To Update GlassFish Certificates

The WSIT message security mechanisms require the use of v3 certificates. The default GlassFish keystore and truststore do not contain v3 certificates at this time (but should before FCS). (GlassFish instances installed using JDK 1.6 do have a v3 certificate but the certificate lacks a particular extension required for supporting some secure WSIT mechanisms.) In order to use message security mechanisms with GlassFish, it is necessary to download keystore and truststore files that contain v3 certificates and import the appropriate certificates into the default GlassFish stores.

The XWSS keystores are sample keystores containing sample v3 certificates. These sample keystores can be used for development and testing of security with WSIT technology. Once an application is in production, you should definitely use your own v3 certificates issued by a trusted authority. In order to use WSIT security on GlassFish, you will have to import your trusted stores into GlassFish’s keystore and specify those certificates from NetBeans IDE.

To update the GlassFish certificates, follow these steps.

1. Download the zip file that contains the certificates and the Ant scripts (copyv3.zip) by going to this URL:

   https://xwss.dev.java.net/servlets/ProjectDocumentList?folderID=6645[amp ]expandFolder=6645[amp ]folderID=6645

2. Unzip this file and change into its directory, copyv3.

3. From the copyv3 directory, execute the Ant command that will copy the keystore and truststore files to the appropriate location, and import the appropriate certificates into the GlassFish keystore and truststore.

   This Ant command is as follows:

   as-install/lib/ant/bin/ant

   The command window will echo back the certificates that are being added to the keystore and truststore files, and should look something like this:

   [echo] WARNING: currently we add non-CA certs to GF truststore, this will not be required in later releases when WSIT starts supporting CertStore(s) [java] Added Key Entry :xws-security-server [java] Added Key Entry :xws-security-client [java] Added Trusted Entry :xwss-certificate-authority [java] Added Key Entry :wssip [java] Added Trusted Entry :xws-security-client [java] Added Trusted Entry :xws-security-server [java] Added Trusted Entry :wssip [echo] Adding JVM Option for https outbound alias, this will take at least One Minute. ...

4. To verify that the updates were successful, follow these steps:

   1. Change to the directory containing the GlassFish keystore and truststore files, as-install/domains/domain1/config.

   2. Verify that the v3 certificate has been imported into the GlassFish truststore. To do this, run the following keytool command (all on one line):

      java-home/bin/keytool -list -keystore cacerts.jks -alias wssip -storepass changeit

      If the certificates are successfully updated, your response will look something like this:

      wssip, Aug 20, 2007, trustedCertEntry, Certificate fingerprint (MD5): 1A:0E:E9:69:7D:D0:80:AD:5C:85:47:91:EB:0D:11:B1

      If the certificates were not successfully update, your response will look something like this:

      keytool error: java.lang.Exception: Alias <wssip> does not exist

   3. Verify that the v3 certificate has been imported into the GlassFish keystore. To do this, run the following keytool commands:

      java-home/bin/keytool -list -keystore keystore.jks -alias xws-security-server -storepass changeit java-home/bin/keytool -list -keystore keystore.jks -alias xws-security-client -storepass changeit

      If the certificates were successfully updated, your response should look something like this:

      xws-security-server, Aug 20, 2007, PrivateKeyEntry, Certificate fingerprint (MD5): E4:E3:A9:02:3C:B0:36:0C:C1:48:6E:0E:3E:5C:5E:84

      If your certificates were not successfully updated, your response will look more like this:

      keytool error: java.lang.Exception: Alias <xws-security-server> does not exist