change-master-password command in Glassfish 3.1

Glassfish 3.1 has been released! You can find more information at this link.

Today we will cover one of the 3.1 commands, change-master-password, and some changes we made with respect to 2.1.

The master password is the password used to encrypt the DAS (and instance) keystore. The DAS and its associated server instances therefore need the password to open the keystore at startup. The master password is the same for the DAS and all instances in the domain. The default master password is "changeit". The master password can be saved in a master-password file.

The master-password file is located at:

  1. DAS: domains/domainname/master-password
  2. Instance: nodes/node-name/agent/master-password

A master password can be set during domain or instance creation by entering it interactively. It is saved to the master-password file if the --savemasterpassword option is used. This is supported by:

  1. create-domain
  2. create-local-instance

A master password is provided during domain or instance startup via the master-password file or by entering it interactively. This is supported by:

  1. start-domain
  2. start-local-instance

The change-master-password command is a local command used to change the master password. The master password may be changed on the DAS by running change-master-password. The DAS must be down to run this command. change-master-password supports the --savemasterpassword option so that the master password can be saved in a master-password file. The same command can be used to change the master-password file on an instance.


Options for change-master-password

--savemasterpassword

This option indicates whether the master password should be written to the file system. This is necessary so that start-domain and start-local-instance can start the server without having to prompt the user for the password. Defaults to false.

NOTE: if savemasterpassword is not set, the master password file, if it exists, will be deleted.

--nodedir

This option is used when changing the master password for a node. You can specify a nodedir which is your <gf>/nodes. If the option is omitted, then it defaults to <installdir>/glassfish/nodes. Omitting it doesn't cause the change to be applied to the whole domain.

--domaindir

This option is used when changing the master password for the DAS. Typically this is <gf>/domains. It is an error to specify both domaindir and nodedir together.

Operands
[domain_name_or_node_name]

domain_name

This is the domain name whose password is to be changed.

node_name

This is the name of the node agent whose password is to be changed.


For the first instance created on a node, you can't start it until the master password is set and saved to the file.

From that point on you should be able to create new instances and start existing instances on the node.

Please refer to the following screencast for more information.
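
Because --savemasterpassword leaves the keystore password on disk, it is worth checking who can read the saved files. The script below is an added example, not code from the original post or from the GlassFish project: it looks in the two master-password locations listed above and flags any file that group or other users can access. The function names and the OK/EXPOSED labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit saved GlassFish master-password files.
# Locations are the ones given in the post:
#   DAS:      <domaindir>/<domain-name>/master-password
#   Instance: <nodedir>/<node-name>/agent/master-password
# Function names and the OK/EXPOSED labels are assumptions of this example.

# Succeeds when group or other hold any permission bit on the file.
# Uses only POSIX find(1) tests so it works with GNU and BSD find.
is_overexposed() {
    [ -n "$(find -L "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Prints "OK <path>" or "EXPOSED <path>" for each saved master-password file.
# Exit status is 1 if any file is exposed, 0 otherwise.
# The body is a subshell, so its variables do not leak into the caller.
audit_master_passwords() (
    domaindir=$1
    nodedir=$2
    rc=0
    for f in "$domaindir"/*/master-password \
             "$nodedir"/*/agent/master-password; do
        [ -f "$f" ] || continue   # unmatched glob, or not a regular file
        if is_overexposed "$f"; then
            echo "EXPOSED $f"
            rc=1
        else
            echo "OK $f"
        fi
    done
    exit "$rc"
)

# Stand-alone use: sh audit.sh <domaindir> <nodedir>
if [ "$#" -eq 2 ]; then
    audit_master_passwords "$1" "$2"
fi
```

A file reported as EXPOSED can be restricted to its owner with chmod 600, assuming the server runs as that owner.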


Comments:

Is the master password obfuscated (reversibly hashed or encrypted) when it is stored in the file system by the '--savemasterpassword' option? If so, what algorithm is used to obfuscate the password? I have a customer who currently uses Sun Application Server 8.1 and has run into difficulties during security evaluations due to the requirement to save the password on the file system in plain text.

Posted by Markus Zellner on March 01, 2011 at 01:36 PM PST #

About

user12615559
