talha06 talha06 - 17 days ago 5
Java Question

Right way to configure Glassfish SSL certificate nickname?

Glassfish lets to set the SSL certificate nickname through its admin console as it is highlighted in the pic below:

Glassfish Admin Console SSL Configuration UI

But almost every tutorials in the web mention that it is necessary to replace all occurrences of the default SSL nickname (

s1as
) with the one will be used(i.e.
mydomain.com
) in the
domain.xml
file.

So what is the proper way of setting certificate nickname?

Answer

It is very likely that the admin console is just updating the domain.xml file anyway. In either case, it is good practice to avoid modifying the domain.xml file wherever possible. There is no official advice in the Security Guide for GF4 and the only mention of the certificate nickname is:

If you enable secure admin on an SSL-enabled GlassFish Server installation, secure admin uses the existing value as the DAS admin alias for secure admin.

https://glassfish.java.net/docs/4.0/security-guide.pdf

Changing the nickname isn't actually necessary, from a functional perspective. When you import your key/cert to the keystores you can just use the same name to replace the existing cert, which is perfectly valid.


Edit: To change alias names with the asadmin command, you can use enable-secure-admin with either --instancealias myNewAlias or --adminalias myOtherNewAlias (or both).

The default for adminalias is s1as and the default for instancealias is glassfish-instance.

Comments