct keys into the default glassfish keystore (keystore.jks) and truststore (cacerts.jks).
Let's say your client alias is alice and server alias is bob. The client trusts bob and server trusts alice.
Here's roughly what the updated script looks like:
<project name="keycopy" default="main" basedir=".">
    <property environment="env" />
    <property name="proxy.host" value="webcache.sfbay.sun.com" />
    <property name="proxy.port" value="8080" />
    <!-- GF_HOME must point at your glassfish installation -->
    <property name="AS_HOME" value="${env.GF_HOME}" />
    <target name="main" description="copy v3 keypair to GF Keystore">
        <setproxy proxyhost="${proxy.host}" proxyport="${proxy.port}" />
        <!-- private key entries: bob (server) and alice (client) go into keystore.jks -->
        <java classname="KeyImport" dir="." fork="true">
            <arg value="srcstore=server-keystore.jks" />
            <arg value="dststore=${AS_HOME}/domains/domain1/config/keystore.jks" />
            <arg value="srcalias=bob" />
            <arg value="dstalias=bob" />
            <classpath>
                <pathelement location="./test.jar" />
            </classpath>
        </java>
        <java classname="KeyImport" dir="." fork="true">
            <arg value="srcstore=client-keystore.jks" />
            <arg value="dststore=${AS_HOME}/domains/domain1/config/keystore.jks" />
            <arg value="srcalias=alice" />
            <arg value="dstalias=alice" />
            <classpath>
                <pathelement location="./test.jar" />
            </classpath>
        </java>
        <!-- trusted certificate entries (trustedentry=true): certificates only, no private keys, go into cacerts.jks -->
        <!-- the server trusts alice, so alice's certificate comes from server-truststore.jks -->
        <java classname="KeyImport" dir="." fork="true">
            <arg value="srcstore=server-truststore.jks" />
            <arg value="dststore=${AS_HOME}/domains/domain1/config/cacerts.jks" />
            <arg value="srcalias=alice" />
            <arg value="dstalias=alice" />
            <arg value="trustedentry=true" />
            <classpath>
                <pathelement location="./test.jar" />
            </classpath>
        </java>
        <java classname="KeyImport" dir="." fork="true">
            <arg value="srcstore=server-truststore.jks" />
            <arg value="dststore=${AS_HOME}/domains/domain1/config/cacerts.jks" />
            <arg value="srcalias=xws-security-client" />
            <arg value="dstalias=xws-security-client" />
            <arg value="trustedentry=true" />
            <classpath>
                <pathelement location="./test.jar" />
            </classpath>
        </java>
        <!-- the client trusts bob, so bob's certificate comes from client-truststore.jks -->
        <java classname="KeyImport" dir="." fork="true">
            <arg value="srcstore=client-truststore.jks" />
            <arg value="dststore=${AS_HOME}/domains/domain1/config/cacerts.jks" />
            <arg value="srcalias=bob" />
            <arg value="dstalias=bob" />
            <arg value="trustedentry=true" />
            <classpath>
                <pathelement location="./test.jar" />
            </classpath>
        </java>
    </target>
</project>
Get set (glassfish home), on your mark (edit aliases, source JKS keystore names), go (run the script)!
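The script above calls a KeyImport class from test.jar that the post doesn't show. Here is an added stand-in written for this page (not the copyv3 module's own code) that honours the same key=value arguments; it assumes both JKS stores use glassfish's default password "changeit", since the script passes none, and that a trustedentry=true import copies only the certificate so no private key ever lands in cacerts.jks.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.Map;

public class KeyImport {
    // Assumption: both stores use glassfish's default JKS password.
    private static final char[] PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        // Parse the srcstore=/dststore=/srcalias=/dstalias=/trustedentry= arguments.
        Map<String, String> opts = new HashMap<>();
        for (String a : args) {
            int eq = a.indexOf('=');
            if (eq < 0) throw new IllegalArgumentException("expected key=value, got: " + a);
            opts.put(a.substring(0, eq), a.substring(eq + 1));
        }
        String srcAlias = opts.get("srcalias");
        String dstAlias = opts.getOrDefault("dstalias", srcAlias);
        boolean trustedEntry = Boolean.parseBoolean(opts.getOrDefault("trustedentry", "false"));

        KeyStore src = load(opts.get("srcstore"));
        KeyStore dst = load(opts.get("dststore"));
        if (!src.containsAlias(srcAlias)) throw new IllegalStateException("no alias " + srcAlias);

        if (trustedEntry) {
            // Truststore import: only the certificate travels, never the private key.
            dst.setCertificateEntry(dstAlias, src.getCertificate(srcAlias));
        } else {
            // Keystore import: the private key together with its certificate chain.
            if (!src.isKeyEntry(srcAlias)) throw new IllegalStateException(srcAlias + " has no private key");
            Key key = src.getKey(srcAlias, PASSWORD);
            Certificate[] chain = src.getCertificateChain(srcAlias);
            dst.setKeyEntry(dstAlias, key, PASSWORD, chain);
        }
        try (FileOutputStream out = new FileOutputStream(opts.get("dststore"))) {
            dst.store(out, PASSWORD);
        }
    }

    private static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }
}
```

After running the script, keytool -list on keystore.jks and cacerts.jks should show alice and bob as PrivateKeyEntry and trustedCertEntry respectively; a private key showing up in cacerts.jks means a trustedentry flag was dropped.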
Now you are all set to test out your secure application! Security can be a tricky thing. Let me know if you thought this was confusing....and do share your ideas if you think this could be made any simpler!
Posted at 02:34PM Mar 29, 2007 by Manveen Kaur in Sun | Comments[1]