Asadmin with Remote GlassFish

Now that I've been working more with Amazon EC2, I'm starting to appreciate how useful the GlassFish asadmin tool is with a remote system. Here are some steps to get GlassFish set up for secure, remote access. Note that I'm not covering any of the setup on the local machine besides unzipping the bundle -- there are other blogs and documentation out there about securing your installation at the OS level. The following applies to GlassFish 3.1.1:

Step 0: Setup

After starting up a remote machine, copy the GlassFish zip file there and unzip it. At this point, I only have the standard ssh and http ports open in my firewall ("security group" on Amazon EC2). If you start with port 4848 open, then someone could access the server through the admin console in a browser before you've had a chance to change the password or admin username.

Step 1: Secure admin

With GlassFish installed, start the server, then change the admin user's password and enable secure administration. Without secure administration on, remote systems cannot talk to the server at all. Here are the commands to run locally from your ssh session:

• asadmin start-domain
• asadmin change-admin-password

After changing the admin password, you may want to run asadmin login as well to avoid having to specify the password again and again. This will only affect local access to the server (e.g. your environment while ssh'ed into the remote machine). Next:

• asadmin enable-secure-admin
• asadmin restart-domain

For more information on secure admin, see Tim Quinn's blog on the subject.

Step 2: Enable access

You can now open port 4848 in the security group/firewall so that your local asadmin client can talk to the remote server. If you want to remove the 'admin' user and create an administrative user with a different name, you can now reach the admin console at port 4848 in a browser:

1. Log in as 'admin' user.
2. In the left-hand panel, open Configurations, server-config, Security, Realms, admin-realm.
3. Click Manage Users on the right and create the new user in the asadmin group.
4. Log out as 'admin' then log in as your new user to delete the 'admin' user.

If you change the admin user, use the new user name in place of 'admin' below.

Step 3: Set up local access

With secure administration turned on, you can now access the remote machine like this (note that the port argument is only needed if you have changed the admin port):

BobbyMac}> asadmin --host <hostname> --user admin --port 4848 --secure list-applications
Enter admin password for user "admin">
Nothing to list.
Command list-applications executed successfully.

Of course, you may not want to specify the command line options over and over and supply the password manually each time. You can specify these environment variables instead:

• AS_ADMIN_HOST
• AS_ADMIN_PORT
• AS_ADMIN_SECURE (set to "true" without the quotes)
• AS_ADMIN_USER
• AS_ADMIN_PASSWORDFILE

The last one should be set to the path of a file with these contents:

AS_ADMIN_PASSWORD=<your password>

Now you can access your remote server with simple asadmin commands with no other parameters:

BobbyMac}> asadmin list-applications
Nothing to list.
Command list-applications executed successfully.

Note: if you want to see all the parameters that are being used in the asadmin command, you can use the --echo option to have them printed:

BobbyMac}> asadmin --echo list-applications
asadmin --host <host> --port 4848 --user admin --passwordfile <path> --secure --interactive=true --echo=true --terse=false list-applications --long=false --terse=false --subcomponents=false --resources=falseNothing to list.Command list-applications executed successfully.

There are more options you can use with asadmin, but these are the basics to make remote administration easy. For all of the available options, run 'asadmin --help' on your local system. (If you're on a Mac, run 'asadmin --help | open -f" to bring up the help in a text editor for easy searching. See one of my earlier blogs for more information.)

Happy administering....