Grizzly AppDynamics SSL issue

I’ve been trying to get an SSL certification on our AppDynamics server, to no avail. On startup I just get the following, repeated; see the code block below.

When I go back to the original self-signed keystore.jks file in AppDynamics\Controller\appserver\glassfish\domains\domain1\config, AppDynamics starts up fine.

I’ve tried every way of getting the SSL certificate into the keystore. It imports without error, but then displays this on boot up in the server.log: ‘ProtocolChain exception’.

I’ve tried extracting the private key and rebuilding the p12 file with that and the certificate, using openssl as the AppDynamics manual says:

openssl pkcs12 -inkey key.pem -in appdynamics_mmu_ac_uk.crt -export -out keystore.p12

[#|2016-01-28T22:14:08.356+0000|SEVERE|glassfish3.1.2|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=51;_ThreadName=Thread-5;|ProtocolChain exception
 java.lang.NullPointerException
 at com.sun.grizzly.filter.SSLReadFilter.newSSLEngine(SSLReadFilter.java:352)
 at com.sun.grizzly.filter.SSLReadFilter.obtainSSLEngine(SSLReadFilter.java:399)
 at com.sun.grizzly.filter.SSLReadFilter.execute(SSLReadFilter.java:159)
 at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
 at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
 at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
 at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
 at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
 at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
 at com.sun.grizzly.ContextTask.run(ContextTask.java:121)
 at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:554)
 at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:533)
 at java.lang.Thread.run(Unknown Source)
 |#]

Solution

Hidden in the manual, right at the very bottom, after the section which you are reading, is a reminder to make sure that your ‘s1as’ certificate has the same password as the keystore.

https://docs.appdynamics.com/display/PRO42/Controller+SSL+and+Certificates

Changing the master password with asadmin changes the password for the keystore and for the s1as key. It does not change the password of any additional keys you have added to the keystore. However if you have added keys to the keystore, you need to change their password to match the new master password. Use the keytool to change their passwords as follows:

keytool -keypasswd -alias s1as -keystore keystore.jks -storepass <new master password>
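
To confirm the mismatch before restarting the Controller, the following added example (not from the AppDynamics manual or this post's original text) tries to unlock every private-key entry in a JKS file with the keystore password and reports the aliases that fail. The class name KeyPasswordCheck is hypothetical, and the check assumes, as the manual's note implies, that the server unlocks each key with the keystore (master) password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import java.util.Collections;

// Added example (hypothetical class name), Java 11+.
// Run from a terminal: java KeyPasswordCheck.java keystore.jks
public class KeyPasswordCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage (interactive): java KeyPasswordCheck.java <keystore.jks>");
            System.exit(2);
        }
        // Prompt instead of taking the password as an argument, so it stays
        // out of shell history and the process list.
        char[] storePass = System.console().readPassword("Keystore password: ");
        if (storePass == null) {
            System.exit(2);
        }

        // load() checks the store password; a wrong one throws IOException here.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }

        int mismatches = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries have no key password
            }
            try {
                // Unlock the private key with the STORE password. If the key
                // was imported under a different password, this throws.
                ks.getKey(alias, storePass);
                System.out.println("OK        " + alias);
            } catch (UnrecoverableKeyException e) {
                mismatches++;
                System.out.println("MISMATCH  " + alias
                        + "  (key password differs; fix with keytool -keypasswd)");
            }
        }
        Arrays.fill(storePass, '\0'); // wipe the password from memory
        System.exit(mismatches == 0 ? 0 : 1);
    }
}
```

A MISMATCH line for s1as is the condition the fix above corrects; the exit code is 1 when any key entry fails, so the check can gate a deployment script.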
