Category: AppDynamics

Grizzly AppDynamics SSL issue

I’ve been trying to get an SSL certification on our AppDynamics server, to no avail. on startup I just get the following, repeat, see code block below.

When I go back to the original self signed keystore.jks file in AppDynamics\Controller\appserver\glassfish\domains\domain1\config then AppDynamics starts up fine.

I’ve tried every way of getting the SSL certificate into the keystore, it imports without error, but then displays this on boot up in the server.log ‘ProtocolChain exception’.

I’ve tried extracting the private key and rebuilding the p12 file with that and the certificate, using openssl as the AppDynamics manual says:¬† openssl pkcs12 -inkey key.pem -in appdynamics_mmu_ac_uk.crt -export -out keystore.p12

[#|2016-01-28T22:14:08.356+0000|SEVERE|glassfish3.1.2|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=51;_ThreadName=Thread-5;|ProtocolChain exception
 at com.sun.grizzly.filter.SSLReadFilter.newSSLEngine(
 at com.sun.grizzly.filter.SSLReadFilter.obtainSSLEngine(
 at com.sun.grizzly.filter.SSLReadFilter.execute(
 at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(
 at com.sun.grizzly.DefaultProtocolChain.execute(
 at com.sun.grizzly.DefaultProtocolChain.execute(
 at com.sun.grizzly.http.HttpProtocolChain.execute(
 at com.sun.grizzly.ProtocolChainContextTask.doCall(
 at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(
 at com.sun.grizzly.util.AbstractThreadPool$
 at Source)


Hidden in the manual, right at the very bottom, after the section which you are reading, it reminds you to make sure that your ‘s1as‘ certificate has the same password as the keystore..

Changing the master password with asadmin changes the password for the keystore and for the s1as key. It does not change the password of any additional keys you have added to the keystore. However if you have added keys to the keystore, you need to change their password to match the new master password. Use the keytool to change their passwords as follows:

keytool -keypasswd -alias s1as -keystore keystore.jks

If you’ve changed the password to s1as and it still does play ball, try changing the passwords to glassfish-instance and reporting-instance

Changing the Keystore’s alias key passwords after changing the main Glassfish password with asadmin – So all are the same:

keytool -keypasswd -alias glassfish-instance -keystore keystore.jks
Enter keystore password:
Enter key password for <glassfish-instance>
New key password for <glassfish-instance>:
Re-enter new key password for <glassfish-instance>:

keytool -keypasswd -alias reporting-instance -keystore keystore.jks
Enter keystore password:
Enter key password for <reporting-instance>
New key password for <reporting-instance>:
Re-enter new key password for <reporting-instance>: