Some problems with migration to payara-6

Hello

I had some problems when I tried to migrate my configuration scripts from payara-server-5.2022.5-jdk17 to payara-server-6.2022.2-jdk17.

The SSL configuration failed. I tried several actions to resolve it, but nothing works. Here is the last code I tried:

#!/bin/bash

mkdir -p ${SSL_CERT_DIR}
chown -R payara:payara ${PAYARA_HOME_DIR}

# create self-signed certificate
openssl req -x509 -sha256 -nodes -days ${SSL_CERT_VALIDITY} -newkey rsa:${SSL_DEFAUT_BITS} -keyout ${SSL_CERT_DIR}/${SSL_CERT}.key -out ${SSL_CERT_DIR}/${SSL_CERT}.crt -subj "${SSL_SUBJECT}" -addext "subjectAltName=${SSL_SUBJECT_ALT_NAME}"
# create pkcs12 certificate bundle
openssl pkcs12 -export -in ${SSL_CERT_DIR}/${SSL_CERT}.crt -inkey ${SSL_CERT_DIR}/${SSL_CERT}.key -out /tmp/pkcs.p12 -name ${SSL_CERT} -passin pass:`cat /tmp/keypass-p12` -passout pass:`cat /tmp/keypass-p12`
# add new certificates
keytool -importkeystore -noprompt -srckeystore /tmp/pkcs.p12 -srcstorepass `cat /tmp/keypass-p12` -srcstoretype PKCS12 -destkeystore ${PAYARA_HOME_DIR}/appserver/glassfish/domains/${PAYARA_DOMAIN_NAME}/config/cacerts.jks  -deststorepass `cat /tmp/keypass-p12` -alias ${SSL_CERT} -trustcacerts
keytool -importkeystore -noprompt -srckeystore /tmp/pkcs.p12 -srcstorepass `cat /tmp/keypass-p12` -srcstoretype PKCS12 -destkeystore ${PAYARA_HOME_DIR}/appserver/glassfish/domains/${PAYARA_DOMAIN_NAME}/config/keystore.jks -deststorepass `cat /tmp/keypass-p12` -alias ${SSL_CERT}

# secure payara with new certificate
cat /tmp/paypass-admin > ${PAYARA_PASS_FILE}
${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=/tmp/paypass-changeadminpassword change-admin-password --domain_name=${PAYARA_DOMAIN_NAME} \
&& ${PAYARA_DIR}/bin/asadmin --user ${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 start-domain ${PAYARA_DOMAIN_NAME} \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=${SSL_CERT} \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-enabled=false \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls11-enabled=false \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls12-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls13-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-preload=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-subdomains=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.security-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.enabled=false \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-2.enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 enable-secure-admin --adminalias=${SSL_CERT} \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 stop-domain ${PAYARA_DOMAIN_NAME}

Here is the error generated:

 > [ 8/15] RUN /bin/bash /opt/payara/scripts/payara-configure-ssh.sh:
14.85 Generating a RSA private key
14.86 ......++++
14.96 .............++++
15.03 writing new private key to '/opt/payara/appserver/glassfish/domains/production/config/ssl/sicpa-interop_cati_inrae_fr/sicpa-interop_cati_inrae_fr.key'
15.03 -----
15.17 Importing keystore /tmp/pkcs.p12 to /opt/payara/appserver/glassfish/domains/production/config/cacerts.jks...
15.36 
15.36 Warning:
15.36 The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/payara/appserver/glassfish/domains/production/config/cacerts.jks -destkeystore /opt/payara/appserver/glassfish/domains/production/config/cacerts.jks -deststoretype pkcs12".
15.51 Importing keystore /tmp/pkcs.p12 to /opt/payara/appserver/glassfish/domains/production/config/keystore.jks...
16.37 Command change-admin-password executed successfully.
17.04 Waiting for production to start .......
23.48 Successfully started the domain : production
23.48 domain  Location: /opt/payara/appserver/glassfish/domains/production
23.48 Log File: /opt/payara/appserver/glassfish/domains/production/logs/server.log
23.48 Admin Port: 4848
23.48 Command start-domain executed successfully.
25.99 configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=sicpa-interop_cati_inrae_fr
25.99 Command set executed successfully.
26.61 Command set failed.
26.61 remote failure: No configuration found for configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl

Does someone have an idea of the problem?

Have a nice day
TH

I’ve changed my approach to the subject.

I start with the latest version 6.2025.5.
I delete my SSL certificate (delete-ssl) and try to recreate an SSL certificate (create-ssl).

This is the page describing “create-ssl”: create-ssl :: Payara Community Documentation

The command should look like this:

asadmin [asadmin-options] create-ssl [--help]
[--target target]
--type listener_or_service_type
--certname cert_name
[--ssl2enabled={false|true}] [--ssl2ciphers ss12ciphers]
[--ssl3enabled={true|false}] [--tlsenabled={true|false}]
[--ssl3tlsciphers ssl3tlsciphers]
[--tlsrollbackenabled={true|false}]
[--clientauthenabled={false|true}]
[listener_id]

When I display the command 'asadmin create-ssl --help':

$ docker exec -it sicpa-interop-production asadmin create-ssl --help
Enter admin user name> 
Enter admin password> 
NAME
 create-ssl

SYNOPSIS
 Usage: create-ssl --certname=certname --type=type [--ssl3tls
 ciphers=ssl3tlsciphers] [--tlsrollbackenabled=true] [--clien
 tauthenabled=false] [--target=server] [listener_id]

OPTIONS
     --certname
     --type
     --ssl3tlsciphers
     --tlsrollbackenabled
     --clientauthenabled
     --target
OPERANDS
 listener_id
Command create-ssl executed successfully.

I really have a problem moving forward if:

  • on the one hand, I can’t configure my SSL with commands like “set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.*”
  • on the other hand, I can’t do a “create-ssl” with the right options (without ssl, without tls1.1, with tls1.2 and 1.3, with hsts).

Please, can someone help me?

Between Payara 5 and 6, the SSL configuration changed location. This is not described in the documentation, or is described in an off-the-radar location.

Here’s how I’ve just corrected my problem:

   ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=/tmp/paypass-changeadminpassword change-admin-password --domain_name=${PAYARA_DOMAIN_NAME} \
&& ${PAYARA_DIR}/bin/asadmin --user ${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 start-domain ${PAYARA_DOMAIN_NAME} \
&& { ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 delete-ssl --type http-listener http-listener-2 || true; } \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 create-ssl --type http-listener --certname="${SSL_CERT}" http-listener-2 \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls12-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls13-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-preload=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-subdomains=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.security-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.enabled=false \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-2.enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 enable-secure-admin --adminalias=${SSL_CERT} \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 stop-domain ${PAYARA_DOMAIN_NAME}

Hi @theirman,

Glad to know you tracked the issue and found a solution. As you can see in the error message, the first set command worked correctly, but the second failed because the TLS3 configuration option was removed in Payara 6.2022.1.alpha3. Also, some configurations have changed; you can find everything related to protocol configurations in the following Documentation Payara 6.2022.2

Best Regards,
Juan Carlos Sierra
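
A way to check the result against the goal stated earlier in the thread (without ssl, without tls1.1, with tls1.2 and 1.3, with hsts), as an added example that is not part of any post and is not Payara's own tooling. It assumes `asadmin get "<prefix>.*"` prints `dotted.name=value` lines; the names `audit_ssl` and `P` are hypothetical and the sample outputs are constructed.

```shell
#!/bin/bash
# Added example (not from the thread): audit `asadmin get` output against the
# poster's stated goal: no SSLv3, no TLS 1.1, TLS 1.2 and 1.3 on, HSTS on.
P="configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl"

# audit_ssl: reads the output of  asadmin get "${P}.*"  on stdin, prints one
# line per finding and returns 0 when compliant, 1 otherwise.
audit_ssl() {
  awk -F= -v prefix="${P}." '
    function want(k, v,   got) {          # attribute k must be explicitly v
      got = (k in val) ? val[k] : "<unset>"
      if (got != v) { printf "FAIL: %s=%s (want %s)\n", k, got, v; bad = 1 }
    }
    index($0, prefix) == 1 { val[substr($1, length(prefix) + 1)] = $2; seen = 1 }
    END {
      # No attribute lines at all: the listener has no ssl element yet, which
      # is the state behind "No configuration found for ...ssl" in the thread.
      if (!seen) { print "FAIL: no ssl element on http-listener-2"; exit 1 }
      want("tls12-enabled", "true"); want("tls13-enabled", "true")
      want("hsts-enabled", "true");  want("tls11-enabled", "false")
      # ssl3-enabled may be absent (the failing set in the thread targeted
      # it); only an explicit true is a finding.
      if (("ssl3-enabled" in val) && val["ssl3-enabled"] == "true") {
        print "FAIL: ssl3-enabled=true (want false or absent)"; bad = 1
      }
      if (!bad) print "OK: listener matches the TLS/HSTS policy"
      exit bad
    }'
}

# Constructed samples (not captured from a real server).
SAMPLE_TLS11_ON="${P}.cert-nickname=example_cert
${P}.tls11-enabled=true
${P}.tls12-enabled=true
${P}.tls13-enabled=true
${P}.hsts-enabled=true
Command get executed successfully."
SAMPLE_OK=$(printf '%s\n' "$SAMPLE_TLS11_ON" | sed 's/tls11-enabled=true/tls11-enabled=false/')
SAMPLE_NO_SSL="remote failure: No configuration found for ${P}"

for s in "$SAMPLE_TLS11_ON" "$SAMPLE_OK" "$SAMPLE_NO_SSL"; do
  printf '%s\n' "$s" | audit_ssl || true
done
```

Against a running domain, pipe the real `asadmin get` output into `audit_ssl` after the configuration chain and before `stop-domain`; a non-zero return can then fail the image build.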