Right way to configure Glassfish SSL certificate nickname?

Submitted by 冷眼眸甩不掉的悲伤 on 2019-11-26 23:32:44

Question


Glassfish lets you set the SSL certificate nickname through its admin console, as highlighted in the picture below:

But almost every tutorial on the web mentions that it is necessary to replace all occurrences of the default SSL nickname (s1as) with the one that will be used (i.e. mydomain.com) in the domain.xml file.

So what is the proper way of setting certificate nickname?


Answer 1:


It is very likely that the admin console is just updating the domain.xml file anyway. In either case, it is good practice to avoid modifying the domain.xml file wherever possible. There is no official advice in the Security Guide for GF4 and the only mention of the certificate nickname is:

If you enable secure admin on an SSL-enabled GlassFish Server installation, secure admin uses the existing value as the DAS admin alias for secure admin.

https://glassfish.java.net/docs/4.0/security-guide.pdf

Changing the nickname isn't actually necessary, from a functional perspective. When you import your key/cert to the keystores you can just use the same name to replace the existing cert, which is perfectly valid.


Edit: To change alias names with the asadmin command, you can use enable-secure-admin with either --instancealias myNewAlias or --adminalias myOtherNewAlias (or both).

The default for adminalias is s1as and the default for instancealias is glassfish-instance.




Answer 2:


http-listener-2 is the default HTTP listener (GlassFish or Payara) with SSL enabled on port 8181; if you have created another one, change it in the command below.

asadmin set "configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=yourNickName"
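
A check that applies to both answers, added here as an example and not part of either answer or of GlassFish itself: however cert-nickname is set, it has to name a keystore alias that holds a private key. The domain.xml fragment and the keytool listing are constructed samples, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed domain.xml (wrapper elements omitted).
SAMPLE_DOMAIN_XML = """<domain>
  <config name="server-config">
    <iiop-listener id="SSL" security-enabled="true">
      <ssl cert-nickname="s1as"/>
    </iiop-listener>
    <protocol name="http-listener-2" security-enabled="true">
      <ssl cert-nickname="mydomain.com"/>
    </protocol>
  </config>
</domain>"""

# Constructed sample of `keytool -list -keystore keystore.jks` output.
SAMPLE_KEYTOOL_LIST = """Your keystore contains 3 entries

s1as, Mar 25, 2015, PrivateKeyEntry,
glassfish-instance, Mar 25, 2015, PrivateKeyEntry,
mydomain.com, Mar 26, 2015, trustedCertEntry,
"""

def configured_nicknames(domain_xml):
    """Map each element owning an <ssl cert-nickname=...> child to that nickname."""
    found = {}
    for parent in ET.fromstring(domain_xml).iter():
        for ssl in parent.findall("ssl"):
            nick = ssl.get("cert-nickname")
            if nick:
                owner = parent.get("name") or parent.get("id") or parent.tag
                found[owner] = nick
    return found

def private_key_aliases(keytool_output):
    """Aliases with a PrivateKeyEntry; a trustedCertEntry cannot serve TLS."""
    return set(re.findall(r"^(.+?), .*PrivateKeyEntry", keytool_output, re.M))

def unusable_nicknames(domain_xml, keytool_output):
    """Return {owner: nickname} for nicknames lacking a private-key entry."""
    usable = private_key_aliases(keytool_output)
    return {o: n for o, n in configured_nicknames(domain_xml).items()
            if n not in usable}

if __name__ == "__main__":
    for owner, nick in unusable_nicknames(SAMPLE_DOMAIN_XML, SAMPLE_KEYTOOL_LIST).items():
        print(f"{owner}: cert-nickname {nick!r} has no PrivateKeyEntry in the keystore")
```

In the sample, mydomain.com was imported as a certificate only, so http-listener-2 is flagged even though the alias appears in the keystore listing.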


Source: https://stackoverflow.com/questions/29278152/right-way-to-configure-glassfish-ssl-certificate-nickname
