Monday, January 30, 2012

Asadmin with Remote GlassFish

Now that I've been working more with Amazon EC2, I'm starting to appreciate how useful the GlassFish asadmin tool is with a remote system. Here are some steps to get GlassFish set up for secure, remote access. Note that I'm not covering any of the setup on the local machine besides unzipping the bundle -- there are other blogs and documentation out there about securing your installation at the OS level. The following applies to GlassFish 3.1.1:

Step 0: Setup

After starting up a remote machine, copy the GlassFish zip file there and unzip it. At this point, I only have the standard ssh and http ports open in my firewall ("security group" on Amazon EC2). If you start with port 4848 open, then someone could access the server through the admin console in a browser before you've had a chance to change the password or admin username.

Step 1: Secure admin

With GlassFish installed, start the server, then change the admin user's password and enable secure administration. Without secure administration on, remote systems cannot talk to the server at all. Here are the commands to run locally from your ssh session:
  • asadmin start-domain
  • asadmin change-admin-password
After changing the admin password, you may want to run asadmin login as well to avoid having to specify the password again and again. This will only affect local access to the server (e.g. your environment while ssh'ed into the remote machine). Next:
  • asadmin enable-secure-admin
  • asadmin restart-domain
For more information on secure admin, see Tim Quinn's blog on the subject.

Step 2: Enable access

You can now open port 4848 in the security group/firewall so that your local asadmin client can talk to the remote server. If you want to remove the 'admin' user and create an administrative user with a different name, you can now reach the admin console at port 4848 in a browser:
  1. Log in as 'admin' user.
  2. In the left-hand panel, open Configurations, server-config, Security, Realms, admin-realm.
  3. Click Manage Users on the right and create the new user in the asadmin group.
  4. Log out as 'admin' then log in as your new user to delete the 'admin' user.
If you change the admin user, use the new user name in place of 'admin' below.

Step 3: Set up local access

With secure administration turned on, you can now access the remote machine like this (note that the port argument is only needed if you have changed the admin port):

BobbyMac}> asadmin --host <hostname> --user admin --port 4848 --secure list-applications
Enter admin password for user "admin">
Nothing to list.
Command list-applications executed successfully.
Of course, you may not want to specify the command line options over and over and supply the password manually each time. You can specify these environment variables instead:

  • AS_ADMIN_SECURE (set to "true" without the quotes)
The last one should be set to the path of a file with these contents:
AS_ADMIN_PASSWORD=<your password>
Now you can access your remote server with simple asadmin commands with no other parameters:

BobbyMac}> asadmin list-applications
Nothing to list.

Command list-applications executed successfully.
Note: if you want to see all the parameters that are being used in the asadmin command, you can use the --echo option to have them printed:

BobbyMac}> asadmin --echo list-applications
asadmin --host <host> --port 4848 --user admin --passwordfile <path> --secure --interactive=true --echo=true --terse=false list-applications --long=false --terse=false --subcomponents=false --resources=falseNothing to list.Command list-applications executed successfully.
There are more options you can use with asadmin, but these are the basics to make remote administration easy. For all of the available options, run 'asadmin --help' on your local system. (If you're on a Mac, run 'asadmin --help | open -f" to bring up the help in a text editor for easy searching. See one of my earlier blogs for more information.)

Happy administering....

Tuesday, January 24, 2012

Hello World

Having left Oracle, my previous blog has reached its end. As far as I know it will still exist, and I still use my old GlassFish and Vaadin posts as references.

Looking forward, I'm now with EnterpriseDB and am working on a cloud database based on Postgres that ought to be live "real soon."