For example, to specify the password for the domain administration server (DAS), add an entry similar to the following to the password file, where adminadmin is the administrator password: Save the password file. You can now specify the password file in an asadmin subcommand.
In this example, passwords. Storing passwords in cleartext format in system configuration files is common in many open source projects. However, storing and passing passwords in cleartext can be a security risk, and may violate some corporate security policies.
In such cases, you can use password aliases. The password corresponding to the alias name is stored in an encrypted form in the domain configuration file. The create-password-alias subcommand takes both a secure interactive form, in which users are prompted for all information, and a more script-friendly form, in which the password is propagated on the command line.
You can also use the set subcommand to remove and replace the password in the configuration file. For example:
Go to the directory where the configuration file resides. Create the password alias by using the create-password-alias subcommand.
Add the alias to a password file. For example, assume the use of a password file such as passwords. To continue the example of the previous step, you would then run the create-file-user subcommand. You could use this method to create several users (user1, user2, and so forth), all with the same password. You can also view the full syntax and options of the subcommand by typing asadmin help create-password-alias at the command line. Use the list-password-aliases subcommand in remote mode to list the existing password aliases.
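The procedure above relies on two things a practitioner should verify: the password file that asadmin reads must not be readable by other local users, and the domain configuration should reference aliases rather than carry cleartext values. The following POSIX shell script is an added example, not code from the GlassFish documentation. It writes an asadmin password file with owner-only permissions and counts the Password properties in a configuration file that are still cleartext rather than ${ALIAS=...} references. AS_ADMIN_PASSWORD is the entry name asadmin reads for the administrator password; the file names passwordfile.txt and sample-domain.xml, the pool names and the password value are constructed for this example, and the configuration fragment only imitates the layout of a GlassFish domain configuration file (assumed here to be domain.xml).

```shell
#!/bin/sh
# Added example, not part of the GlassFish documentation.
# 1. Create an asadmin password file readable only by its owner.
# 2. Audit a domain configuration for cleartext password properties.

# write_passwordfile PATH PASSWORD
# Creates PATH containing the AS_ADMIN_PASSWORD entry with mode 600,
# so the cleartext password is not exposed to other local users.
write_passwordfile() {
    pf=$1
    pw=$2
    # umask 077 inside a subshell so the caller's umask is untouched
    ( umask 077 && printf 'AS_ADMIN_PASSWORD=%s\n' "$pw" > "$pf" )
}

# passwordfile_is_private PATH
# Succeeds only if PATH has exactly mode 600 (POSIX find -perm).
passwordfile_is_private() {
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# write_sample_config PATH
# Writes a constructed fragment in the style of a GlassFish domain
# configuration (assumed file name: domain.xml): one pool with a cleartext
# password and one using a password alias reference.
write_sample_config() {
    cat > "$1" <<'EOF'
<resources>
  <jdbc-connection-pool name="pool-cleartext">
    <property name="User" value="app"/>
    <property name="Password" value="example-only-secret"/>
  </jdbc-connection-pool>
  <jdbc-connection-pool name="pool-aliased">
    <property name="User" value="app"/>
    <property name="Password" value="${ALIAS=pool-aliased-password}"/>
  </jdbc-connection-pool>
</resources>
EOF
}

# count_cleartext_passwords PATH
# Prints how many Password properties in PATH are not ${ALIAS=...} references.
count_cleartext_passwords() {
    # grep -c exits 1 when the count is 0; "|| true" keeps the count printable
    grep -i 'name="password"' "$1" | grep -vcF '${ALIAS=' || true
}

# Usage: sh passwordfile-audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_passwordfile "$dir/passwordfile.txt" 'example-only-password'
    passwordfile_is_private "$dir/passwordfile.txt" && echo "password file is owner-only"
    write_sample_config "$dir/sample-domain.xml"
    echo "cleartext passwords found: $(count_cleartext_passwords "$dir/sample-domain.xml")"
    rm -rf "$dir"
fi
```

Run the audit against a real configuration by passing its path to count_cleartext_passwords; a non-zero count is the list of candidates for create-password-alias followed by the set subcommand described above.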
List password aliases by using the list-password-aliases subcommand. You can also view the full syntax and options of the subcommand by typing asadmin help list-password-aliases at the command line. Use the delete-password-alias subcommand in remote mode to delete an existing password alias.
List all aliases by using the list-password-aliases subcommand. Delete a password alias by using the delete-password-alias subcommand. You can also view the full syntax and options of the subcommand by typing asadmin help delete-password-alias at the command line. Use the update-password-alias subcommand in remote mode to change the password for an existing password alias.
The update-password-alias subcommand takes both a secure interactive form, in which the user is prompted for all information, and a more script-friendly form, in which the password is propagated on the command line. Update an alias by using the update-password-alias subcommand. You can also view the full syntax and options of the subcommand by typing asadmin help update-password-alias at the command line.
Use the create-audit-module subcommand in remote mode to create an audit module for the add-on component that implements the audit capabilities. Create an audit module by using the create-audit-module subcommand. Information about properties for this subcommand is included in this help page. You can also view the full syntax and options of the subcommand by typing asadmin help create-audit-module at the command line.
Use the list-audit-modules subcommand in remote mode to list the audit modules on one of the following targets: List the audit modules by using the list-audit-modules subcommand.
You can also view the full syntax and options of the subcommand by typing asadmin help list-audit-modules at the command line. Use the delete-audit-module subcommand in remote mode to delete an existing audit module.
Delete an audit module by using the delete-audit-module subcommand. In the developer profile, the GlassFish Server 5. In all profiles, the client side (appclient or stand-alone) uses the JSSE format. By default, the keytool utility creates a keystore file in the directory where the utility is run. Change to the directory that contains the keystore and truststore files. Always generate the certificate in the directory containing the keystore and truststore files.
Generate the certificate in the keystore file, keystore. Use any unique name as your keyAlias. If you have changed the keystore or private key password from the default changeit, substitute the new password for changeit.
The default key password alias is s1as. A prompt appears that asks for your name, organization, and other information. Export the generated certificate to the server. If a certificate signed by a certificate authority is required, see To Sign a Certificate by Using keytool. Create the cacerts. If you have changed the keystore or private key password from the default changeit, substitute the new password.
Information about the certificate is displayed and a prompt appears asking if you want to trust the certificate. Type yes, then press Enter. Information similar to the following is displayed: To apply your changes, restart GlassFish Server. After creating a certificate, the owner must sign the certificate to prevent forgery.
E-commerce sites, or those for which authentication of identity is important, can purchase a certificate from a well-known Certificate Authority (CA). If authentication is not a concern (for example, if private secure communications are all that is required), you can save the time and expense involved in obtaining a CA certificate by using a self-signed certificate.
For example, "mypass". Note that s1as is the default alias of the GlassFish Server keystore. Generate a new key pair for the application server: In addition to generating a key pair, the command wraps the public key into a self-signed certificate and stores the certificate and the private key in a new keystore entry identified by the alias. For HTTPS hostname verification, it is important to ensure that the name of the certificate (CN) matches the fully-qualified hostname of your site (its fully-qualified domain name).
If the names do not match, clients connecting to the server will see a security alert stating that the name of the certificate does not match the name of the site. For example, changeit. In response, you should receive a signed server certificate. Make sure to import into your browser the CA certificate of the CA (if not already present) and any intermediate certificates indicated by the CA in the reply.
Download the CA certificate and any intermediate CA certificates and store them in local files. Import the CA certificate (if not already present) and any intermediate CA certificates (if not already present) indicated by the CA into the truststore cacerts. Replace the original self-signed certificate with the certificate you obtained from the CA, as stored in a file such as s1as.
After running the command, you should see that the certificate s1as in the keystore is no longer the original self-signed certificate, but is now the response certificate from the CA.
Consider the following example that compares an original s1as certificate with a new s1as certificate obtained from VeriSign: Certificates are often stored using the printable encoding format defined by the Internet Request for Comments (RFC) standard instead of their binary encoding.
This certificate format, also known as Base 64 encoding, facilitates exporting certificates to other applications by email or through some other mechanism.
The reply format defined by the Public Key Cryptography Standards 7, Cryptographic Message Syntax Standard, includes the supporting certificate chain in addition to the issued certificate. This enables the administrator to set up third-party plug-in modules to perform authorization. You should not delete these default providers. Any JACC providers you create with the create-jacc-provider subcommand are in addition to these two default providers. Select the server configuration for which you want to administer JACC providers and expand the entry.
The existing JACC providers are shown on this page. To create a new provider, click New. Enter the Name, the Policy Configuration (the class that implements the policy configuration factory) and the Policy Provider (the class that implements the policy factory) for the new JACC provider. To create a JACC provider, use the create-jacc-provider subcommand.
To delete a JACC provider, use the delete-jacc-provider subcommand. To list the available providers, use the list-jacc-providers subcommand. The following example shows how to list JACC providers for the default domain: About System Security in GlassFish Server Security is about protecting data, that is, how to prevent unauthorized access or damage to data that is in storage or in transit.
Authentication Authentication is the way in which an entity (a user, an application, or a component) determines that another entity is who it claims to be. Authentication Types Within its deployment descriptors, an application can specify the type of authentication that it uses. Passwords Passwords are your first line of defense against unauthorized access to the components and data of GlassFish Server.
Password Aliases To avoid storing passwords in the domain configuration file in clear text, you can create an alias for a password. Single Sign-on With single sign-on, a user who logs in to one application becomes implicitly logged in to other applications that require the same authentication information.
Authorization Authorization, also known as access control, is the means by which users are granted permission to access data or perform operations. Roles A role defines which applications and what parts of each application users can access and what those users or groups can do with the applications.
Working With the server. Contents of server. This server. Should be refined later. RuntimePermission "getProtectionDomain"; permission com. DynamicAccessPermission "access"; permission java. RuntimePermission "loadLibrary.
RuntimePermission "queuePrintJob"; permission java. RuntimePermission "modifyThreadGroup"; permission java. RuntimePermission "getClassLoader"; permission java.
RuntimePermission "setContextClassLoader"; permission javax. MBeanPermission "[com. PrivateCredentialPermission "javax. Auditing Auditing is the means used to capture security-related events for the purpose of evaluating the effectiveness of security measures. For administration instructions, see Administering Audit Modules. Firewalls A firewall controls the flow of data between two or more networks, and manages the links between the networks. Certificates and SSL The following topics are addressed here:
Certificates Certificates, also called digital certificates, are electronic files that uniquely identify people and resources on the Internet. Personal certificates are used by individuals.
Certificate Chains A certificate chain is a series of certificates issued by successive CA certificates, eventually ending in a root CA certificate. Keystore file The keystore. Truststore file The cacerts. The server responds by sending its certificate including its public key. The server decrypts the message using its private key and recovers the session key.
A suitable login decision can be made here. Administration Console The Administration Console is a browser-based utility used to configure security for the entire server. The asadmin utility The asadmin command-line utility performs many of the same tasks as the Administration Console. The policytool utility The policytool Java SE graphical utility is used for managing system-wide Java security policies.
Administering Passwords There are multiple ways to administer passwords. To Change the Master Password The master password gives access to the keystore used with the domain. When the master password is saved, it is saved in the master-password file. Master password changed for domain44ps.
The master password can be supplied via the master-password file, by entering it interactively, or via the asadmin passwordfile. Change the master password on the DAS and save it with --savemasterpassword. Try to start the instance using the start-instance subcommand.
An error results. Using start-instance and start-cluster With a Password File Assume that you have changed the master password on the DAS and you want to make the same change for all instances. To Change an Administration Password Use the change-admin-password subcommand in remote mode to change an administration password.
Enter the old and new admin passwords when prompted. Command change-admin-password executed successfully. To Set a Password From a File Instead of typing the password at the command line, you can access the password for a command from a file such as passwords. Ensure that the server is running. Remote subcommands require a running server. Type the password for the alias when prompted.
This example creates the new jms-password alias for the admin user: To List Password Aliases Use the list-password-aliases subcommand in remote mode to list the existing password aliases. To Delete a Password Alias Use the delete-password-alias subcommand in remote mode to delete an existing password alias.
This example deletes the password alias jmspassword-alias: To Update a Password Alias Use the update-password-alias subcommand in remote mode to change the password for an existing password alias. Type the password when prompted. This example updates the password for the jmspassword-alias alias: Administering Audit Modules The following topics are addressed here:
To Create an Audit Module Use the create-audit-module subcommand in remote mode to create an audit module for the add-on component that implements the audit capabilities. This example creates an audit module named sampleAuditModule: You can choose to type the password manually when required, or to obscure the password in a password file. If there is no password file, you are prompted for the master password. If there is a password file, but you want to change access to require prompting, remove the file.
The default master password is changeit. Use the change-master-password subcommand in local mode to modify the master password. When the master password is changed, it is re-saved in the master-password keystore, which is a Java JCEKS type keystore.
Change the master password for the domain by using the change-master-password(1) subcommand. The change-master-password subcommand is interactive in that you are prompted for the old master password as well as the new master password. This example changes the master password for domain44ps: If you have already logged into the domain using the login(1) subcommand, you are prompted for the new master password: If you are not logged into the domain, you are prompted for both the old and the new master passwords:
You can also view the full syntax and options of the subcommand by typing asadmin help change-master-password at the command line. Use the change-admin-password subcommand in remote mode to change the administration password. The default administration password is admin. You are prompted for the old and new admin passwords, with confirmation.
If you accepted the default admin user with no password during zip installation, you can add a password to this user. If there is a single user called admin that does not have a password, you are not prompted for login information.
Any other situation requires login. If you want to change the admin password before creating an alias for the password (that is, before encrypting it), you can use the set subcommand with syntax similar to the following: Change the admin password by using the change-admin-password(1) subcommand. This example changes the admin password for user anonymous from adminadmin to newadmin:
You can also view the full syntax and options of the subcommand by typing asadmin help change-admin-password at the command line. Instead of typing the password at the command line, you can access the password for a command from a file such as passwords. The --passwordfile option of the asadmin utility takes the name of the file that contains the passwords. For example, to specify the password for the domain administration server (DAS), add an entry similar to the following to the password file, where adminadmin is the administrator password:
You can now specify the password file in an asadmin subcommand. In this example, passwords. A password alias is used to indirectly access a password so that the password itself does not appear in cleartext in the domain's domain. Storing passwords in cleartext format in system configuration files is common in many open source projects.
However, storing and passing passwords in cleartext can be a security risk, and may violate some corporate security policies. The above error occurs when the keystore does not have the intermediate certificates (otherwise known as the CA bundle) needed to establish the full chain. There is a process already using the admin port — it probably is another instance of a GlassFish server.
Command start-domain failed. If you cannot start the domain with this error being displayed, you will need to kill the java process manually. First, run this command to locate the process: Copy the PID of java running on your GlassFish ports (in the above screenshot), and run this command to kill the process:
You will now be able to start the domain using the usual asadmin commands. This will contain sufficient information on the SSL errors; however, if you feel it is not enough, you can set the debug level to SSL in domain. You can check the content of a keystore with this command:. This will give you a short list of all entries in the keystore. To get more information on each entry e. In the below example, the keystore example. For the certificate to work, the GlassFish master password for the domain, the keystore password, and the private key password must all be the same.
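Two checks follow from the text above: the certificate CN must match the site's fully-qualified hostname (the hostname-verification point made earlier), and a CA-issued certificate must have its intermediate certificates in the keystore, which is what the missing-CA-bundle error is about. The following POSIX shell script is an added example, not from the original page or from GlassFish, that applies both checks to the output of keytool -list -v. The listings, hostnames and organization names are constructed samples written to files by the script; on a real server you would instead save the output of keytool -list -v -keystore <keystore-file> -alias s1as to a file and pass that file to check_listing.

```shell
#!/bin/sh
# Added example, not part of the original page. Checks the output of
# "keytool -list -v" for two problems: a leaf certificate whose CN does not
# match the site's fully-qualified hostname, and a chain that contains only
# the leaf (no intermediate/CA certificates). All listings are constructed.

# write_self_signed_listing PATH
# Constructed listing for a freshly generated self-signed s1as entry.
write_self_signed_listing() {
    cat > "$1" <<'EOF'
Alias name: s1as
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=GlassFish, O=Example Org, C=US
Issuer: CN=localhost, OU=GlassFish, O=Example Org, C=US
EOF
}

# write_ca_issued_listing PATH
# Constructed listing after importing the CA reply plus its intermediates.
write_ca_issued_listing() {
    cat > "$1" <<'EOF'
Alias name: s1as
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, O=Example Org, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
EOF
}

# leaf_cn PATH : prints the CN from the first (leaf) certificate's Owner line
leaf_cn() {
    sed -n 's/^Owner: *CN=\([^,]*\).*/\1/p' "$1" | head -n 1
}

# chain_length PATH : prints the reported certificate chain length (0 if absent)
chain_length() {
    n=$(sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${n:-0}"
}

# check_listing PATH FQDN
# Succeeds when the leaf CN equals FQDN and at least one issuer certificate
# is present in the chain; reports each failure on stderr.
check_listing() {
    cn=$(leaf_cn "$1")
    len=$(chain_length "$1")
    ok=0
    if [ "$cn" != "$2" ]; then
        echo "CN '$cn' does not match expected hostname '$2'" >&2
        ok=1
    fi
    if [ "$len" -lt 2 ]; then
        echo "chain length $len: CA bundle (intermediate certificates) missing" >&2
        ok=1
    fi
    return $ok
}

# Usage: sh check-keystore-listing.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_self_signed_listing "$dir/self.txt"
    write_ca_issued_listing "$dir/ca.txt"
    check_listing "$dir/self.txt" www.example.com || echo "self-signed listing: problems found"
    check_listing "$dir/ca.txt" www.example.com && echo "CA-issued listing: OK"
    rm -rf "$dir"
fi
```

A self-signed certificate intentionally used for private communications will fail the chain-length check by design; the check is meant for the case where a CA reply has been imported and clients still report an incomplete chain.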
To make sure all three passwords are the same, you can use the commands below to change them. For further reading, you can refer to the documentation listed below:. Importing the certificate The certificate files should be uploaded to your server so they can be imported into the keystore.
The CA bundle can be imported with this command: keytool -import -trustcacerts -alias ca -file file. When the CA bundle is imported, you can import the certificate with the following command: keytool -import -trustcacerts -alias myalias -file file. The following command is used to import one keystore into another: keytool -importkeystore -srckeystore mykeystore.
You will receive a confirmation saying the import was successful, as shown below: Once your keystore is imported, GlassFish configuration needs to be updated to start using the new certificate. Editing domain. Before opening the file, we recommend stopping the GlassFish service for this domain with the following command: asadmin stop-domain example.
If the file contains references to port , you can also update them to If all aliases are updated to your alias, the certificate will also be installed for the GlassFish Administration Console.
Save the changes in domain. Optional configuration Using your own keystore Instead of importing your keystore into the default GlassFish keystore keystore.
Troubleshooting This section covers several more or less common errors that can be encountered during installation, checking errors, and guidelines for password changes.