Java applications that use SSL to consume web services via JAX-WS, or that use HTTP clients, validate the server's SSL certificate at runtime. If your certificate is self-signed, or its Common Name does not match the domain name, you will get connection errors.
To develop against such services you may need to run them on dev/QA servers and then let your Java application consume them. To do that you import their SSL certificates into your local Java keystore (the same way you add an exception rule in your browser).
How to generate a self-signed SSL certificate and put it into the Glassfish keystore
To import certificates into a Java keystore you use keytool. Glassfish v3 uses the same keystore file format to store its SSL certificates and private keys. The problem is that keytool does not allow adding an existing private key to a keystore; well, at least I could not find a way to do it. So if you have a self-signed SSL certificate generated with the openssl command, you can't use it as the Glassfish SSL server certificate. You need to use keytool to generate a new one and put it into the keystore together with its private key.
Run the following command, replacing SOME_ALIAS_NAME with any alias name you want and the path with the location of your keystore:
keytool -genkey -alias SOME_ALIAS_NAME -validity 1000 -keyalg RSA -keysize 1024 -keystore /opt/......./domain1/config/keystore.jks
You have to put your domain name in the Common Name field or it will cause validation errors. So when keytool asks for your first and last name, enter the domain name you will use to access the SSL service from Java.
Changing the SSL certificate in Glassfish v3
Then open the Glassfish web administration console and go to: Configuration / Network Config / Network Listeners / SSL tab
Put SOME_ALIAS_NAME into the Certificate Nickname field on the SSL tab of the network listener that is designated for your application's SSL traffic.
This should work, and your web app will start using the new certificate.
Obtaining the server's SSL certificate to add an exception rule
If you now open your application's URL you should get a new SSL warning in your browser, because the certificate has changed. Add an exception rule to allow the traffic. You can also export the certificate from the browser (in Firefox the details view has an Export button).
You can also run the following, replacing the host and port with your server's name and port (stdin is closed so s_client exits after printing the handshake instead of waiting for input):
openssl s_client -connect YOUR_HOSTNAME:PORTNUM </dev/null 2>&1
Then grab the certificate lines, which look like this:
-----BEGIN CERTIFICATE-----
MIIE5zCCA8+gAwIBAgIEAOJk2zANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMC
VVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNV
....
I8LFuzs02dJlCpDhGquvQ0W6o4uuvjSP28HfGBcmKholG0GT9wyZZCBvUlFyV6kq
/KNTisOW4so6I+Q=
-----END CERTIFICATE-----
and put them into a file on your local drive. If you exported the certificate from the browser you don't have to do this from the command line.
Adding the self-signed SSL certificate to the local Java keystore
Finally you have to add this certificate to the Java keystore so that all Java programs on your machine accept this self-signed SSL certificate. On Mac OS X it would look like this:
sudo $JAVA_HOME/bin/keytool -trustcacerts -import -alias "any_alias_name" -file myserver.crt -keystore /Library/Java/Home/lib/security/cacerts
This should solve the problem and you should not get any SSL connection or handshake errors any more.
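The s_client capture and the keytool import above, as an added script that is not the post's own code: it keeps only the first PEM block from the captured output (openssl prints the chain leaf-first, so that is the server certificate and any issuer certificate after it is dropped), fingerprints it so you can confirm it with whoever runs the server before trusting it, and imports it into a truststore. Host, alias, store path and password are placeholders, the sample s_client output is constructed, and the option of a dedicated truststore selected with -Djavax.net.ssl.trustStore is an assumption about how you would rather scope the change than editing cacerts.

```shell
#!/bin/sh
# Added example, not the post's own code: capture the server certificate, keep only
# the leaf, fingerprint it for out-of-band confirmation, then import it with keytool.
# Print only the first PEM block read from stdin. s_client prints the chain leaf-first,
# so this is the server certificate; issuer certificates after it are dropped.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
        sed '/-----END CERTIFICATE-----/q'
}

# fetch_server_cert HOST PORT OUT: </dev/null closes stdin so s_client exits instead
# of waiting for input; -servername matters when one host serves several names.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        extract_pem > "$3"
}

# fingerprint FILE: compare this with the value the server owner gives you before
# trusting the certificate; a matching CN alone proves nothing about who issued it.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# import_cert FILE ALIAS STORE PASS: a dedicated truststore (selected with
# -Djavax.net.ssl.trustStore=STORE) limits the change to one application instead
# of every Java program that reads cacerts. keytool creates STORE if it is missing.
import_cert() {
    keytool -importcert -noprompt -alias "$2" -file "$1" -keystore "$3" -storepass "$4"
}

# Constructed stand-in for s_client output (not a real certificate): leaf, then issuer.
write_sample_log() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN = dev.example.test
-----BEGIN CERTIFICATE-----
MIICconstructedLeafBodyLine1
MIICconstructedLeafBodyLine2
-----END CERTIFICATE-----
 1 s:CN = Constructed Issuer
-----BEGIN CERTIFICATE-----
MIICconstructedIssuerBody
-----END CERTIFICATE-----
EOF
}

log=$(mktemp)
write_sample_log "$log"
extract_pem < "$log"   # prints the 4-line leaf block only
rm -f "$log"
```

With a real server you would run fetch_server_cert, check fingerprint against the expected value, and only then call import_cert.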
Hope it helps :)
About the author
Hi, my name is Artur Ejsmont, welcome to my blog. I am a passionate software engineer living in Sydney and working for Yahoo!