GLASSFISH-17132

CLONE - Admin console not loading after enabling secure-admin

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 3.1
    • Fix Version/s: None
    • Component/s: admin
    • Labels: None
    • Environment:

      Server: FreeBSD 8.2 x64
      Client: Mac OS X 10.6.7

      Description

      • Download and install Glassfish 3.1 final (b43)
      • asadmin start-domain
      • asadmin enable-secure-admin
      • asadmin stop-domain
      • asadmin start-domain
      • open Safari web-browser and try to connect to the admin console via https on port 4848

      Result: the admin console GUI won't load: error 404: "Failed to open page"

      The result is the same whether you use Glassfish's own self-signed certificate or if you use an authority signed certificate.

      On Firefox everything works perfectly. It connects to the admin console GUI just fine.

      No error or exception can be found in server.log.

        Activity

        ref added a comment (edited)

        Tim McQuinn: I always run the browser remotely. (server: FreeBSD or Linux; client: OS X).

        • Running the browser (Lynx) locally works like a charm.
        • Running Safari on OS X remotely doesn't work.
          a) On some machines it doesn't work at all (timeout or 404)
          b) On others it starts to load the site and I get to see some content but it always asks me for a certificate:

        "The website <name> requires a client certificate.
        -----------------------------------------
        This website requires a certificate to validate your identity. Select the certificate to use when you connect to this website, and then click Continue."

        And this is where I get stuck.

        • Works perfectly when using Firefox on OS X.

        UPDATE: On one Mac it works perfectly when using Safari.

        UPDATE 2: Found something interesting:
        On one of the Macs where the GUI admin console requires me to select a certificate, I just added a new item to my OS X keychain (URL of my admin GUI with username and password, example: https://myserver.tld:4848 with usr/pw) and tried to access the admin console again:

        • It asks me one time to provide a certificate
        • I cancel/ignore
        • It works! I can access the admin console

        UPDATE 2b:
        The keychain already contained an item for https://myserver.tld:8181

        • I delete that keychain item (so that there's no more item for the GlassFish server and domain)
        • I try again to access the admin GUI using Safari
        • It asks me one time to provide a certificate
        • I cancel/ignore
        • Works fine!
        Tim Quinn added a comment -

        It sounds as if there might be a couple things going on here which different browsers might handle differently.

        The server is identifying itself to your browser using a certificate. If it is a self-signed cert (which is the default) then most browsers warn you - at least once - asking you whether you want to trust that self-signed cert or not. You also might have the option of remembering that decision for that cert or having the browser ask you every time it receives that cert from the server.

        Separately from that, after you enable secure admin the server allows (but does not require) the client (browser) to also authenticate itself to the server using a cert instead of prompting for an admin username and password. This should be an option to you, rather than a requirement. It sounds like that is working for you based on your updates.

        ref added a comment -

        I use a root-signed certificate. But the problem has been the same with a self-signed certificate.

        It indeed looks like a browser issue and my problem has finally been resolved.

        But what's strange is the fact that it has worked fine until GlassFish 3.1 got released.

        Tim Quinn added a comment -

        ref,

        Beginning with 3.1 GlassFish enforces the restriction that you must enable secure admin before it will accept remote admin requests. When you enable secure admin GlassFish automatically uses SSL/TLS to encrypt the admin traffic between the admin client (asadmin or browsers) and the server. And part of SSL/TLS is this whole certificate business, asking you (as the user of the browser or asadmin) whether you trust the server's certificate and what happens if you make a client cert available to your browser for it to send to the server.

        That's why you see the difference from 3.0.1 to 3.1 (and 3.1.1).

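The two separate things described in the comments above (whether the client trusts the server's certificate, and whether the server also asks the client for a certificate) can be told apart from a saved `openssl s_client` transcript. This is an added example, not part of the issue thread or the GlassFish project; `HOST`, the function names, the file names and both sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the issue thread. Classifies a saved transcript of:
#   openssl s_client -connect HOST:4848 </dev/null >transcript.txt 2>&1
# HOST is a placeholder; the transcripts written below are constructed samples.

# Prints "server_cert=<state> client_cert=<state>" for one transcript file.
classify_handshake() (
  # s_client reports chain validation as "Verify return code: N (text)".
  code=$(sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
  case "$code" in
    0)     server=trusted ;;
    18|19) server=self-signed ;;  # 18: self-signed leaf, 19: self-signed CA in chain
    "")    server=unknown ;;
    *)     server=untrusted ;;
  esac
  # Assumption: the server names its accepted CAs when it asks for a client
  # certificate; a request with an empty CA list would show as "none-seen".
  if grep -q '^Acceptable client certificate CA names' "$1"; then
    client=requested
  else
    client=none-seen
  fi
  printf 'server_cert=%s client_cert=%s\n' "$server" "$client"
)

# Writes two constructed transcripts into directory $1.
write_samples() {
  cat >"$1/secure_admin.txt" <<'EOF'
CONNECTED(00000003)
verify error:num=18:self signed certificate
---
Acceptable client certificate CA names
CN = myserver.tld
---
    Verify return code: 18 (self signed certificate)
EOF
  cat >"$1/server_auth_only.txt" <<'EOF'
CONNECTED(00000003)
---
No client certificate CA names sent
---
    Verify return code: 0 (ok)
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
classify_handshake "$dir/secure_admin.txt"
classify_handshake "$dir/server_auth_only.txt"
rm -rf "$dir"
```
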
        Tim Quinn added a comment -

        Because I cannot reproduce this, and the symptoms vary for the original poster from one environment to the next, I'm going to close this bug as not reproducible.

        If you find that this issue recurs reliably please re-open it.


          People

          • Assignee: Tim Quinn
          • Reporter: psartini
          • Votes: 0
          • Watchers: 2


          Time Tracking

          • Original Estimate: 2 hours
          • Remaining Estimate: 2 hours
          • Time Spent: Not Specified