Some problems with migration to payara-6

Hello

I ran into some problems when I tried to migrate my configuration scripts from payara-server-5.2022.5-jdk17 to payara-server-6.2022.2-jdk17.

The SSL configuration failed. I tried several things to resolve it, but nothing works. Here is the last code I tried:

#!/bin/bash

mkdir -p ${SSL_CERT_DIR}
chown -R payara:payara ${PAYARA_HOME_DIR}

# create self-signed certificate
openssl req -x509 -sha256 -nodes -days ${SSL_CERT_VALIDITY} -newkey rsa:${SSL_DEFAUT_BITS} -keyout ${SSL_CERT_DIR}/${SSL_CERT}.key -out ${SSL_CERT_DIR}/${SSL_CERT}.crt -subj "${SSL_SUBJECT}" -addext "subjectAltName=${SSL_SUBJECT_ALT_NAME}"
# create pkcs12 certificate bundle
openssl pkcs12 -export -in ${SSL_CERT_DIR}/${SSL_CERT}.crt -inkey ${SSL_CERT_DIR}/${SSL_CERT}.key -out /tmp/pkcs.p12 -name ${SSL_CERT} -passin pass:`cat /tmp/keypass-p12` -passout pass:`cat /tmp/keypass-p12`
# add new certificates
keytool -importkeystore -noprompt -srckeystore /tmp/pkcs.p12 -srcstorepass `cat /tmp/keypass-p12` -srcstoretype PKCS12 -destkeystore ${PAYARA_HOME_DIR}/appserver/glassfish/domains/${PAYARA_DOMAIN_NAME}/config/cacerts.jks  -deststorepass `cat /tmp/keypass-p12` -alias ${SSL_CERT} -trustcacerts
keytool -importkeystore -noprompt -srckeystore /tmp/pkcs.p12 -srcstorepass `cat /tmp/keypass-p12` -srcstoretype PKCS12 -destkeystore ${PAYARA_HOME_DIR}/appserver/glassfish/domains/${PAYARA_DOMAIN_NAME}/config/keystore.jks -deststorepass `cat /tmp/keypass-p12` -alias ${SSL_CERT}

# secure payara with new certificate
cat /tmp/paypass-admin > ${PAYARA_PASS_FILE}
${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=/tmp/paypass-changeadminpassword change-admin-password --domain_name=${PAYARA_DOMAIN_NAME} \
&& ${PAYARA_DIR}/bin/asadmin --user ${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 start-domain ${PAYARA_DOMAIN_NAME} \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=${SSL_CERT} \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-enabled=false \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls11-enabled=false \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls12-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls13-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-preload=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-subdomains=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.security-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.enabled=false \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-2.enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 enable-secure-admin --adminalias=${SSL_CERT} \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 stop-domain ${PAYARA_DOMAIN_NAME}

Here is the error generated:

 > [ 8/15] RUN /bin/bash /opt/payara/scripts/payara-configure-ssh.sh:
14.85 Generating a RSA private key
14.86 ......++++
14.96 .............++++
15.03 writing new private key to '/opt/payara/appserver/glassfish/domains/production/config/ssl/sicpa-interop_cati_inrae_fr/sicpa-interop_cati_inrae_fr.key'
15.03 -----
15.17 Importing keystore /tmp/pkcs.p12 to /opt/payara/appserver/glassfish/domains/production/config/cacerts.jks...
15.36 
15.36 Warning:
15.36 The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/payara/appserver/glassfish/domains/production/config/cacerts.jks -destkeystore /opt/payara/appserver/glassfish/domains/production/config/cacerts.jks -deststoretype pkcs12".
15.51 Importing keystore /tmp/pkcs.p12 to /opt/payara/appserver/glassfish/domains/production/config/keystore.jks...
16.37 Command change-admin-password executed successfully.
17.04 Waiting for production to start .......
23.48 Successfully started the domain : production
23.48 domain  Location: /opt/payara/appserver/glassfish/domains/production
23.48 Log File: /opt/payara/appserver/glassfish/domains/production/logs/server.log
23.48 Admin Port: 4848
23.48 Command start-domain executed successfully.
25.99 configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=sicpa-interop_cati_inrae_fr
25.99 Command set executed successfully.
26.61 Command set failed.
26.61 remote failure: No configuration found for configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl

Does anyone have an idea what the problem is?

Have a nice day
TH

I’ve changed my approach to the subject.

I start with the latest version, 6.2025.5.
I delete my SSL certificate (delete-ssl) and try to recreate an SSL certificate (create-ssl).

This is the page describing “create-ssl”: create-ssl :: Payara Community Documentation

The command should look like this:

asadmin [asadmin-options] create-ssl [--help]
[--target target]
--type listener_or_service_type
--certname cert_name
[--ssl2enabled={false|true}] [--ssl2ciphers ss12ciphers]
[--ssl3enabled={true|false}] [--tlsenabled={true|false}]
[--ssl3tlsciphers ssl3tlsciphers]
[--tlsrollbackenabled={true|false}]
[--clientauthenabled={false|true}]
[listener_id]

When I run the command 'asadmin create-ssl --help':

$ docker exec -it sicpa-interop-production asadmin create-ssl --help
Enter admin user name> 
Enter admin password> 
NAME
 create-ssl

SYNOPSIS
 Usage: create-ssl --certname=certname --type=type [--ssl3tls
 ciphers=ssl3tlsciphers] [--tlsrollbackenabled=true] [--clien
 tauthenabled=false] [--target=server] [listener_id]

OPTIONS
     --certname
     --type
     --ssl3tlsciphers
     --tlsrollbackenabled
     --clientauthenabled
     --target
OPERANDS
 listener_id
Command create-ssl executed successfully.

I really have a problem moving forward if:

  • on the one hand, I can’t configure my SSL with commands like “set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.*”
  • on the other hand, I can’t do a “create-ssl” with the right options (without SSL, without TLS 1.1, with TLS 1.2 and 1.3, with HSTS).

Please, can someone help me?

Between Payara 5 and 6, the SSL configuration changed location. This is not described in the documentation, or it is described in an off-the-radar location.

Here’s how I’ve just corrected my problem:

   ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=/tmp/paypass-changeadminpassword change-admin-password --domain_name=${PAYARA_DOMAIN_NAME} \
&& ${PAYARA_DIR}/bin/asadmin --user ${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 start-domain ${PAYARA_DOMAIN_NAME} \
&& { ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 delete-ssl --type http-listener http-listener-2 || true; } \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 create-ssl --type http-listener --certname="${SSL_CERT}" http-listener-2 \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls12-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls13-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-preload=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.hsts-subdomains=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.protocols.protocol.http-listener-2.security-enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-1.enabled=false \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 set configs.config.server-config.network-config.network-listeners.network-listener.http-listener-2.enabled=true \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 enable-secure-admin --adminalias=${SSL_CERT} \
&& ${PAYARA_DIR}/bin/asadmin --user=${PAYARA_ADMIN_USER} --passwordfile=${PAYARA_PASS_FILE} --port=4848 stop-domain ${PAYARA_DOMAIN_NAME}
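
A check that can follow the configuration step above, as an added example that is not part of the original posts: it audits the `http-listener-2.ssl` attributes named in the thread against the goal stated there (no SSLv3, no TLS 1.1, TLS 1.2 and 1.3, HSTS). The function names, the baseline list and the sample dump are assumptions made for this example; the dump is constructed, not captured from a server.

```shell
#!/bin/sh
# Added example (not from the thread): audit one listener's ssl attributes.
# PREFIX is the dotted path used by the scripts above.
PREFIX="configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl"

# Baseline = the goal stated in the thread: no SSLv3, no TLS 1.1,
# TLS 1.2 and 1.3 on, HSTS on with preload and subdomains.
BASELINE="ssl3-enabled=false tls11-enabled=false tls12-enabled=true
tls13-enabled=true hsts-enabled=true hsts-preload=true hsts-subdomains=true"

# audit_ssl: reads `asadmin get "$PREFIX.*"` output on stdin.
# Prints one line per deviation; returns 1 if any was found, else 0.
# Assumption: an attribute absent from the output is reported as MISSING,
# which is also the result when the ssl element does not exist at all.
audit_ssl() {
  dump=$(cat)
  rc=0
  for want in $BASELINE; do
    key=${want%%=*}
    expected=${want#*=}
    actual=$(printf '%s\n' "$dump" | awk -F= -v k="$PREFIX.$key" \
      '$1 == k { print $2; found = 1; exit } END { if (!found) print "MISSING" }')
    if [ "$actual" = "MISSING" ]; then
      echo "MISSING $key (want $expected)"; rc=1
    elif [ "$actual" != "$expected" ]; then
      echo "MISMATCH $key: got $actual, want $expected"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample of `asadmin get` output, not captured from a real server.
sample_dump() {
  cat <<EOF
$PREFIX.cert-nickname=example-cert
$PREFIX.ssl3-enabled=false
$PREFIX.tls11-enabled=true
$PREFIX.tls12-enabled=true
$PREFIX.tls13-enabled=true
$PREFIX.hsts-enabled=true
$PREFIX.hsts-preload=true
$PREFIX.hsts-subdomains=true
Command get executed successfully.
EOF
}

sample_dump | audit_ssl || echo "listener deviates from baseline"
```

Against a running domain, pipe the output of `asadmin get "$PREFIX.*"` into `audit_ssl` in place of `sample_dump`, and let a non-zero return fail the image build.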