Glassfish
EJBCA 6.x has not yet been officially deployed on Glassfish. The following notes can be used as hints for anyone interested in working on Glassfish support.
EJBCA 4.x has been tested with Glassfish v2.1.1.
Make sure to install the Unlimited Strength Jurisdiction Policy Files for Java. For the download, refer to the Oracle website.
Using Derby Database (Glassfish built-in)
To use the Derby database, follow the steps below:
Start JavaDB and create the database instance:
cd $APPSRV_HOME
bin/asadmin start-database
export DERBY_HOME=$APPSRV_HOME/javadb
javadb/bin/ij
ij> connect 'jdbc:derby://localhost:1527/ejbca;create=true';
ij> quit;
Start the application server:
bin/asadmin start-domain
The default user/password for the web console is admin/adminadmin. Access the Glassfish admin console at: http://127.0.0.1:4848/.
Create a connection pool for your database by selecting Resources > JDBC > Connection Pools in the Admin console.
When adding a Derby Pool, use the values: Name=EjbcaPool, Type=javax.sql.DataSource, Vendor=JavaDB.
Properties: user=APP, password=APP, DatabaseName=ejbca
Save and use the Ping button for the pool. If you get the error "Parameter wrong for this method : off", go to Additional Properties and delete the Ssl property. Alternatively, use the following CLI command:
bin/asadmin create-jdbc-connection-pool --datasourceclassname org.apache.derby.jdbc.ClientDataSource --property user=APP:password=APP:DatabaseName=ejbca:ServerName=localhost:port=1527 EjbcaPool
Create a datasource called jdbc/EjbcaDS under Resources > JDBC > JDBC Resources in the Admin console. Use the connection pool you just created.
Alternatively, use the following CLI command:
bin/asadmin create-jdbc-resource --connectionpoolid EjbcaPool jdbc/EjbcaDS
If security is enabled, add --user admin --passwordfile pwd.txt as command line parameters, where pwd.txt contains AS_ADMIN_PASSWORD=adminadmin.
Using MySQL Database
To use the MySQL database, follow the steps below:
Start the database and create the MySQL database "ejbca".
Grant privileges on it to the "ejbca" user with password "ejbca_pwd" (do not use this password in production!).
Copy the MySQL JDBC JAR to APPSRV_HOME/lib/.
Start the application server:
asadmin start-domain
Add the Connection Pool and DataSource from the Glassfish Admin Console (see "Derby"), or use command line:
asadmin create-jdbc-connection-pool --datasourceclassname com.mysql.jdbc.jdbc2.optional.MysqlDataSource --property user=ejbca:password=ejbca_pwd:DatabaseName=ejbca:ServerName=localhost:port=3306 EjbcaPool
asadmin create-jdbc-resource --connectionpoolid EjbcaPool jdbc/EjbcaDS
Configure EJBCA
Edit conf/ejbca.properties and at least set appserver.home.
Edit conf/log4j-glassfish.xml to configure EJBCA logging.
Edit conf/database.properties and at least set the database settings for your chosen database. Derby and MySQL have been tested with Glassfish.
Edit conf/web.properties and set the desired values and the http/s ports (default 8080 and 8181) for your installation.
Deploy and Setup
If your appserver does not require a password for deployment (asadmin deploy), you can build and deploy EJBCA with:
ant clean
ant bootstrap
or otherwise with an additional step:
ant clean
ant
asadmin deploy --precompilejsp $EJBCA_HOME/dist/ejbca.ear
Verify the deployment in APPSRV_HOME/domains/domain1/logs/server.log.
To install EJBCA, run:
ant install
Configure SSL in Glassfish under Configuration > HTTP Service > HTTP Listeners > http-listener-2, SSL tab:
Client Authentication: Enabled
Certificate Nickname: s1as (find the alias name by running 'keytool -list -v -keystore $APPSRV_HOME/domains/domain1/config/keystore.jks'; the password is changeit)
SSL3: Enabled
Ciphers Suite: All
Add CA certificate to the cacerts file:
cd $EJBCA_HOME
keytool -exportcert -keystore p12/truststore.jks -file p12/managementca.der -storepass changeit -alias managementca
Install the CA certificate in the application server's truststore. On Glassfish open source:
keytool -delete -keystore $APPSRV_HOME/domains/domain1/config/cacerts.jks -alias managementca -storepass changeit
(this fails if the certificate has not been imported before)
keytool -importcert -keystore $APPSRV_HOME/domains/domain1/config/cacerts.jks -file p12/managementca.der -alias managementca -storepass changeit
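As an added example (not from the EJBCA documentation), the following POSIX shell function performs the same truststore install idempotently: the alias is deleted only when it already exists, so the sequence can be re-run without the first-run failure of keytool -delete, and the import is verified afterwards. The function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the EJBCA documentation.
# Idempotently install a CA certificate into a Glassfish JKS truststore.
#
# Usage: import_ca_cert <truststore> <storepass> <alias> <cert.der>
# Returns 0 when the alias is present in the store afterwards, non-zero otherwise.
import_ca_cert() {
    store=$1
    storepass=$2
    ks_alias=$3
    cert=$4

    # "keytool -list -alias" exits non-zero when the alias (or the store file) is missing,
    # so the delete only runs when there is an old entry to replace.
    if keytool -list -keystore "$store" -storepass "$storepass" -alias "$ks_alias" >/dev/null 2>&1; then
        keytool -delete -keystore "$store" -storepass "$storepass" -alias "$ks_alias" >/dev/null 2>&1 || return 1
    fi

    # -noprompt suppresses the interactive "Trust this certificate?" question;
    # keytool creates the store file if it does not exist yet.
    keytool -importcert -noprompt -keystore "$store" -storepass "$storepass" \
        -alias "$ks_alias" -file "$cert" >/dev/null 2>&1 || return 1

    # Confirm the trusted entry is really there.
    keytool -list -keystore "$store" -storepass "$storepass" -alias "$ks_alias" >/dev/null 2>&1
}

# Number of trusted certificate entries in a store (prints 0 for a missing store).
trusted_entry_count() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c trustedCertEntry || true
}

# Example call with the paths from the instructions above (assumed environment):
# import_ca_cert "$APPSRV_HOME/domains/domain1/config/cacerts.jks" changeit managementca p12/managementca.der
```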
On Glassfish Enterprise:
cd $APPSRV_HOME/domains/domain1/config
/usr/sfw/bin/certutil -A -n managementca -t "p,p,p" -i p12/managementca.der -d .
Verify that managementca has been added to the store with:
/usr/sfw/bin/certutil -L -d .
(Optional) Replace the SSL keystore and truststore, which use default passwords.
To change the keystore passwords in a production environment, edit both the http-listener and the IIOP-listeners:
cd $EJBCA_HOME
cp p12/tomcat.jks p12/keystore.jks
keytool -list -keystore p12/keystore.jks -storepass serverpwd
Read the alias of the "PrivateKeyEntry", e.g. 'localhost'.
keytool -keypasswd -keystore p12/keystore.jks -alias localhost -storepass serverpwd -keypass serverpwd -new changeit
keytool -storepasswd -keystore p12/keystore.jks -storepass serverpwd -new changeit
keytool -changealias -keystore p12/keystore.jks -alias localhost -destalias s1as -keypass changeit -storepass changeit
cp p12/keystore.jks $APPSRV_HOME/domains/domain1/config/keystore.jks
Restart the server:
asadmin stop-domain
asadmin start-domain
Access protected EJBCA pages:
Import $EJBCA_HOME/p12/superadmin.p12 in your browser, go to https://127.0.0.1:8181/ejbca/ and click Administration to get to the Admin GUI.
(Optional) To change how often an EJBCA Service can run, select Configuration > EJB Container > EJB Timer Service > Minimum Delivery Interval: 1000 and restart the application server. This can also be changed using the minimum-delivery-interval-in-millis attribute in the domain.xml file when the appserver is not running.
(Optional) Apply a workaround to enable redeployment without restarting the application server. For more information, refer to ECA-1887.
Glassfish Ubuntu Package
The above instructions are tested on the official release from Glassfish's homepage.
If you use the Glassfish package on Ubuntu, the following may need to be modified to make it work with the Ubuntu 9.04 Glassfish package.
Modify /usr/bin/asadmin:
#GF_DOMAIN_DIR=$HOME/glassfishv2
GF_DOMAIN_DIR=/var/lib/glassfishv2/domains
Set APPSRV_HOME to /usr/share/glassfishv2.
The Ubuntu package keeps the domains and the binaries in separate directories. When following the install instructions, point to /var/lib/glassfishv2/[directory] instead of $APPSRV_HOME/[directory].