
GlassFish 3.1: using the master password and managing instances

Posted by carlavmott on March 2, 2011 at 12:38 PM PST


GlassFish 3.1 supports creating and managing instances on multiple hosts from a central location (the DAS). The server software uses SSH to communicate with the remote systems where the instances reside, and Joe's blog contains useful information on setting up SSH in a way that GlassFish can take advantage of. In this blog I talk about managing those instances when the user sets the master password to something other than the default.

It is recommended that users change the default master password for security reasons.  Since GlassFish never transmits the master password or associated file over the network, the user must take action on the remote hosts to allow the system to manage the instances from a central location.  Commands such as start-instance do not have a mechanism that allows the user to enter the master password but they do look for a master password file in the agent directory of the node associated with that instance.  This means that each instance on that node uses the same master password.  We have updated the command change-master-password so that it creates the master-password file for a node. Commands with the --savemasterpassword option will create or update the master-password file.

Let's look at an example. In this case, I create a new domain, setting the master password to 'welcome1', and start the domain. I create an SSH node for the remote host I plan to use for the instances. I then create an instance on a remote node using the command create-instance, which I run on the DAS. Note that I can create the instance from the DAS but I cannot start it unless the master password for the instance matches the master password for the DAS. At that point I have to go to the instance machine and run the change-master-password command with the --savemasterpassword option set to true so that the master-password file is created in the node's agent directory. Once I do that I can go to the DAS machine and manage the instance. Since the master password is associated with the node, I can then create additional instances from the DAS machine and start or stop them without having to go to the remote host. I have added the commands that need to be run below.

1) Create and start a domain with the master-password set to "welcome1" using the following commands. Note that I did not set a password for the admin user.

asadmin create-domain --savemasterpassword true domain2
asadmin start-domain domain2

2) Create an SSH node

 asadmin create-node-ssh --nodehost glassfish1.sfbay.sun.com --installdir /export/glassfish3 node2

3) Create an instance from the DAS.  This creates the instance configuration information and the instance file system.

asadmin create-instance --node node2 ins2

4) At this point the instance is created but it cannot be started by the start-instance command because there is no master-password file in the agent directory for that node. That file must exist and it must have the same password as the master password on the DAS. If I try to start the instance before creating that file, I get the following error:

asadmin start-instance ins2
remote failure: Could not start instance ins2 on node node2 (glassfish1.sfbay.sun.com).

Command failed on node node1 (glassfish1.sfbay.sun.com): The Master Password is required to start the domain.  No console, no prompting possible.  You should either create the domain with --savemasterpassword=true or provide a password file with the --passwordfile option.Command start-local-instance failed.

To complete this operation run the following command locally on host glassfish1.sfbay.sun.com from the GlassFish install location /export/glassfish3:

 asadmin  start-local-instance --node node2 --sync normal ins2
Command start-instance failed.

Go to the instance machine (glassfish1.sfbay.sun.com in this case)  and create the master password file for node2 by typing the following command.

asadmin change-master-password --savemasterpassword true --nodedir /export/glassfish3/glassfish/nodes node2

Important note: At the prompt I have to enter the old master password ('welcome1') which is what I had set when I created domain2 on the DAS. It is not the default master password 'changeit'  because the keystore was copied over when the instance was created and it is encrypted with the master password from the DAS. So the passwords are the same but since start-instance doesn't have an option to take the master password it looks for a file called master-password in the agent directory to access the keystores. Once that file is created, start-instance can be run centrally (from the DAS).

5) Start the instance from the DAS

asadmin start-instance ins2

At this point you can create additional instances from the DAS and start them without going to the instance machine. 

A slightly different scenario is below. In this case I begin by creating a domain with the master password set to 'welcome1' as in the previous example and create an SSH node pointing to the remote host where the instance will run, but I create the instance locally on the instance machine. At some future time I want to manage the instance from the DAS, so I still need the master-password file created in the node's agent directory.

On DAS machine:

1) Create and start a domain with the master-password set to "welcome1" using the following commands:

asadmin create-domain --savemasterpassword true domain2
asadmin start-domain domain2

2) Create an SSH node pointing to the remote host where the instances will run.

asadmin create-node-ssh --nodehost glassfish1.sfbay.sun.com --installdir /export/glassfish3 node2

Now we move to the instance machine and create the instance locally. As long as there is no master-password file in the node, we need to create one; the command create-local-instance can do that for us.

asadmin --host DASHost create-local-instance --node node2 --savemasterpassword true insL2

In this case, the master password for the keystore in the instance is 'changeit', the default. Nothing was copied over from the DAS, so the password is what is on the instance machine. Again, once the master-password file has been created with the password that matches the one on the DAS, instance insL2 can be administered from the DAS. Additional instances can be created, started and stopped from the DAS machine.

If the master password is changed on the DAS then you must go to each instance machine and run the change-master-password command as in step 4 above to reset the master password file for each node.
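
An added example, not part of the original post: a shell check to run on an instance machine that reports, for every node under a node directory, whether the saved master-password file exists and is readable only by its owner. It assumes the file sits at <nodedir>/<node>/agent/master-password, following the --nodedir value and the agent directory named above; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit saved master-password files under a GlassFish node directory.
# Assumed layout: <nodedir>/<node>/agent/master-password

# Print one status word for a node: ok | missing | too-open
check_master_password_file() {
    nodedir=$1
    node=$2
    file="$nodedir/$node/agent/master-password"
    if [ ! -f "$file" ]; then
        echo missing      # start-instance from the DAS will fail for this node
        return 0
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$file" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo too-open     # other local accounts can reach the saved secret
        return 0
    fi
    echo ok
}

# Report every node under a node directory, one "node status" line each.
audit_nodedir() {
    nodedir=$1
    for dir in "$nodedir"/*/; do
        [ -d "$dir" ] || continue
        node=$(basename "$dir")
        echo "$node $(check_master_password_file "$nodedir" "$node")"
    done
}

# Demo on a constructed tree (not a real GlassFish install).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/node2/agent" "$tmp/node3/agent" "$tmp/node4/agent"
    : > "$tmp/node2/agent/master-password"
    chmod 600 "$tmp/node2/agent/master-password"
    : > "$tmp/node3/agent/master-password"
    chmod 644 "$tmp/node3/agent/master-password"
    audit_nodedir "$tmp"
    rm -rf "$tmp"
}
demo
```

On a real host, call audit_nodedir with the node directory used in step 4 (/export/glassfish3/glassfish/nodes in this post) instead of running the demo.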

 
 
