GLASSFISH-15884

Unable to use a custom Keystore for SSL with embedded version

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1_b41
    • Fix Version/s: 3.1.1_b01
    • Component/s: web_container
    • Labels: None
    • Environment:

      Windows XP SP3
      Java 1.6 for business u18
      Glassfish-embedded-all-b41.jar

      Description

      Hello,

      I'm trying to use a custom keystore to configure an HTTPS listener in glassfish with the following code:

      import java.io.File;
      import org.glassfish.embeddable.GlassFish;
      import org.glassfish.embeddable.GlassFishRuntime;
      import org.glassfish.embeddable.web.HttpsListener;
      import org.glassfish.embeddable.web.WebContainer;
      import org.glassfish.embeddable.web.config.SslConfig;

      // Bootstrap and start the embedded server.
      GlassFish glassfish = GlassFishRuntime.bootstrap().newGlassFish();
      glassfish.start();

      // Create a web container, and https listener.
      WebContainer webcontainer = glassfish.getService(WebContainer.class);
      HttpsListener listener = new HttpsListener();
      listener.setPort(9191);
      listener.setId("https-listener-2");
      listener.setProtocol("https"); // enable security
      // Point the listener at the custom keystore (also used as truststore).
      SslConfig sslConfig = new SslConfig();
      sslConfig.setKeyStore("C:\\temp\\mykeystore.jks");
      sslConfig.setKeyPassword("Abcd1234");
      sslConfig.setTrustStore(new File("C:\\temp\\mykeystore.jks"));
      listener.setSslConfig(sslConfig);
      webcontainer.addWebListener(listener);

      When I connect to my server on port 9191, the certificate used is not the one in my keystore, but the one located in {instanceRoot}/config/keystore.jks

      After digging in the open and resolved issues on Embedded-Glassfish, it appears that the issue is caused by the fix of "GLASSFISH-14572 - Unable to create https listeners in embedded glassfish", which forces the value of the KeyStore/TrustStore properties through the jvm-options in the embedded domain.xml (in the org.glassfish.embed package).

      After doing a rollback of the change (i.e. removing the 2 jvm-options lines from the domain.xml), the glassfish server correctly uses the system properties defined.

      However, setting the KeyStore/TrustStore/Password through the org.glassfish.embeddable.web.config.SslConfig object does not seem to have any impact. If the system properties are set, they take precedence. If they are not set, the following error is thrown:

      SEVERE: Failed to load keystore type JKS with path null due to null
      java.lang.NullPointerException
      at java.io.File.<init>(File.java:222)
      at com.sun.grizzly.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:326)
      at com.sun.grizzly.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:272)
      at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:203)
      ...

      Once the SslConfig usage is fixed, it would be nice to be able to change the KeyStore type to something other than JKS through the same object.
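
One way to check which certificate the listener on port 9191 actually serves, as an added example that is not part of the original report or of the GlassFish code base: it compares the SHA-256 fingerprint of the served leaf certificate with every entry in the intended keystore. The class name ListenerCertCheck and its command-line arguments are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

public class ListenerCertCheck {
    // Hex-encoded SHA-256 fingerprint of a certificate's DER encoding.
    static String sha256(Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
            sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ListenerCertCheck <keystore.jks> <storepass> <host> <port>
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Inspection only: accept any chain so the handshake completes and the
        // served certificate can be read. Never use this manager for real traffic.
        TrustManager[] acceptAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        String served;
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[2], Integer.parseInt(args[3]))) {
            s.startHandshake();
            served = sha256(s.getSession().getPeerCertificates()[0]);
        }
        // Compare the served leaf with the certificate of every keystore entry.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c != null && sha256(c).equals(served)) {
                System.out.println("OK: listener serves keystore entry '" + alias + "'");
                return;
            }
        }
        System.out.println("MISMATCH: served certificate " + served + " is not in " + args[0]);
        System.exit(1);
    }
}
```

A MISMATCH result against the custom keystore, combined with an OK result against {instanceRoot}/config/keystore.jks, reproduces the behaviour described in this report.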

        Activity

        Bhavanishankar added a comment -

        The fix for 14572 was made so that HTTPS listener creation works out of the box. As you rightly pointed out, you can always specify -Djavax.net.ssl.keyStore and -Djavax.net.ssl.trustStore when launching your embedded program.

        Assigning to web container to look into why the configurations specified programmatically via SslConfig don't take precedence over the system properties.

        gastush added a comment -

        The problem with setting -Djavax.net.ssl.keyStore when launching the program is that it gets overridden by the "default" values taken from the domain.xml file.
        Just do the following to see it in action:

        System.out.println(System.getProperty("javax.net.ssl.keyStore"));
        GlassFishRuntime gfr = GlassFishRuntime.bootstrap();
        GlassFish glassfish = gfr.newGlassFish();
        glassfish.start();
        System.out.println(System.getProperty("javax.net.ssl.keyStore"));

        run with java -Djavax.net.ssl.keyStore=somekeystore.jks argument

        And you will see that the values before and after are different, which is not what I was expecting.
        After starting the glassfish server, the javax.net.ssl.keyStore property contains the value defined in the domain.xml and not the one given on the command line.

        Bhavanishankar added a comment -

        Okay, I see. So, basically we have 2 issues here:

        1. keyStore & trustStore settings from domain.xml are always getting used.

        2. listener.setSslConfig(sslConfig) is not working as expected.

        Workaround for #1 is to get the domain.xml from http://embedded-glassfish.java.net/domain.xml and change keystore/truststore vm options and use it while embedding GlassFish, like this:

        GlassFishRuntime gfr = GlassFishRuntime.bootstrap();
        GlassFishProperties gfProps = new GlassFishProperties();
        gfProps.setConfigFileURI(new File("modified-domain.xml").toURI().toString());
        GlassFish glassfish = gfr.newGlassFish(gfProps);
        glassfish.start();

        IMO, #1 is a generic issue in the sense that any vm options supplied by the user should always take precedence over what is in domain.xml. So, I will file a separate issue for #1, and leave this issue for addressing #2.

        Bhavanishankar added a comment -

        I meant "#1 is a generic issue in the sense that any 'system property' supplied by the user should always take precedence over what is in domain.xml's jvm-options."

        Amy Roh added a comment -

        The ability to configure SSL connector over the system properties will be implemented in 3.2.

        Amy Roh added a comment -

        Fixed

        Sending web-embed/api/src/main/java/org/glassfish/embeddable/web/HttpsListener.java
        Sending web-embed/api/src/main/java/org/glassfish/embeddable/web/config/SslConfig.java
        Sending web-embed/impl/src/main/java/org/glassfish/web/embed/impl/WebContainerImpl.java
        Transmitting file data ...
        Committed revision 45006.


          People

          • Assignee: Amy Roh
          • Reporter: gastush
          • Votes: 0
          • Watchers: 2
