Installing Glassfish 3.0.1 on Ubuntu

This tutorial is outdated. The latest version is available here: Installing Glassfish 4.1 on Ubuntu 14.04 LTS.

This tutorial will explain how to install a Glassfish 3.0.1 server on an Ubuntu server. It will also cover some, but not all, security concerns. The steps have been executed successfully on both Ubuntu 8.04 LTS and Ubuntu 10.04 LTS Server edition (64-bit), but they should also work for later versions (and for desktop versions). I have tested everything using Parallels virtual machines; you might want to use virtual machines as well. You can use this tutorial for setting up a Glassfish server which is reachable from the internet by everybody. Both Ubuntu root servers and Ubuntu virtual servers should be fine for this tutorial, so you can choose any hosting package offered by the provider of your choice. In all cases you need to make sure you have root access to your server. You should also be familiar with the Unix/Linux command line because you will have to execute lots of commands on the shell. After completing this tutorial you can use your new Glassfish installation to host your own Java EE 6 compliant applications.


Creating this tutorial meant a lot of effort. Consider the time spent to find out about the security concerns described here... I hope it will help others. If you have any questions do not hesitate to contact me. Any feedback is welcome! Also feel free to leave a comment (see below). For helping me to maintain my tutorials any donation is welcome. But now enough words - enjoy the tutorial.


1. Setting up the OS environment

Before you start doing anything you should think about a security concept. A detailed security concept is out of scope for this tutorial. From a security point of view it is very important not to run your Glassfish server as root. This means you need to create a user with restricted rights which you can use for running Glassfish. Once you have added a new user, let's say glassfish, you might also want to add a new group called glassfishadm. You can use this group for all users that shall be allowed to "administer" your Glassfish in full depth, which also means modifying files in the Glassfish home directory. Below you find the user and group related commands that you might want to use.

#Add a new user called glassfish (a system user with a locked password,
#but with a login shell so that "su glassfish" works)
sudo adduser --home /home/glassfish --system --shell /bin/bash glassfish

#add a new group for glassfish administration
sudo groupadd glassfishadm

#add your users that shall be Glassfish administrators
#(replace $myAdminUser with the real user name)
sudo usermod -a -G glassfishadm $myAdminUser

#in case you want to delete the group some time later (ignore warnings):
#sudo delgroup glassfishadm

Glassfish allows some of the configuration tasks to be managed via a web based administration GUI. We will simply call it AdminGUI from now on. You can reach the AdminGUI by visiting http://www.yourserver.com:4848/ in your browser (please replace www.yourserver.com with localhost or wherever your Glassfish server is). As you can see, port 4848 is used. Of course, we don't want just anyone to access our AdminGUI, so we have to restrict access to it. One way to do this is to block port 4848 in the firewall. Anything you can do via the AdminGUI is also available via the asadmin tool that ships with Glassfish, so you don't have to worry about not being able to configure Glassfish if you block the AdminGUI.

Usually you want to run Glassfish on port 80. But since we do not want to run Glassfish as root, and only root may bind ports below 1024 on Linux, we cannot let Glassfish listen on port 80 directly. There are still ways to run Glassfish as a non-root user and receive http requests on port 80. One option would be mod_jk, but that is yet another component that needs to be managed. An easy way is a simple iptables redirection rule that redirects requests on port 80 to port 8080 (http) and requests on port 443 to port 8181 (https).

You should make sure that you do not block other important ports, for example your ssh port, which usually is port 22. Changing the ssh port to some other port is actually a good idea, but for now we will simply assume your ssh port is 22. Another helpful iptables rule related to port 22 slows down connection attempts from an IP address after 3 attempts. I found a rule for that on the web and added it below. Note that the rule counts new TCP connections from the same address within 60 seconds, not failed logins, so a legitimate user who reconnects several times in quick succession is throttled as well. Although I will not cover it here, you should also use other techniques and tools to secure your ssh port. I will post a tutorial about that later if I find the time.

By now we have collected quite a few rules. You could enter them one by one every time, but we don't want that kind of effort. I suggest putting the following iptables rules into a separate file which contains everything iptables related that we discussed so far:

#!/bin/bash

# ATTENTION: flush/delete all existing rules in the filter and nat tables
# (without flushing nat, every run of this script would append a second
# copy of the redirection rules below)
iptables -F
iptables -t nat -F

################################################################
# set the default policy for each of the pre-defined chains
################################################################
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT

################################################################
#individual ports tcp
################################################################
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8181 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#uncomment next line to enable AdminGUI on port 4848:
#iptables -A INPUT -p tcp --dport 4848 -j ACCEPT

################################################################
#slow down ssh connection attempts from the same ip address:
#once 3 new connections were seen within 60 seconds, further
#attempts are dropped until the 60 second window has passed
#(-I inserts these two rules at the top of the INPUT chain)
################################################################
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --set -j ACCEPT
iptables -I INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --update --seconds 60 --hitcount 3 --rttl -j DROP

#drop everything else
iptables -A INPUT -j DROP

################################################################
#Redirection Rules
################################################################
#1. redirection rules (allowing forwarding from localhost)
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-ports 8181

#2. redirection http
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

#3. redirection https
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181


################################################################
#save the rules somewhere and make sure
#our rules get loaded if the ubuntu server is restarted
################################################################
iptables-save > /etc/my-iptables.rules
iptables-restore < /etc/my-iptables.rules

#List Rules to see what we have now
iptables -L

I suggest creating a file called iptables.DISABLE_4848.rules which contains exactly everything from the code box above. Then you can also create a file called iptables.ENABLE_4848.rules which is identical except that the commented-out rule for port 4848 is uncommented. Of course, you have to make both files executable with the command chmod +x $filename (please replace $filename). Then you can simply run one of the scripts whenever you want to disable or enable the AdminGUI on port 4848, e.g. sudo ./iptables.DISABLE_4848.rules

Please also do not forget that all your iptables rules have to be activated again whenever your Ubuntu server is restarted. Otherwise you would have to remember to run your iptables script manually after each restart. If you forget to run it, or if you simply did not notice that your server has been restarted, then your firewall is open for everyone. If you are lucky nothing will happen; if not, you might see some successful intrusions. The iptables-save and iptables-restore lines at the end of the script help you to make sure your rules are loaded automatically after each restart. But this is not everything needed for iptables configuration on startup. You also need to create a file at /etc/network/if-pre-up.d/iptablesload and one at /etc/network/if-post-down.d/iptablessave. For more information please have a look at the official Ubuntu help sites for iptables. The following two code boxes show the content of our two files. As you can see, both files refer to /etc/my-iptables.rules, which is the file written by iptables-save at the end of our scripts iptables.DISABLE_4848.rules and iptables.ENABLE_4848.rules. Keep in mind that iptablessave overwrites /etc/my-iptables.rules with whatever rules are active when the interface goes down: if port 4848 was enabled at that moment, the AdminGUI will be reachable again after the reboot. I have added /sbin/ in front of the iptables commands (see below) because I was facing the problem that iptables commands without /sbin/ could not be found at the time when the files iptablesload or iptablessave were executed during the Ubuntu server startup process.

#!/bin/sh
# /etc/network/if-pre-up.d/iptablesload
/sbin/iptables-restore < /etc/my-iptables.rules
exit 0

#!/bin/sh
# /etc/network/if-post-down.d/iptablessave
/sbin/iptables-save -c > /etc/my-iptables.rules
if [ -f /etc/iptables.downrules ]; then
   /sbin/iptables-restore < /etc/iptables.downrules
fi
exit 0

Finally you have to make sure that both files are executable. For that you only need to execute the following commands once.

sudo chmod +x /etc/network/if-post-down.d/iptablessave
sudo chmod +x /etc/network/if-pre-up.d/iptablesload

At this point you can test what happens if you reboot your Ubuntu server (sudo reboot). After Ubuntu has restarted, just run sudo iptables -L on the shell. It should show you the rules we have defined. You should see something like this if you ran sudo ./iptables.DISABLE_4848.rules before rebooting:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: sshprobe side: source
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW recent: SET name: sshprobe side: source
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8181
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Your firewall settings are loaded automatically whenever Ubuntu is starting up. We can continue with the next steps. Please do not forget that these are only some minimum firewall settings. For maximum security you might need to add your own iptables rules.
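As an added check that is not part of the original tutorial, the following POSIX shell script audits a rule set saved with iptables-save (such as /etc/my-iptables.rules) for the properties this section sets up: no INPUT rule may accept port 4848, the INPUT chain must end with the catch-all DROP, and both REDIRECT rules must be present. The two sample rule sets it writes are constructed here to mirror what the DISABLE/ENABLE scripts produce, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a rule set saved with
# iptables-save, e.g. /etc/my-iptables.rules, for the properties the
# firewall script above is meant to guarantee. Function names are mine.

# 0 if some INPUT rule accepts tcp/4848, i.e. the AdminGUI is reachable
admin_gui_open() {
    grep -q -E '^-A INPUT .*--dport 4848 .*-j ACCEPT$' "$1"
}

# 0 if the last INPUT rule is the catch-all DROP (rules appended after
# it are never evaluated, and without it the policy ACCEPT applies)
input_ends_with_drop() {
    grep -E '^-A INPUT ' "$1" | tail -n 1 | grep -q -E '^-A INPUT -j DROP$'
}

# 0 if both PREROUTING redirections (80->8080, 443->8181) are present
redirects_present() {
    grep -q -E '^-A PREROUTING .*--dport 80 -j REDIRECT --to-ports 8080$' "$1" &&
    grep -q -E '^-A PREROUTING .*--dport 443 -j REDIRECT --to-ports 8181$' "$1"
}

# Prints one WARN line per failed property; returns 0 only if all pass.
audit_rules() {
    f=$1
    rc=0
    if admin_gui_open "$f"; then
        echo "WARN: $f accepts tcp/4848, the AdminGUI is reachable from outside"
        rc=1
    fi
    if ! input_ends_with_drop "$f"; then
        echo "WARN: $f does not end the INPUT chain with a DROP"
        rc=1
    fi
    if ! redirects_present "$f"; then
        echo "WARN: $f lacks the 80->8080 / 443->8181 redirections"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $f"
    fi
    return "$rc"
}

# Constructed sample in iptables-save format, mirroring what the tutorial's
# script produces. $1 = output file, $2 = "open" to include the 4848 rule.
write_sample_rules() {
    {
        echo '*nat'
        echo ':PREROUTING ACCEPT [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'
        echo '-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181'
        echo '-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'
        echo '-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181'
        echo 'COMMIT'
        echo '*filter'
        echo ':INPUT ACCEPT [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name sshprobe --rsource -j DROP'
        echo '-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name sshprobe --rsource -j ACCEPT'
        echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
        echo '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
        echo '-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'
        echo '-A INPUT -p tcp -m tcp --dport 8181 -j ACCEPT'
        echo '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'
        if [ "$2" = open ]; then
            echo '-A INPUT -p tcp -m tcp --dport 4848 -j ACCEPT'
        fi
        echo '-A INPUT -j DROP'
        echo 'COMMIT'
    } > "$1"
}

# Demonstration on the two constructed rule sets
# (real use: audit_rules /etc/my-iptables.rules)
tmp=$(mktemp -d)
write_sample_rules "$tmp/closed.rules" closed
write_sample_rules "$tmp/open.rules" open
audit_rules "$tmp/closed.rules"
audit_rules "$tmp/open.rules" || true
rm -rf "$tmp"
```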


2. Setting up Java

The next step is to set up Java. Glassfish requires at least JDK 6; it is certified with JDK 1.6.0_20, and any JDK newer than 1.6.0_20 should also work fine. I suggest removing OpenJDK first if you have it installed and then installing the Sun JDK and JRE.


#remove OpenJDK if installed
sudo apt-get remove openjdk-6-jre openjdk-6-jdk

#install Sun JDK
sudo apt-get install sun-java6-jdk  sun-java6-jre

#get rid of several automatically installed packages that are not needed anymore
sudo apt-get autoremove

#check JDK by looking in the /etc/alternatives/ directory
cd /etc/alternatives
ls -lrt java*

For Ubuntu 10.04 LTS you have to replace the sun-java6 install command above with the following, which first adds the partner repository (see the Ubuntu 10.04 LTS Release Notes for more details):

#maybe you have to execute this here first, else 
#add-apt-repository might fail
sudo apt-get install python-software-properties

#add new repository that contains sun java
sudo add-apt-repository "deb http://archive.canonical.com/ lucid partner"

#update to know about new repository
sudo apt-get update

#now install Sun JDK
sudo apt-get install sun-java6-jdk  sun-java6-jre

3. Downloading and Installing Glassfish

Now we can download Glassfish. I suggest switching to the user glassfish now, which we created in the first step. We want to download the Glassfish zip installation file to /home/glassfish/downloads/. Afterwards the zip file has to be extracted and the content moved to /home/glassfish/; this is everything needed for installing Glassfish. Usually the zip file is extracted to a directory called ./glassfishv3/. Make sure to move the content of ./glassfishv3/ and not ./glassfishv3/ itself to /home/glassfish/.

#if you don't have "unzip" installed run this first
sudo apt-get install unzip

#now switch user to the glassfish user we created (see step 1)
sudo su glassfish

#change to home dir of glassfish
cd /home/glassfish/

#create new directory if not already available
mkdir downloads

#go to the directory we created
cd /home/glassfish/downloads/

#download Glassfish and unzip
wget http://download.java.net/glassfish/3.0.1/release/glassfish-3.0.1.zip
unzip glassfish-3.0.1.zip

#move the relevant content to home directory
#(the shell's * does not match hidden files, so dot-directories stay behind)
mv /home/glassfish/downloads/glassfishv3/* /home/glassfish/
#if something has not been moved, then move it manually, e.g.:
mv /home/glassfish/downloads/glassfishv3/.org.opensolaris,pkg /home/glassfish/.org.opensolaris,pkg

#exit from glassfish user
exit

#change group of glassfish home directory to glassfishadm
sudo chgrp -R glassfishadm /home/glassfish

#just to make sure: change owner of glassfish home directory to glassfish
sudo chown -R glassfish /home/glassfish

#make sure the relevant files are executable
sudo chmod -R +x /home/glassfish/bin/
sudo chmod -R +x /home/glassfish/glassfish/bin/

At this point you can give it a try and start your Glassfish server. But do not forget to stop it again before you continue with the next steps. Here are the commands for starting and stopping Glassfish:

#now switch user to the glassfish user
sudo su glassfish

#start glassfish
/home/glassfish/bin/asadmin start-domain domain1
#check the output...

#stop glassfish
/home/glassfish/bin/asadmin stop-domain domain1
#check the output...

#exit from glassfish user
exit


4. Setting up an init script

Let's create an init script now. It helps you to start, stop and restart your Glassfish easily. We also need it to make Glassfish start automatically whenever Ubuntu reboots. The file we need to create is /etc/init.d/glassfish. For starting and stopping Glassfish we will use the asadmin tool that ships with Glassfish (we used it a little in the previous step). As you can see we do not use the --secure option yet. You should add it later, once we have enabled https; if you do not use --secure from then on, you will get some messages printed to the terminal, and adding --secure will suppress them.

#create and edit file
sudo vi /etc/init.d/glassfish

#(paste the lines below into the file and save it...):

#! /bin/sh

#if you face any problems add the path to your Java
#this way (see Jeffrey's comments below)
export AS_JAVA=/usr/lib/jvm/java-6-sun

GLASSFISHPATH=/home/glassfish/bin

case "$1" in
    start)
        echo "starting glassfish from $GLASSFISHPATH"
        sudo -u glassfish $GLASSFISHPATH/asadmin start-domain domain1
        #we need to use this later when we enable https
        #sudo -u glassfish $GLASSFISHPATH/asadmin --secure start-domain domain1
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    stop)
        echo "stopping glassfish from $GLASSFISHPATH"
        sudo -u glassfish $GLASSFISHPATH/asadmin stop-domain domain1
        #we need to use this later when we enable https
        #sudo -u glassfish $GLASSFISHPATH/asadmin --secure stop-domain domain1
        ;;
    *)
        #plain double quotes: the bash-only $"..." form is not understood by /bin/sh
        echo "usage: $0 {start|stop|restart}"
        exit 3
        ;;
esac
exit 0

As you can see Glassfish is started as the user glassfish. It's always a bad idea to run a web server as root. You should always use a restricted user, in our case the user glassfish. You will learn how to use the script we just created in the next steps.


5. Glassfish autostart: adding init script to default runlevels

The init script is set up. Now we can add it to the default run levels. This way our Glassfish will start up whenever Ubuntu is restarted.

#make the init script file executable
sudo chmod a+x /etc/init.d/glassfish

#configure Glassfish for autostart on ubuntu boot
sudo update-rc.d glassfish defaults

#if apache2 is installed:
#stopping apache2
sudo /etc/init.d/apache2 stop
#removing apache2 from autostart
sudo update-rc.d -f apache2 remove

From now on you can start, stop or restart your Glassfish like this (Ubuntu will also do it this way):

#start
/etc/init.d/glassfish start

#stop
/etc/init.d/glassfish stop

#restart
/etc/init.d/glassfish restart

6. Security configuration before first startup

Even now we should not really use Glassfish in production. We will now begin the configuration of Glassfish itself. You should always run these steps, for example changing the default passwords, enabling https, changing the default ssl certificate to be used for https etc. We will also put our attention on Glassfish obfuscation.

Our first step is to change the master password. Glassfish uses it to protect the domain-encrypted files from unauthorized access, e.g. the certificate store which contains the certificates for https communication. When Glassfish is starting up it tries to read such "secured" files, and for exactly this purpose Glassfish needs to be provided with the master password, either in an interactive or in a non-interactive way. I will choose the non-interactive way because we want our Glassfish to start up on Ubuntu reboot as a daemon (in the Windows world this would be called a service). This is necessary so that the start-domain command can start the server without having to prompt the user. To accomplish this we need to set the savemasterpassword option to true. This option indicates whether the master password should be written to the file system. The file is called master-password and can be found at <DOMAIN-DIR>/config/. Since anyone who can read this file can unlock the keystore, make sure it stays readable only by the glassfish user. To change the master password you have to ensure that Glassfish is not running; only then can you call the command change-master-password, which will interactively ask you for the new password.

#switch user to glassfish (stay with this user for complete Step 6!)
sudo su glassfish

#change master password, default=empty
/home/glassfish/bin/asadmin change-master-password --savemasterpassword=true
#prompt: choose your new master password ==> myMasterPwd

The next step is to change the administration password with change-admin-password. Because this command is a remote command, we need to ensure that Glassfish is running before we can execute it. Since we want "automatic login" we will create an admin password file allowing us to log in without being asked for credentials.

#now we have to start Glassfish
/home/glassfish/bin/asadmin start-domain domain1

#change admin password
/home/glassfish/bin/asadmin change-admin-password
#1. enter "admin" for user (default)
#2. hit enter because default pwd is empty
#3. choose you new pwd ==> myAdminPwd

#login for automatic login...
/home/glassfish/bin/asadmin login
#prompt:
#user = admin
#password = myAdminPwd
#==> stores file to /home/glassfish/.asadminpass

#now stop Glassfish
/home/glassfish/bin/asadmin stop-domain domain1


Glassfish comes with a pre-configured certificate which is used for ssl (https). You can see it in the keystore.jks file if you check for the alias s1as. But that also means that everybody else has this certificate, including its public key, private key, etc. With that information you could never be safe because "others" could "read" your data sent to Glassfish via https. That means you should always make sure to replace that pre-configured s1as entry in your keystore. But you should not delete it as long as the alias "s1as" is still in use (and by default it is in use for https...). I faced some strange behaviour as I did not think of that at the beginning, when I simply deleted s1as. Learn from my mistake and do not delete it for now... But we can help ourselves by generating a new alias first (myAlias), and whenever needed or wanted we can change each occurrence of s1as to myAlias (e.g. via admin console) and then finally delete s1as.

The following code box shows you the commands we need for modifying our Glassfish keystore. As you can see we first delete our pre-configured s1as entry (Glassfish mustn't be running!). Later a new s1as entry is generated - it is now unique for us!

#create new cert for https
cd /home/glassfish/glassfish/domains/domain1/config/
keytool -list -keystore keystore.jks -storepass myMasterPwd
keytool -delete -alias s1as -keystore keystore.jks -storepass myMasterPwd
keytool -keysize 2048 -genkey -alias myAlias -keyalg RSA -dname "CN=nabisoft,O=nabisoft,L=Mannheim,S=Baden-Wuerttemberg,C=Germany" -validity 3650 -keypass myMasterPwd -storepass myMasterPwd -keystore keystore.jks
keytool -keysize 2048 -genkey -alias s1as -keyalg RSA -dname "CN=nabisoft,O=nabisoft,L=Mannheim,S=Baden-Wuerttemberg,C=Germany" -validity 3650 -keypass myMasterPwd -storepass myMasterPwd -keystore keystore.jks
keytool -list -keystore keystore.jks -storepass myMasterPwd

Now we want to enable https for the admin console. Once we have done that we can be sure that nobody can listen to our data sent via https, because nobody else has our certificate, i.e. nobody can decrypt our password used for entering the admin console via browser (in case someone captured our packets). Because the certificate is self-signed, your browser will warn about it the first time; compare the fingerprint it shows with the output of keytool -list before accepting it. But this is not all we want to do here. We want to change some of the default JVM Options and we want to make our Glassfish not tell too much ("obfuscation").

The first JVM Option we will change is replacing the -client option with the -server option. I expect the java option -server to be the better choice when it comes to performance. I have also decided to change -Xmx512m (Glassfish default) to a higher value: -Xmx2048m. Furthermore I have added -Xms1024m. For more information about these options please check the documentation for the java launcher options.

All JVM Options so far are optional. But adding -Dproduct.name="" is a good idea for everyone. If you do not add it, each http/https response will contain a header field like this: Server: GlassFish Server Open Source Edition 3.0.1

This is a great piece of information for hackers, which is why you should disable it. We do not want Glassfish to talk too much, for security reasons!

We also don't want Glassfish to send the header X-Powered-By: Servlet/3.0 because this is telling everyone we are using a Servlet 3.0 container and that we are (of course) using Java. So we have to disable sending x-powered-by in the http/https headers - this is accomplished with the last three asadmin commands in the code box below. Now our Glassfish is working in silent mode - it is not telling too much any more. Glassfish obfuscation accomplished.

# the commands here change the file at
# /home/glassfish/glassfish/domains/domain1/config/domain.xml

#first we have to start Glassfish
/home/glassfish/bin/asadmin start-domain domain1

# enable https for admin console
/home/glassfish/bin/asadmin set server-config.network-config.protocols.protocol.admin-listener.security-enabled=true
#==> from now on you always have to use "asadmin --secure ..."
#so in /etc/init.d/glassfish uncomment the two asadmin lines with --secure
#and comment out the two without it

#change JVM Options
#list current jvm options
/home/glassfish/bin/asadmin --secure list-jvm-options
#now start setting some important jvm settings
/home/glassfish/bin/asadmin --secure delete-jvm-options -- -client
/home/glassfish/bin/asadmin --secure create-jvm-options -- -server
/home/glassfish/bin/asadmin --secure delete-jvm-options -- -Xmx512m
/home/glassfish/bin/asadmin --secure create-jvm-options -- -Xmx2048m
/home/glassfish/bin/asadmin --secure create-jvm-options -- -Xms1024m
#get rid of http header field value "server" (Glassfish obfuscation)
/home/glassfish/bin/asadmin --secure create-jvm-options -Dproduct.name=""
#restart to take effect
/home/glassfish/bin/asadmin --secure stop-domain domain1
/home/glassfish/bin/asadmin --secure start-domain domain1
#what jvm options are configured now?
/home/glassfish/bin/asadmin --secure list-jvm-options

#disable sending x-powered-by in http header (Glassfish obfuscation)
/home/glassfish/bin/asadmin --secure set server.network-config.protocols.protocol.http-listener-1.http.xpowered-by=false
/home/glassfish/bin/asadmin --secure set server.network-config.protocols.protocol.http-listener-2.http.xpowered-by=false
/home/glassfish/bin/asadmin --secure set server.network-config.protocols.protocol.admin-listener.http.xpowered-by=false

#we are done with user glassfish
exit
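As an added check, not part of the original tutorial, the following POSIX shell script verifies the "obfuscation" step: it reads raw HTTP response headers and reports any Server: or X-Powered-By: header that still carries a value. The before/after header samples are constructed here to match the header values quoted above; the function names and the curl-based live check are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify that the Server and
# X-Powered-By headers are gone after the asadmin changes above.
# Function names are mine.

# Reads raw HTTP response headers on stdin and prints every Server: or
# X-Powered-By: header that still has a value. Returns 0 when nothing
# leaks and 1 when at least one header gives the stack away.
leaky_headers() {
    # drop CR so the CRLF output of curl -I works too; match case-insensitively;
    # an empty value (as left behind by -Dproduct.name="") is not a leak
    found=$(tr -d '\r' | grep -i -E '^(server|x-powered-by): *[^ ]' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Live check against a running server, e.g. check_live https://www.yourserver.com/
# (-I sends a HEAD request and prints only the response headers; -k accepts the
# self-signed certificate from step 6 for this header check only)
check_live() {
    curl -s -I -k --max-time 5 "$1" | leaky_headers
}

# Constructed samples: a Glassfish 3.0.1 response before and after the
# product.name / xpowered-by changes above
BEFORE='HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 3.0.1
X-Powered-By: Servlet/3.0
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0'

AFTER='HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0'

# Demonstration on the constructed samples
printf '%s\n' "$BEFORE" | leaky_headers || echo "before hardening: the headers above leak the stack"
printf '%s\n' "$AFTER"  | leaky_headers && echo "after hardening: nothing leaked"
```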

7. Run Glassfish

Finally we have come to where we wanted to be. We have installed, secured and configured our Glassfish installation.

#starting glassfish
sudo /etc/init.d/glassfish start

#remove glassfish from autostart
#update-rc.d -f glassfish remove

Comments

Iptables
posted by KevinMorton
Mon Jun 17 16:30:22 UTC 2013
Hi thanks for your work! 

I got through everything but the IP tables I'm not sure what I should be doing.

Would you be able to do a step by step on that part, I'd appreciate it.

and the java install no longer works with Ubuntu 13. 

thank you
posted by Cristi
Mon Apr 22 21:13:28 UTC 2013
Thank you for this great tutorial. it helped me a lot.

Amazing job!!!
posted by CyberGriZzly
Tue Sep 18 21:36:24 UTC 2012
Thank you very much for this tutorial! It works like a charm. Awesome job!

How to uninstall?
posted by Roberto Oropeza
Thu Jun 21 18:15:04 UTC 2012
Thanks a lot, I've used these steps and successfully installed on Ubuntu 12.04, now I want to uninstall it (I will use the NetBeans' glassfish for developing). How do I uninstall it?

default master password
posted by zekeriya koç
Fri Apr 06 13:07:48 UTC 2012
with the version 3.1.2 default master password is not empty. it is "changeit"

and thanks for this great guide. i followed it and i have a running server now without any problems of installation.

Glassfish 3.1.2 installation
posted by Nabi
Fri Mar 09 07:52:42 UTC 2012
Please see here: https://www.nabisoft.com/tutorials/glassfish/installing-glassfish-311-on-ubuntu

The tutorial is actually for GF 3.1.1 but maybe it works also for 3.1.2 (I still have to validate that).

Thanks for sharing this tutorial
posted by Abhijeet
Thu Mar 08 16:33:41 UTC 2012
Thanks for sharing this tutorial. This is very helpful to us for configuring the security of glassfish and the iptables configuration. It is very fine work for glassfish-3.0.1.

I have one problem.
As per your tutorial I tried it on glassfish 3.1.2.
When I execute the following command,
"/home/glassfish/bin/asadmin set server-config.network-config.protocols.protocol.admin-listener.security-enabled=true"

it gives the error
"java.net.socketexception unexpected end of file from server"

If you have any solution on this please give me a reply.

Once again thanks for sharing this tutorial.

RE: What about changing certificate for 8181?
posted by Nabi
Tue Mar 06 09:00:12 UTC 2012
hi S.M.O.G.,
I have created another tutorial for gf 3.1.1 on ubuntu 10.04 lts, so you may want to check it: https://www.nabisoft.com/tutorials/glassfish/installing-glassfish-311-on-ubuntu

it should contain everything you need. this one here only works 100% for gf 3.0.1 - I think it's a good idea to keep it archived here instead of deleting it...

@everybody: in the top right corner you can see an info box titled "Glassfish Tutorials" which tells you about the GF installation tutorials I have created so far. this one here is kind of outdated, since (as you can see in the info box) I also offer a tutorial about gf 3.1.1 on ubuntu 10.04 lts (it should also work for gf 3.1.2 but I still have to verify that...).

how to deploy project on glassfish after setting security
posted by Abhi
Tue Mar 06 06:48:51 UTC 2012
hi
  how do I deploy an application on glassfish after setting the security rules for glassfish and ubuntu 11.04? or which port should be opened on glassfish to deploy an application?


What about changing certificate for 8181?
posted by S.M.O.G.
Mon Mar 05 11:25:37 UTC 2012
Hi folks!
This tutorial is just great! It helped me so badly in configuring my glassfish server, and you should integrate the step in touchdown's comment, cause they are needed for it to work with Glassfish 3.1+

I have a question:
Thanks to your steps I've been able to change the certificate for admin remote access to the ones I wanted to, but I'd like to change the 8181 ones also, cause they seem to be still the old default ones.
Any clue on how to do it?

Thank you so much again!

all good
posted by vladinooo
Wed Feb 15 13:06:14 UTC 2012
Great tutorial Nabi! And thanks to touchdown all works now.
PS: don't forget to restart your glassfish after touchdown's step 3.

install glassfish
posted by nellysa
Wed Oct 12 05:27:10 UTC 2011
yeah

Differences 3.0.1 / 3.1 and SSL problems
posted by touchdown
Sun Apr 17 00:37:23 UTC 2011
I think I solved the problems I had. So with version 3.1 it is a bit different:

1) I could change the master password right after unzipping glassfish before touching anything (and sorry for the typo in my previous post for the default value, it is "changeit").

2) In the "keystore.jks" there is another certificate with the alias "glassfish-instance". Instead of creating a custom alias I just remade the existing certificates:

keytool -delete -alias s1as -keystore keystore.jks -storepass <pass>
keytool -delete -alias glassfish-instance -keystore keystore.jks -storepass <pass>
keytool -keysize 2048 -genkey -alias s1as -keyalg RSA -dname "CN=X,O=X,L=Muenchen,S=Bayern,C=Germany" -validity 3650 -keypass <pass> -storepass <pass> -keystore keystore.jks
keytool -keysize 2048 -genkey -alias glassfish-instance -keyalg RSA -dname "CN=X,O=X,L=Muenchen,S=Bayern,C=Germany" -validity 3650 -keypass <pass> -storepass <pass> -keystore keystore.jks

But that did not work at first (Could not access admin page). I had to update the certificates in "cacerts.jks" (I do not know if they have to be the same as in "keystore.jks", so I just used them):

keytool -export -alias glassfish-instance -file glassfish-instance.cert -keystore keystore.jks -storepass <pass>
keytool -export -alias s1as -file s1as.cert -keystore keystore.jks -storepass <pass>
keytool -delete -alias glassfish-instance -keystore cacerts.jks -storepass <pass>
keytool -delete -alias s1as -keystore cacerts.jks -storepass <pass>
keytool -import -alias s1as -file s1as.cert -keystore cacerts.jks -storepass <pass>
keytool -import -alias glassfish-instance -file glassfish-instance.cert -keystore cacerts.jks -storepass <pass>

3) "/home/glassfish/bin/asadmin set server-config.network-config.protocols.protocol.admin-listener.security-enabled=true" seems to be replaced with "/home/glassfish/bin/asadmin enable-secure-admin" in 3.1.
It seems to work slightly differently, the listener is configured non-SSL (as seen in the admin gui), but calling http://xxx:4848 redirects to https://xxx:4848. You can also call asadmin with or without "--secure", both seem to work, but according to the documentation "enable-secure-admin" secures remote access and encrypts admin traffic.

Cannot change master password
posted by touchdown
Sat Apr 16 14:59:58 UTC 2011
I cannot change the master password on a new installation of GlassFish 3.1 (btw. the default password is "chageit").
I get the following error:

./asadmin change-master-password --savemasterpassword=true
Enter the current master password>
Enter the new master password>
Enter the new master password again>
Keystore was tampered with, or password was incorrect
Command change-master-password failed.
Glassfish 3.1 Differences
posted by Helge
Thu Apr 14 15:10:30 UTC 2011
add "enable-secure-admin" after setting admin-listener.
Then it should work OK.
Glassfish 3.1 Differences
posted by Andy
Fri Mar 18 22:49:49 UTC 2011
I've configured a couple of Glassfish 3.0.1 servers with these instructions without any problem.  However when I try applying these instructions to a version 3.1 server, I seem to keep getting stuck at securing the server.  In particular, there are some differences.

1)  There are two keys in the default keystore.  The 's1as' key is still there, but another named 'glassfish-instance' is also there.  When I saw this, I deleted and recreated them both along with a 'myAlias' key which I was going to use where needed.

2)  When turning the security on it seems like part of the server thinks it's on, but others don't.  For instance:

$ /home/glassfish/bin/asadmin set server-config.network-config.protocols.protocol.admin-listener.security-enabled=true
server-config.network-config.protocols.protocol.admin-listener.security-enabled=true
Command set executed successfully.

$ /home/glassfish/bin/asadmin get server-config.network-config.protocols.protocol.admin-listener.security-enabled
server-config.network-config.protocols.protocol.admin-listener.security-enabled=true
Command get executed successfully.

$ /home/glassfish/bin/asadmin --secure list-jvm-options
It appears that server [localhost:4848] does not accept secure connections. Retry with --secure=false.
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Command list-jvm-options failed.

$ /home/glassfish/bin/asadmin --secure=false list-jvm-options
-XX:MaxPermSize=192m
-client
-Djavax.management.builder.initial=com.sun.enterprise.v3.admin.AppServerMBeanServerBuilder
-XX: UnlockDiagnosticVMOptions
-Djava.endorsed.dirs=${com.sun.aas.installRoot}/modules/endorsed${path.separator}${com.sun.aas.installRoot}/lib/endorsed
-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as
-Xmx512m
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks
-Djava.ext.dirs=${com.sun.aas.javaRoot}/lib/ext${path.separator}${com.sun.aas.javaRoot}/jre/lib/ext${path.separator}${com.sun.aas.instanceRoot}/lib/ext
-Djdbc.drivers=org.apache.derby.jdbc.ClientDriver
-DANTLR_USE_DIRECT_CLASS_LOADING=true
-Dcom.sun.enterprise.config.config_environment_factory_class=com.sun.enterprise.config.serverbeans.AppserverConfigEnvironmentFactory
-Dorg.glassfish.additionalOSGiBundlesToStart=org.apache.felix.shell,org.apache.felix.gogo.runtime,org.apache.felix.gogo.shell,org.apache.felix.gogo.command
-Dosgi.shell.telnet.port=6666
-Dosgi.shell.telnet.maxconn=1
-Dosgi.shell.telnet.ip=127.0.0.1
-Dgosh.args=--nointeractive
-Dfelix.fileinstall.dir=${com.sun.aas.installRoot}/modules/autostart/
-Dfelix.fileinstall.poll=5000
-Dfelix.fileinstall.log.level=2
-Dfelix.fileinstall.bundles.new.start=true
-Dfelix.fileinstall.bundles.startTransient=true
-Dfelix.fileinstall.disableConfigSave=false
-XX:NewRatio=2
Command list-jvm-options executed successfully.

Also the admin console responds only to http (not https) requests.

Thoughts?
 
Glassfish Tutorial
posted by Mike
Fri Mar 18 06:15:24 UTC 2011
Nabi Zamani,

You are amazing.  This worked so well and saved me so much time and angst.  BTW, I did not have enough memory on my server to increase the memory on JVM, so I stuck with lower values.  I have to wait and see how the performance is when the server gets loaded.

PS. This was so good, I'm going to go through your other tutorials too.

Thanks,

Mike
Trouble deleting iptable rules
posted by John
Fri Mar 18 00:22:38 UTC 2011
First of all, thanks for the great tutorial. It is fantastic !

After going through the whole process, I realized, that for our particular setup, we needed to redirect to 8443 instead of 8181.

When I went back to change the iptables, I noticed the REDIRECT rules were being appended.

So it turns out the iptables -F command only deletes the filter rules that are created, but not the redirect rules.

You also need to do...
iptables -F -t nat

And that will clear the other rules.  It took me about 3 hours to figure out how to do that, and I just wanted to save someone else that headache.

Cheers
Missing piece...
posted by Karl
Sat Mar 05 21:46:15 UTC 2011
Hi Nabi,
Going through this, I noticed a bit that you might want to add to the replacement of OpenJDK with Sun JDK: you need to run this:
sudo update-java-alternatives -v -s java-6-sun

to make sure your environment is pointed to a valid install if you are replacing.

Thanks for your work on this. So far so good (except this one bit). I'm primarily interested in how this will work in my Netbeans environment. First attempt at installing the Netbeans 6.9/Glassfish 3.0.1 bundle was a disaster. Trying to do this separately using your instructions here.
Problem while creating the iptables settings (1. Setting up the OS environment)
posted by Philipp
Sun Feb 20 23:11:37 UTC 2011
Hey!

This is a wonderful tutorial, especially for inexperienced Linux users like me.

I want to get in touch with Java EE 6 development in the next weeks. And since I operate a small file server here at home, my idea is to use this machine also for running Glassfish 3.
So, I've installed Ubuntu Server Edition 10.10 running in a VM. But since I only know the basic concepts of Linux, I already have problems while performing the first step (1. Setting up the OS environment) of your tutorial.

I'm about to set up the iptables. So, I created two files on my Win7 laptop (iptables.DISABLE_4848.rules & iptables.ENABLE_4848.rules) with the mentioned contents. Then, I uploaded these files to my webspace in order to download them on my Ubuntu machine.

Now, at my Ubuntu machine, I do the following:

pt@ubuntu:~$ mkdir ./ipscripts
pt@ubuntu:~$ cd ipscripts
pt@ubuntu:~/ipscripts$ wget http://mywebspace.com/iptables.DISABLE_4848.rules
pt@ubuntu:~/ipscripts$ wget http://mywebspace.com/iptables.ENABLE_4848.rules
pt@ubuntu:~/ipscripts$ ls
iptables.DISABLE_4848.rules   iptables.ENABLE_4848.rules
pt@ubuntu:~/ipscripts$ chmod +x ./iptables.DISABLE_4848.rules
pt@ubuntu:~/ipscripts$ chmod +x ./iptables.ENABLE_4848.rules

So, now I have both files on my Ubuntu machine and both files may be executed.

But when I run one of those files, I get a strange error:
pt@ubuntu:~/ipscripts$ sudo ./iptables.DISABLE_4848.rules
[sudo] password for pt: TYPING_IN_PASSWORD
sudo: unable to execute ./iptables.DISABLE_4848.rules: No such file or directory

I don't understand this, because obviously the file is available.

I appreciate your support and sorry for my bad English! :-)

Best regards from Germany!
Philipp
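The symptom in the post above (a file that is present and executable, yet sudo reports "No such file or directory") is what the kernel returns when the interpreter named in the script's "#!" line cannot be found, and a script saved on Windows usually ends that line with a carriage return, so the kernel asks for "/bin/sh<CR>". The check and fix below are an added example, not part of the tutorial or of the poster's files; the rules file it creates is constructed, and the CRLF cause is an assumption about this particular case.

```shell
#!/bin/sh
# Added example (not from the tutorial): explain and repair the
# "sudo: unable to execute ./x: No such file or directory" error for a
# script that exists and has mode +x. The kernel resolves the interpreter
# from the "#!" line; a Windows-edited file ends that line with CR LF, so
# the interpreter path becomes "/bin/sh<CR>", which does not exist.

cr=$(printf '\r')

# Report why exec would fail for a script. Prints one of "no-shebang",
# "crlf", "missing-interpreter" (and returns 1) or "ok" (returns 0).
check_shebang() {
    first=$(head -n 1 "$1")
    case "$first" in
        "#!"*) ;;
        *) echo no-shebang; return 1 ;;
    esac
    case "$first" in
        *"$cr"*) echo crlf; return 1 ;;
    esac
    interp=${first#"#!"}      # drop the "#!" prefix
    interp=${interp%% *}      # drop interpreter arguments such as "-e"
    if [ ! -x "$interp" ]; then
        echo missing-interpreter; return 1
    fi
    echo ok
}

# Strip carriage returns in place (what dos2unix does). Writing back through
# the original file keeps its mode bits and ownership.
fix_crlf() {
    tmp="$1.tmp"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed demo: a rules file as it arrives from a Windows editor (CR LF).
demo=$(mktemp -d)
f="$demo/iptables.DISABLE_4848.rules"
printf '#!/bin/sh\r\niptables -F\r\n' > "$f"
chmod +x "$f"
check_shebang "$f" || fix_crlf "$f"   # prints "crlf", then repairs the file
check_shebang "$f"                    # prints "ok"
rm -r "$demo"
```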
Great Info
posted by Kenneth
Sat Feb 05 11:57:17 UTC 2011
Thanks for the tutorial, I've been looking for such information but none has your level of detail.

Great info for Glassfish Server installation!
fail to start glassfish server after stopping it
posted by Jay
Tue Feb 01 13:51:11 UTC 2011
I have stopped the glassfish server using the ./asadmin stop-domain command, and my server stopped. Now I am again starting the same server using ./asadmin start-domain, but now it's unable to start. In the console first it shows "Starting Domain domain1, please wait..", then a popup box comes up showing the error "Host is not communicating..".

Please help me, I am not able to restart the server again.. :(
some more security settings
posted by Christoph Bernhofer
Tue Jan 11 15:28:24 UTC 2011
disable TRACE in HTTP Protocol:
network-config>protocols>protocol>http-listener>http>trace --> uncheck

use only stronger SSL cipher Suites:
network-config>protocols>protocol>http-listener>
Select suites you want (at least 128bit)
--> but later you need to modify the domain.xml and remove the "+" in front of the cipher suites so that it looks like:
<ssl ssl3-tls-ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" cert-nickname="*******" tls-enabled="false" /> 
Top guide
posted by Darren
Sat Jan 01 20:41:29 UTC 2011
Thanks
Great Tutorial
posted by Harry Hartley
Thu Dec 30 02:34:28 UTC 2010
Can you please add more descriptive text about what you are doing in section 6. The post does a great job of explaining stuff in the beginning of the article, but doesn't explain anything at the last.
Thanks for the tutorial !
posted by Barry
Wed Dec 29 19:42:12 UTC 2010
Thanks for the instructions on getting GlassFish up and running on Ubuntu !
I was having nothing but problems with this on my own so you've really saved me a lot of time and headaches. 
Thanks !
RE: SSL problem with Glassfish on an Amazon EC2 instance
posted by Aidan
Tue Dec 21 11:06:56 UTC 2010
Hi Nabi,
Thanks for the response [via Email]. I did actually manage to fix my problem. It stemmed entirely from entering my password incorrectly when generating the certs in the security configuration. Deleting them and regenerating them fixed it.  

Thanks,
Aidan
SSL problem with Glassfish on an Amazon EC2 instance
posted by Aidan
Sun Dec 12 02:06:45 UTC 2010
Hey,

Great instructions for installing Glassfish on Ubuntu, really thorough.  I thought I'd try and run through them and try and get glassfish up and running on an Amazon EC2 instance, and ran into a little difficulty, and was wondering if you could help.

Everything was going great, I got it installed and running fine, it was only when I got half way through section 6 and executed the following command that things started going wrong:

/home/glassfish/bin/asadmin set server-config.network-config.protocols.protocol.admin-listener.security-enabled=true

Now, any command I execute for asadmin fails like so:

/home/glassfish
glassfish@X:~$ /home/glassfish/bin/asadmin --secure list-jvm-options
It appears that server [localhost:4848] does not accept secure connections.
Retry with --secure=false.
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Command list-jvm-options failed.
glassfish@X:~$ /home/glassfish/bin/asadmin list-jvm-options
java.net.SocketException: Unexpected end of file from server
Command list-jvm-options failed.

As you can see both secure and unsecure fail so I cannot issue any commands using asadmin (I can't even start or stop it!). Running netstat I can see that the server is up and running and listening on port 4848. And if I hit port 8080 in a web browser then the welcome page comes up so there doesn't appear to be any issue with the server itself, just the SSL connection.

The stack trace I am seeing in server.log is below which seems to indicate it's having trouble getting the keystore:

[#|2010-12-12T00:40:32.991+0000|WARNING|glassfish3.0.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=24;_ThreadName=Thread-1;|SSL support could not be configured!
java.io.IOException: Cannot recover key
       at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:183)...

[#|2010-12-12T00:40:32.992+0000|SEVERE|glassfish3.0.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=24;_ThreadName=Thread-1;|ProtocolChain exception
java.lang.NullPointerException
[#|2010-12-12T00:41:03.991+0000|WARNING|glassfish3.0.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=25;_ThreadName=Thread-1;|SSL support could not be configured!
java.io.IOException: Cannot recover key
...
Thanks a lot for tutorial
posted by Andrei R.
Mon Nov 29 03:42:09 UTC 2010
Nabi.
Thanks a lot for your Tutorial.
This is very helpful.
Today I was able to complete the work I was planning for weeks.

Appreciate your help.

Regards, 
Andrei.
RE: Glassfish answer file
posted by Jeffrey P.
Sun Nov 28 17:32:23 UTC 2010
I had to add: 

  AS_JAVA=/usr/local/java/bin 

to the asadmin script.

Thank you for the tutorial ... I am going to try to use glassfish with gwt.

I am new to using an application server.

Jeff.
Glassfish answer file
posted by Jeffrey P.
Sun Nov 28 15:30:07 UTC 2010
I am going through your glassfish setup tutorial -- it is very good! -- Thanks.

I have one question: 

How do I create the glassfish answer file without having the gui stuff loaded on my server?

I get the following error:

root@ubuntu:/usr/local/glassfish/glassfish/config# /etc/init.d/glassfish start
starting glassfish from /usr/local/glassfish/bin
exec: 17: java: not found