I've faced issue while working with Amazon EC2, I'm starting to appreciate how useful theGlassFish asadmin tool is with a remote system. Here are some steps to get GlassFish set up for secure, remote access.
Step 1: Setup
After starting up a remote machine, copy the GlassFish zip file there and unzip it. At this point, I only have the standard ssh and http ports open in my firewall ("security group" on Amazon EC2). If you start with port 4848 open, then someone could access the server through the admin console in a browser before you've had a chance to change the password or admin username.
Step 2: Secure admin
With GlassFish installed, start the server, then change the admin user's password and enable secure administration. Without secure administration on, remote systems cannot talk to the server at all. Here are the commands to run locally from your ssh session:
Step 1: Setup
After starting up a remote machine, copy the GlassFish zip file there and unzip it. At this point, I only have the standard ssh and http ports open in my firewall ("security group" on Amazon EC2). If you start with port 4848 open, then someone could access the server through the admin console in a browser before you've had a chance to change the password or admin username.
Step 2: Secure admin
With GlassFish installed, start the server, then change the admin user's password and enable secure administration. Without secure administration on, remote systems cannot talk to the server at all. Here are the commands to run locally from your ssh session:
· asadmin start-domain
· asadmin change-admin-password
After changing the admin password, you may want to run asadmin login as well to avoid having to specify the password again and again. This will only affect local access to the server (e.g. your environment while ssh'ed into the remote machine). Next:
· asadmin enable-secure-admin
· asadmin restart-domain
For more information on secure admin, see Tim Quinn's blog on the subject.
Step 3: Enable access
You can now open port 4848 in the security group/firewall so that your local asadmin client can talk to the remote server. If you want to remove the 'admin' user and create an administrative user with a different name, you can now reach the admin console at port 4848 in a browser:
Step 3: Enable access
You can now open port 4848 in the security group/firewall so that your local asadmin client can talk to the remote server. If you want to remove the 'admin' user and create an administrative user with a different name, you can now reach the admin console at port 4848 in a browser:
1. Log in as 'admin' user.
2. In the left-hand panel, open Configurations, server-config, Security, Realms, admin-realm.
3. Click Manage Users on the right and create the new user in the asadmin group.
4. Log out as 'admin' then log in as your new user to delete the 'admin' user.
If you change the admin user, use the new user name in place of 'admin' below.
Step 4: Set up local access
With secure administration turned on, you can now access the remote machine like this (note that the port argument is only needed if you have changed the admin port):
Step 4: Set up local access
With secure administration turned on, you can now access the remote machine like this (note that the port argument is only needed if you have changed the admin port):
ip-sec> asadmin --host <hostname> --user admin --port 4848 --secure list-applications
Enter admin password for user "admin">
Nothing to list.
Command list-applications executed successfully.
Enter admin password for user "admin">
Nothing to list.
Command list-applications executed successfully.
Of course, you may not want to specify the command line options over and over and supply the password manually each time. You can specify these environment variables instead:
· AS_ADMIN_HOST
· AS_ADMIN_PORT
· AS_ADMIN_SECURE (set to "true" without the quotes)
· AS_ADMIN_USER
· AS_ADMIN_PASSWORDFILE
The last one should be set to the path of a file with these contents:
AS_ADMIN_PASSWORD=<your password>
Now you can access your remote server with simple asadmin commands with no other parameters:
ip-sec}> asadmin list-applications
Nothing to list.
Command list-applications executed successfully.
Nothing to list.
Command list-applications executed successfully.
Note: if you want to see all the parameters that are being used in the asadmin command, you can use the --echo option to have them printed: