Thursday, February 14, 2013

Glassfish: default keystore and truststore

Q: Do you need to use the keystores/truststores of GlassFish OSE?

There are two files you should be interested in (note that I use the domain named domain1):
  • $GLASSFISH_HOME/domains/domain1/config/cacerts.jks - truststore - holds the trusted certificates (public keys)
  • $GLASSFISH_HOME/domains/domain1/config/keystore.jks - keystore - holds the private keys together with their certificate chains

The default alias used by the secured http-listeners is s1as.

To examine the contents

To list the keystore and truststore contents use:
keytool -list -v -storepass changeit -keystore $GLASSFISH_HOME/domains/domain1/config/keystore.jks
keytool -list -v -storepass changeit -keystore $GLASSFISH_HOME/domains/domain1/config/cacerts.jks
Please note that you need to adapt the path to the stores depending on the domain you use, as well as the password you have configured for GlassFish to protect the keystore/truststore (changeit is only the default).
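The same inspection can be done programmatically with the JDK KeyStore API, which is handy when you want to verify many domains or fail a build when the default stores look wrong. The following is an added example, not code from the original post and not GlassFish's own code; it assumes domain1 under $GLASSFISH_HOME, the default password changeit (overridable as the first argument), and JKS-format stores, and reports which entries hold private keys, whether the s1as alias is present, which certificates are self-signed, and which are outside their validity period.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example, not part of the original post and not GlassFish code.
// Assumptions (adapt them): domain1, store password "changeit", JKS stores.
public class GlassfishStoreAudit {

    /** Summary of one store, returned so callers can check it programmatically. */
    static final class StoreReport {
        int privateKeyEntries;
        int trustedCertEntries;
        int selfSigned;
        int invalidNow;          // expired or not yet valid at the time of the check
        boolean hasS1as;
    }

    static StoreReport inspect(String path, char[] storePass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);     // a wrong store password fails here with an IOException
        }
        StoreReport r = new StoreReport();
        System.out.println("== " + path + " (" + ks.size() + " entries)");
        for (String alias : Collections.list(ks.aliases())) {
            StringBuilder line = new StringBuilder("  ").append(alias);
            if (ks.isKeyEntry(alias)) {
                r.privateKeyEntries++;
                line.append(" [private key");
                // By default GlassFish uses its master password for both the store and
                // the key entries; report an entry whose key password differs.
                try {
                    ks.getKey(alias, storePass);
                } catch (UnrecoverableKeyException e) {
                    line.append(", key password differs from store password");
                }
                line.append("]");
            } else {
                r.trustedCertEntries++;
                line.append(" [trusted cert]");
            }
            if ("s1as".equals(alias)) {
                r.hasS1as = true;
            }
            Certificate c = ks.getCertificate(alias);   // first certificate of the chain for key entries
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                line.append(" subject=").append(x.getSubjectX500Principal().getName());
                line.append(" notAfter=").append(x.getNotAfter());
                if (isSelfSigned(x)) {
                    r.selfSigned++;
                    line.append(" SELF-SIGNED");
                }
                try {
                    x.checkValidity();
                } catch (CertificateException e) {
                    r.invalidNow++;
                    line.append(" NOT VALID NOW (").append(e.getClass().getSimpleName()).append(")");
                }
            }
            System.out.println(line);
        }
        return r;
    }

    /** A certificate is self-signed when issuer equals subject and its own public key verifies its signature. */
    static boolean isSelfSigned(X509Certificate x) {
        if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) {
            return false;
        }
        try {
            x.verify(x.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String home = System.getenv().getOrDefault("GLASSFISH_HOME", ".");
        String config = home + "/domains/domain1/config/";                    // assumption: domain1
        char[] pass = (args.length > 0 ? args[0] : "changeit").toCharArray();  // assumption: default password

        StoreReport ks = inspect(config + "keystore.jks", pass);
        StoreReport ts = inspect(config + "cacerts.jks", pass);

        if (!ks.hasS1as) {
            System.out.println("WARNING: keystore has no 's1as' entry; the secured http-listeners will not find their key");
        }
        if (ks.selfSigned > 0) {
            System.out.println("NOTE: " + ks.selfSigned + " self-signed entries in the keystore; clients will not trust them unless the certificate is imported on their side");
        }
        if (ks.invalidNow + ts.invalidNow > 0) {
            System.out.println("WARNING: " + (ks.invalidNow + ts.invalidNow) + " certificates are outside their validity period");
        }
    }
}
```

Run it as java GlassfishStoreAudit [storepass] with GLASSFISH_HOME set. Compared with keytool -list -v, the program gives you the same entry types, subjects and expiry dates, but it also returns them as a StoreReport, so a monitoring job or CI step can fail when s1as is missing, a key no longer opens with the store password, or a certificate in either store has expired.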

Digging deeper

The default keys are generated during domain creation by asadmin's create-domain command.

The implementation is in (I refer to version 3.1.1): https://svn.java.net/svn/glassfish~svn/tags/3.1.1/admin/server-mgmt/src/main/java/com/sun/enterprise/admin/servermgmt/KeystoreManager.java
See the methods:
createKeyStore()
createTrustStore()
