Monday, January 30, 2012

Asadmin with Remote GlassFish

Now that I've been working more with Amazon EC2, I'm starting to appreciate how useful the GlassFish asadmin tool is with a remote system. Here are some steps to get GlassFish set up for secure, remote access. Note that I'm not covering any of the setup on the local machine besides unzipping the bundle -- there are other blogs and documentation out there about securing your installation at the OS level. The following applies to GlassFish 3.1.1:

Step 0: Setup

After starting up a remote machine, copy the GlassFish zip file there and unzip it. At this point, I only have the standard ssh and http ports open in my firewall ("security group" on Amazon EC2). If you start with port 4848 open, then someone could access the server through the admin console in a browser before you've had a chance to change the password or admin username.

Step 1: Secure admin

With GlassFish installed, start the server, then change the admin user's password and enable secure administration. Without secure administration on, remote systems cannot talk to the server at all. Here are the commands to run locally from your ssh session:
  • asadmin start-domain
  • asadmin change-admin-password
After changing the admin password, you may want to run asadmin login as well to avoid having to specify the password again and again. This will only affect local access to the server (e.g. your environment while ssh'ed into the remote machine). Next:
  • asadmin enable-secure-admin
  • asadmin restart-domain
For more information on secure admin, see Tim Quinn's blog on the subject.

Step 2: Enable access

You can now open port 4848 in the security group/firewall so that your local asadmin client can talk to the remote server. If you want to remove the 'admin' user and create an administrative user with a different name, you can now reach the admin console at port 4848 in a browser:
  1. Log in as 'admin' user.
  2. In the left-hand panel, open Configurations, server-config, Security, Realms, admin-realm.
  3. Click Manage Users on the right and create the new user in the asadmin group.
  4. Log out as 'admin' then log in as your new user to delete the 'admin' user.
If you change the admin user, use the new user name in place of 'admin' below.

Step 3: Set up local access

With secure administration turned on, you can now access the remote machine like this (note that the port argument is only needed if you have changed the admin port):

BobbyMac}> asadmin --host <hostname> --user admin --port 4848 --secure list-applications
Enter admin password for user "admin">
Nothing to list.
Command list-applications executed successfully.
Of course, you may not want to specify the command line options over and over and supply the password manually each time. You can specify these environment variables instead:


  • AS_ADMIN_HOST
  • AS_ADMIN_PORT
  • AS_ADMIN_SECURE (set to "true" without the quotes)
  • AS_ADMIN_USER
  • AS_ADMIN_PASSWORDFILE
The last one should be set to the path of a file with these contents:
AS_ADMIN_PASSWORD=<your password>
Now you can access your remote server with simple asadmin commands with no other parameters:

BobbyMac}> asadmin list-applications
Nothing to list.

Command list-applications executed successfully.
Note: if you want to see all the parameters that are being used in the asadmin command, you can use the --echo option to have them printed:

BobbyMac}> asadmin --echo list-applications
asadmin --host <host> --port 4848 --user admin --passwordfile <path> --secure --interactive=true --echo=true --terse=false list-applications --long=false --terse=false --subcomponents=false --resources=falseNothing to list.Command list-applications executed successfully.
There are more options you can use with asadmin, but these are the basics to make remote administration easy. For all of the available options, run 'asadmin --help' on your local system. (If you're on a Mac, run 'asadmin --help | open -f" to bring up the help in a text editor for easy searching. See one of my earlier blogs for more information.)

Happy administering....

4 comments:

  1. I find GF pretty good too but I'm also thinking of moving an app to the EC2 cloud and wondering if maybe I ought to go for JBoss now rather than suffer pain later. How have you found GF 3 and EC2 ?

    ReplyDelete
  2. Hi
    I've started using EC2 few days ago and now I have a problem I can't solve on my own...
    I'm using Jenkins for CI and as one of my steps I use AWS plugin to create a new instance based on AMI image I created earlier. Since instance has a different local IP each time I create it I can't preinstall GF and simply start it after instance is created.
    So I'm using template files where pull, install and then start GF.
    There is only one problem, If I do so I have to manualy do change-admin-password and enable-secure-admin... I wanted to do this during setup but can't figure out how to set template file to force CloudFormation to set new admin password and this secure access...
    Any ideas?
    I'm using AMI with ubuntu

    Thanks

    ReplyDelete
    Replies
    1. Hi Piotr,

      Why can't you install GF, change admin password, etc, and then create the AMI from that instance? That's what we do, so I can start up a machine image and it already has the secure admin enabled and a non-default password.

      I need to change $AS_ADMIN_HOST to access it remotely, but that's to be expected.

      Cheers,
      Bobby

      Delete