Glassfish

EJBCA 6.x has never been officially deployed on Glassfish yet. The below notes can work as hints for anyone interested working on Glassfish support.

EJBCA 4.x has been tested with Glassfish v2.1.1.

Don't forget to install 'Unlimited Strength Jurisdiction Policy Files' for Java.

Using Derby database (Glassfish built in)

  1. Start JavaDB and create the database instance.

    cd $APPSRV_HOME
    bin/asadmin start-database
    export DERBY_HOME=$APPSRV_HOME/javadb
    javadb/bin/ij
    ij> connect 'jdbc:derby://localhost:1527/ejbca;create=true';
    ij> quit;
     
  2. Start the application server:

    bin/asadmin start-domain

    The default user/password for the web console is admin/adminadmin.
    Access the Glassfish admin console at http://127.0.0.1:4848/.

  3. Create a connection pool for your database. In the admin console this is done in Resources->JDBC->Connection Pools.
    When adding a Derby Pool use values: Name=EjbcaPool, Type=javax.sql.DataSource, Vendor=JavaDB.
    Properties: user=APP, password=APP, DatabaseName=ejbca
    Save and use the Ping-button for the pool. If you get 'Parameter wrong for this method : off', go to Additional Properties and delete 'Ssl'.
    Command line alternative:

    bin/asadmin create-jdbc-connection-pool --datasourceclassname org.apache.derby.jdbc.ClientDataSource --property user=APP:password=APP:DatabaseName=ejbca:ServerName=localhost:port=1527 EjbcaPool
  4. Create a datasource called jdbc/EjbcaDS, in the admin console this is done in Resources->JDBC->JDBC Resources. Use the connection pool you just created.
    Command line alternative:

    bin/asadmin create-jdbc-resource --connectionpoolid EjbcaPool jdbc/EjbcaDS

    If security is enabled you have to add

    --user admin --passwordfile pwd.txt 

    as command line parameters where pwd.txt contains

    AS_ADMIN_PASSWORD=adminadmin

Using MySQL database

  1. Start the database and create the MySQL database "ejbca".

  2. Grant privileges to the "ejbca" user with password "ejbca_pwd" (don't use this password in production!)

  3. Copy the MySQL JDBC JAR to APPSRV_HOME/lib/.

  4. Start the application server:

    asadmin start-domain
  5. Add the Connection Pool and DataSource from the Glassfish Admin Console (see "Derby") or use command line:

    asadmin create-jdbc-connection-pool --datasourceclassname com.mysql.jdbc.jdbc2.optional.MysqlDataSource --property user=ejbca:password=ejbca_pwd:DatabaseName=ejbca:ServerName=localhost:port=3306 EjbcaPool
    asadmin create-jdbc-resource --connectionpoolid EjbcaPool jdbc/EjbcaDS

Configure EJBCA

  1. Edit conf/ejbca.properties, you should at least set appserver.home.

  2. Edit conf/log4j-glassfish.xml, to configure EJBCA logging.

  3. Edit conf/database.properties, you should at least set the database settings for your chosen database. Derby and MySQL has been tested with Glassfish.

  4. Edit conf/web.properties, you should set desired values and also the http/s ports (default 8080 and 8181) for your installation.

Deploy and setup

  1. If your appserver does not requires a password for deployment (asadmin deploy) you can build and deploy EJBCA with

    ant clean
    ant bootstrap

    or otherwise with an additional step.

    ant clean
    ant
    asadmin deploy --precompilejsp $EJBCA_HOME/dist/ejbca.ear

    You can check that everything was ok in APPSRV_HOME/domains/domain1/logs/server.log.

  2. Install EJBCA

    ant install

  3. Configure SSL in Glassfish
    Configuration->HTTP Service->HTTP Listeners->http-listener-2, SSL tab

    • Client Authentication: Enabled

    • Certificate Nickname: s1as (get alias name by running 'keytool -list -v -keystore $APPSRV_HOME/domains/domain1/config/keystore.jks', password changeit)

    • SSL3: Enabled

    • Ciphers Suite: All

    Add CA certificate to cacerts file:

           cd $EJBCA_HOME
    keytool -exportcert -keystore p12/truststore.jks -file p12/managementca.der -storepass changeit -alias managementca

    Install the CA certificate in the application servers truststore.
    On Glassfish open source:

           keytool -delete -keystore  $APPSRV_HOME/domains/domain1/config/cacerts.jks -alias managementca -storepass changeit
    (will fail if this hasn't been done before)
    keytool -importcert -keystore $APPSRV_HOME/domains/domain1/config/cacerts.jks -file p12/managementca.der -alias managementca -storepass changeit

    On Glassfish Enterprise:

    • cd $APPSRV_HOME/domains/domain1/config
    • /usr/sfw/bin/certutil -A -n managementca -t "p,p,p" -i p12/managementca.der -d .
    • verify that managementca has been added to the store with

      /usr/sfw/bin/certutil -L -d .
  4. (Optional) Replace the SSL keystore and truststore with default passwords.
    In a production environment you probably want to change the keystore passwords, to do this you must edit both the http-listener and the IIOP-listeners.

        cd $EJBCA_HOME
    cp p12/tomcat.jks p12/keystore.jks
    keytool -list -keystore p12/keystore.jks -storepass serverpwd
    Read the alias for the "PrivateKeyEntry" e.g. 'localhost'.
    keytool -keypasswd -keystore p12/keystore.jks -alias localhost -storepass serverpwd -keypass serverpwd -new changeit
    keytool -storepasswd -keystore p12/keystore.jks -storepass serverpwd -new changeit
    keytool -changealias -keystore p12/keystore.jks -alias localhost -destalias s1as -keypass changeit -storepass changeit
    cp p12/keystore.jks $APPSRV_HOME/domains/domain1/config/keystore.jks
  5. Restart server

        asadmin stop-domain
    asadmin start-domain
  6. Access protected EJBCA pages
    Import $EJBCA_HOME/p12/superadmin.p12 in your browser and go to url: https://127.0.0.1:8181/ejbca/
    You can now click Administration to get to the admin-GUI.

  7. (Optional) Change how often an EJBCA Service can run: Configuration -> EJB Container -> EJB Timer Service -> Minimum Delivery Interval: 1000.
    Restart application server.
    This can also be changed using the minimum-delivery-interval-in-millis attribute in the domain.xml file when the appserver isn't running.

  8. (Optional) Apply workaround to enable redeployment without application server restart: See ECA-1887.

Glassfish Ubuntu package

The above instructions are tested on the official release from Glassfish's homepage. We had this report from a user of the glassfish package on Ubuntu.

I had to modify the following to make it work with the Ubuntu 9.04 glassfish package.

  1. Modify /usr/bin/asadmin:

    #GF_DOMAIN_DIR=$HOME/glassfishv2 GF_DOMAIN_DIR=/var/lib/glassfishv2/domains
  2. Set APPSRV_HOME to /usr/share/glassfishv2

The Ubuntu package has the domains and binaries separated. When following the install instructions, when you do anything with the domain you have to point to /var/lib/glassfishv2/[directory] instead of $APPSRV_HOME/[directory].