Thursday Mar 01, 2012

GlassFish 3.1.2: Secure By Default Changes

Secure by default is the characteristic of software where its default installation results in a secure configuration. Often there is a trade-off between ease of use and the degree of default security.

In GlassFish 3.1.2 we have improved the secure by default behavior, and we've tried to do so without impacting the ease of use that GlassFish is known for (at least not impacting it too much). We had two main goals we were trying to satisfy in 3.1.2:

  1. More actively encourage the user to set an admin password at installation time.
  2. Require an admin password whenever remote administration (aka "secure admin") is enabled.

To achieve this you'll notice the following changes when you use 3.1.2:

  1. The installer now prompts for an admin password even in the default installation mode. You are still allowed to choose no password because remote administration is not enabled out of the box.
  2. Any time remote administration is enabled (by running the enable-secure-admin command for example), you will be required to have an admin password set. Basically GlassFish will do what it can to prevent you from enabling remote administration while not having an admin password.
  3. For the Oracle GlassFish Server commercial zip distributions (where there is no installer) you will be prompted for an admin password the first time you start the default domain (DAS). And just like with the installer, you are still allowed to choose no password because remote administration is not enabled out of the box. The open source / community zips continue to behave as they did in 3.1.1 (no prompting).

One issue our QA organization ran into when running their automated tests on the Oracle GlassFish Server commercial zip bundles had to do with their scripts that automatically installed (unzipped) GlassFish and started the default domain. These scripts started failing because the server was prompting for an admin password at startup.

The solution is to use the change-admin-password command to set an admin password before starting the domain. As part of the 3.1.2 changes we enhanced change-admin-password so that it can be run without the domain (DAS) running if you use the "--domain_name" option. Here is an example of how to set the admin password on a domain before starting it for the first time (command output removed for brevity):

$ unzip ogs-3.1.2-web.zip
$ cd glassfish3/glassfish
$ touch /tmp/password.txt
$ chmod 600 /tmp/password.txt
$ echo "AS_ADMIN_PASSWORD=" > /tmp/password.txt
$ echo "AS_ADMIN_NEWPASSWORD=newadminpassword" >> /tmp/password.txt
$ bin/asadmin --user admin --passwordfile /tmp/password.txt change-admin-password \
    --domain_name domain1
$ rm /tmp/password.txt
$ bin/asadmin start-domain

This does the following:

  • Installs GlassFish by unzipping the zip.
  • Creates a file (/tmp/password.txt) to supply passwords to the asadmin command. We make sure the file is readable only by the user running asadmin, and for security purposes we remove the file when we are done. The file has two lines that look like:

      AS_ADMIN_PASSWORD=
      AS_ADMIN_NEWPASSWORD=newadminpassword
  • Uses the asadmin change-admin-password command to set the admin password on the domain. Now the domain can be started.
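
For unattended installs on shared hosts, the same steps can be scripted without a fixed /tmp file name; the following is an added example, not part of the original post or of GlassFish. The function names and the ASADMIN and NEW_ADMIN_PASSWORD variables are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: hardened variant of the password-file steps in the post.
# Assumed names (not from the post): make_password_file, set_admin_password,
# the ASADMIN and NEW_ADMIN_PASSWORD variables.
set -u

# Create the asadmin password file and print its path.
# mktemp picks an unpredictable name and creates the file with mode 0600,
# so there is no window where it is readable by others and no fixed
# /tmp path that another local user could pre-create or symlink.
make_password_file() {
    # Reject values that would break the KEY=value line format.
    [ -n "$1" ] || { echo "empty password" >&2; return 1; }
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || { echo "newline in password" >&2; return 1; }
    pwfile=$(mktemp "${TMPDIR:-/tmp}/asadmin-pw.XXXXXXXX") || return 1
    {
        printf 'AS_ADMIN_PASSWORD=\n'
        printf 'AS_ADMIN_NEWPASSWORD=%s\n' "$1"
    } > "$pwfile" || { rm -f "$pwfile"; return 1; }
    printf '%s\n' "$pwfile"
}

# Set the admin password on a stopped domain ($1 = domain, $2 = password).
# Runs in a subshell so the EXIT trap removes the file whether asadmin
# succeeds or fails.
set_admin_password() (
    file=$(make_password_file "$2") || exit 1
    trap 'rm -f "$file"' EXIT
    "${ASADMIN:-bin/asadmin}" --user admin --passwordfile "$file" \
        change-admin-password --domain_name "$1" || exit $?
)

# Same sequence as the post, run from glassfish3/glassfish. The password comes
# from the environment instead of being written into the script.
if [ -x "${ASADMIN:-bin/asadmin}" ] && [ -n "${NEW_ADMIN_PASSWORD:-}" ]; then
    set_admin_password domain1 "$NEW_ADMIN_PASSWORD" &&
        "${ASADMIN:-bin/asadmin}" start-domain
fi
```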

For more information about security changes in GlassFish 3.1.2 see Tim Quinn's blog entry, and as always the GlassFish Security Guide is recommended reading.


About

jdipol
