mavenglassfishcertificatejboss-arquillian

Arquillian Embedded Glassfish Certificate Expired


On Aug 14th, the gtecybertrust5ca certifcate used by Glassfish expired causing my Arquillian tests to print errors.

This problem is similar to this one: Certificate has expired” in log by starting Glassfish 3.1.2 except, I am using the Embedded version of Glassfish via Maven, Arquillian and SureFire to run unit and integration tests.

I have tried instructing Maven to use a local keystore, the one that comes with the JRE, in an effort to keep the expired cert from being used. I verified the expired certificate is not contained within this keystore:

C:\Java\jdk1.7.0_25\jre\lib\security>keytool -list -keystore cacerts

I instruct SureFire via Maven to start the JVM with arguments to use the cacerts trusted keystore:

         <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-surefire-plugin</artifactId>
          <version>2.16</version>
          <configuration>                
              <argLine>
                -Djavax.net.ssl.trustStore=C:\Java\jdk1.7.0_25\jre\lib\security\cacerts
                -Djavax.net.ssl.trustStorePassword=changeit
              </argLine>
              ....
          </configuration>
      </plugin>

      <!-- Configure the Embedded GlassFish Maven plugin -->
      <plugin>
          <groupId>org.glassfish.embedded</groupId>
          <artifactId>maven-embedded-glassfish-plugin</artifactId>
          <version>4.0</version>
          <configuration>
              <app>${project.build.directory}/${project.build.finalName}.war</app>
              <port>7070</port>
              <containerType>web</containerType>
          </configuration>
      </plugin>

I also added JVM arguments where Maven is start within Maven's mvn.bat file:

@REM Use specified java cert trust
set MAVEN_OPTS=%MAVEN_OPTS% 
 -Djavax.net.ssl.trustStore=%JAVA_HOME%\jre\lib\security\cacerts 
 -Djavax.net.ssl.trustStorePassword=changeit

%MAVEN_JAVA_EXE% %MAVEN_OPTS% ...

Here's the Surefire invocation of the JVM used to run the unit tests:

Forking command line: cmd.exe /X /C "C:\Java\jdk1.7.0_25\jre\bin\java 
-Djavax.net.ssl.trustStore=C:\Java\jdk1.7.0_25\jre\lib\security\cacerts 
-Djavax.net.ssl.trustStorePassword=changeit ..."
Running com.networkfleet.ssp.activation.SelectedActivationTableBeanTest

The command line args do seem to match the expected system properties Glassfish expects per its com.sun.enterprise.security.ssl.impl.SecuritySupportImpl and com.sun.enterprise.server.pluggable.SecuritySupport classes:

@Contract
public abstract class SecuritySupport {

public static final String KEYSTORE_PASS_PROP = "javax.net.ssl.keyStorePassword";
public static final String TRUSTSTORE_PASS_PROP = "javax.net.ssl.trustStorePassword";
public static final String KEYSTORE_TYPE_PROP = "javax.net.ssl.keyStoreType";
public static final String TRUSTSTORE_TYPE_PROP = "javax.net.ssl.trustStoreType";
public static final String keyStoreProp = "javax.net.ssl.keyStore";
public static final String trustStoreProp = "javax.net.ssl.trustStore";

However, they do not appear to be picked up by Glassfish, because the expired cert is still being found in whatever trusted keystore it defaults to.

I would really appreciate some help. Thanks.


Solution

  • I finally got to the bottom of the issue by tracing the Glassfish code that loads the certs. The embedded, at least, version ignores any passed in parameters and looks to its classpath to find the trusted key store to load. It then writes it to a temp location and instructs the server to load and use it.

    To get rid of the error messages, grab the cacerts.jks file from its temp location (after running Maven and seeing the expired exception) I found it at: C:\Users\{myUserName}\AppData\Local\Temp\gfembed872323756359721458tmp\config\cacerts.jks.

    Copy this file to your project under resources/config/cacerts.jks (it will need to be loaded into your test classpath).

    From the command prompt in the directory where you copied the keystore, use your JDK keytool to remove the expired key as follows:

    keytool -delete -keystore cacerts.jks -alias gtecybertrust5ca

    The Embedded Glassfish should now pick up your updated keystore instead of its default hardcoded version.