GLASSFISH-657

Ability to specify keystore/truststore for each SSL listener

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.0pe
    • Fix Version/s: V3
    • Component/s: security
    • Labels: None
    • Environment:

      Operating System: All
      Platform: Macintosh

    • Issuezilla Id: 657

      Description

      Currently, the SSL configuration for glassfish appears to rely on the JVM-wide
      system properties for keystore and truststore. Each "<ssl.../>" listener can
      specify an alias to use for its server certificate – that works OK.

      It would be useful to be able to specify at least a separate trust store for
      each listener. This would allow for the case where the system may have a
      publicly-facing listener for Internet requests and a private-network-facing
      listener for internal requests. The public ones may require real
      Verisign/Thawte client certificates while the private ones may require a
      specific private CA.

      Tomcat allows each SSL listener to specify its own keystore, keystore type,
      keystore password, truststore, truststore type, and truststore password. It
      would be nice if glassfish offered equivalent functionality.
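As an added illustration (not GlassFish or Tomcat code, and not part of this issue), the per-listener arrangement the report asks for expressed in plain JSSE: each listener gets its own SSLContext built from its own keystore and truststore, so the JVM-wide javax.net.ssl.* system properties never decide which CA a listener trusts. The class, file paths and passwords are placeholders chosen for the example, and it assumes Java 16+ for the record syntax.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

/** Per-listener TLS settings: the six attributes Tomcat exposes on each connector. */
public record ListenerSslConfig(String keystorePath, String keystoreType, String keystorePassword,
                                String truststorePath, String truststoreType, String truststorePassword) {

    private static KeyStore load(String path, String type, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** SSLContext bound to this listener's own stores; the JVM-wide javax.net.ssl.*
     *  system properties are never consulted. Assumes key entry password == store password. */
    SSLContext toSslContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keystorePath, keystoreType, keystorePassword), keystorePassword.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststorePath, truststoreType, truststorePassword));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens a listener that demands a client certificate chaining to this config's truststore. */
    static SSLServerSocket listen(ListenerSslConfig cfg, int port) throws Exception {
        SSLServerSocket ss = (SSLServerSocket) cfg.toSslContext().getServerSocketFactory().createServerSocket(port);
        ss.setNeedClientAuth(true); // mutual TLS; clients issued by the other listener's CA are rejected here
        return ss;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords (constructed for this example); substitute the real stores.
        ListenerSslConfig pub = new ListenerSslConfig("/etc/app/public.jks", "JKS", "changeit",
                "/etc/app/public-client-ca.jks", "JKS", "changeit");   // public CA only
        ListenerSslConfig priv = new ListenerSslConfig("/etc/app/private.jks", "JKS", "changeit",
                "/etc/app/private-ca.jks", "JKS", "changeit");         // internal CA only
        SSLServerSocket internet = listen(pub, 8443);
        SSLServerSocket intranet = listen(priv, 9443);
        System.out.println("listening on " + internet.getLocalPort() + " and " + intranet.getLocalPort());
    }
}
```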

        Activity

        jfarcand added a comment -

        Re-assign to security to see if it can be implemented. Re-assign to webcontainer
        if this is doable.

        jluehe added a comment -

        This sounds like a good idea and seems doable in GlassFish!

        I believe the reason Glassfish currently doesn't allow you to specify individual
        keystore and truststore properties per HTTPS listener is due to a limitation of
        the definition of the <ssl> element in the domain.xml DTD, which does not have
        any "property" subelements, and whose attributes don't cover any key/truststore
        properties.

        An easy way to fix this would be by changing the definition of the <ssl> element
        in the domain.xml DTD from

        <!ELEMENT ssl EMPTY>

        to

        <!ELEMENT ssl (property*)>

        or by defining the various store properties as <ssl> attributes. This would
        allow an admin to override the system-wide settings.

        I am going to send a formal proposal for this in a separate email.

        Jan

        jfarcand added a comment -

        Re-assign to myself. In v3, we are planning to add a new element called Grizzly
        config which should support this RFE.

        jfarcand added a comment -

        This will be fixed when we add support for grizzly-config (soon).

        oleksiys added a comment -

        grizzly-config has been integrated.


          People

          • Assignee: oleksiys
          • Reporter: djhagberg
          • Votes: 0
          • Watchers: 0
