Configuring WebServer 7.0 for GlassFish DAS Based Administration of HTTP Load Balancer

SJSWS 7.0 uses Network Security Services (NSS) to manage security database that stores the keys and certificates. GlassFish (V2) beta ,on the server side, uses Java Keystore (JKS) to manage it's security database.
GlassFish HTTP Load Balancer's advanced administration support, requires SSL setup between the WebServer and the Domain Administration Server (DAS). To set this up requires exporting and importing DAS certificate from the JKS system into the WebServer's NSS based one.

The under mentioned details enlist the steps that an administrator can use to configure this.

  • Configure GlassFish HTTP Load Balancer on WebServer 7.0 to accept DAS as a trusted client.

  1. Create a new HTTP listener and enable it for SSL. While doing so attach the default server certificate available with SJSWS 7.0 installation. For ease you can do this by using the WebServer's GUI based administration console.
  2. Use the JavaSE 5.0 security tool keytool for exporting the DAS certificate, named with alais “s1as”. While doing so select the -rfc option to export the certificate in printable encoding format, as defined by the Internet RFC 1421 standard..

    In its printable encoding format, the encoded certificate is bounded at the beginning by:

    and at the end by
    -----END CERTIFICATE-----

    Command (Solaris / Linux)
    <JAVA_HOME>/bin/keytool -export -rfc -alias s1as -keystore <GLASSFISH_HOME>/domains/<DOMAIN_NAME>/config/keystore.jks -file s1as.rfc

    <GLASSFISH_HOME> is the installation directory for GlassFish application server
    <DOMAIN_NAME> refers to the GlassFish domain, DAS, whose certificate is being exported. Also Note this takes into assumption that cluster profile is choosen for this created domain.

  3. Use the NSS security tool certutil to import the DAS certificate from the rfc file created.

    <WS_INSTALL_ROOT>/bin/certutil -A -a -n s1as -t "TC" -i s1as.rfc -d <WS_INSTALL_ROOT>/admin-server/config-store/<DEFAULT_CONFIG_NAME>/config
    where, <WS_INSTALL_ROOT> refers to the SJSWS 7.0 installation directory and
    <DEFAULT_CONFIG_NAME> refers to the config name created for the default WebServer

    You can check the presence of this certificate by using the following command, which would list s1as certificate along with other CA certificates including the default server certificate :
    <WS_INSTALL_ROOT>/bin/certutil -L -d <WS_INSTALL_ROOT>/admin-server/config-store/<DEFAULT_CONFIG_NAME>/config

    You can also use the SJSWS 7.0 GUI admin console to view this. Select the configuration to which the certificate has been imported to, in our case the default config, and then select the Certificates tab. You can now look at all the certificates available by selecting the Certificate Authorities sub tab. Following is screen shot for this :

    Following screen shot relates to the information on the imported DAS certificate nicknamed s1as:

  • Configuration changes to WebServer 7.0

  1. Append the following directives to obj.conf file :

    <Object ppath="\*lbconfigupdate\*">
    PathCheck fn="get-client-cert" dorequest="1" require="1"

    <Object ppath="\*lbgetmonitordata\*">
    PathCheck fn="get-client-cert" dorequest="1" require="1"

  • Deploy the configuration

  1. While doing the changes enlisted above, the admin console would mark this configuration to be deployed. Select the icon for “Deployment Pending”.
    This can also be done by executing the deploy-config WebServer command from WebServer's wadm CLI utility.

    >WS_INSTALL_ROOT>/bin/wadm deploy-config –user=<admin> <DEFAULT_CONFIG_NAME>
    where, <admin> is the admin user name.

  • Test the SSL connection

  1. Test this setup from GlassFish Domain Administration Server (DAS), to communicate over SSL with this configured GlassFish HTTP Load Balancer.
    Following is the screen shot for this “Test Connection” :


Hi, I've tested this configuration process, but I can't create the Http Listener with SSL enabled, just when I try to do so, the configuration dialog asks me to paste a DER or locate a file in the filesystem, but when I try to select the rfc file created here it refuses to continue. Is there another certificate installed?, where is the default certificate?

Posted by Alejandro Tellez on May 21, 2007 at 02:18 AM IST #

Tried this to the letter with SJWS 7.1 and GlassFish final release to the letter 3 times still test connection fails.

Posted by dave on September 27, 2007 at 02:24 AM IST #

I tried following this blog, but ran into an error starting the SJSWS 7 instance. I've started a thread at If you can, please take a look at it and let me know if you have any advice. Thanks.

Posted by Ryan on November 07, 2007 at 05:20 AM IST #

Well for those who have lost the faith... IT WORKED!!! FINALLY! after a $#%#""&&)(/ month of investigation ;)

For the record: in the device host field: is your LB server name and on the device admin port field: your instance port! (why don't ask me that's the way it worked with me :))

Posted by Lazha on October 29, 2009 at 03:57 PM IST #

If I understand your comment about looking at the size of the free list (Qcache_free_memory), I assume you mean to check it in combination with Qcache_lowmem_prunes, which makes sense. If you see prunes but have a lot of free space in the cache, the cache is probably fragmented.

Posted by aion kinah on March 05, 2010 at 06:44 AM IST #

For any size you can improve this with FLUSH QUERY CACHE, since that defragments the free list. Sometimes it might be worth doing that regularly with a larger size. FLUSH QUERY CACHE is a good way to quickly confirm that a too-large free list is an issue. You can expect to see a quick decrease in CPU usage if it is.

Posted by secureid3 on March 05, 2010 at 06:45 AM IST #

Post a Comment:
  • HTML Syntax: NOT allowed



Top Tags
« July 2016