GlassFish in Production
By Brian Leonard on Feb 19, 2009
Last week I noted how to install and configure GlassFish on your development machine. In a production environment, your needs and setup are a bit different. So here are my suggestions on how to deploy GlassFish in production. If you have better ideas or experiences, please share them and I'll update the entry.
Step 1: Install GlassFish
bleonard@opensolaris:~$ pfexec pkg install glassfishv2
PHASE                        ITEMS
Indexing Packages          554/554
DOWNLOAD                      PKGS      FILES       XFER (MB)
Completed                    12/12  6363/6363   142.44/142.44
PHASE                      ACTIONS
Install Phase            7404/7404
Reading Existing Index         9/9
Indexing Packages            12/12
Assuming you are going to run GlassFish using its cluster profile, you also need to install the SUNWjdmk-base package:
bleonard@opensolaris:$ pfexec pkg install SUNWjdmk-base
DOWNLOAD                      PKGS      FILES       XFER (MB)
Completed                      1/1        3/3       1.09/1.09
PHASE                      ACTIONS
Install Phase                10/10
PHASE                        ITEMS
Reading Existing Index         9/9
Indexing Packages              1/1
There are still a few more hoops you need to jump through in order to get GlassFish to recognize the JDMK libraries. The SUNWjdmk-base package installs them into /usr/share/lib/jdmk. However, GlassFish looks for them in /opt/SUNWjdmk/5.1/lib. The easiest way to fix this is to add a link in /opt:
pfexec mkdir /opt/SUNWjdmk
pfexec mkdir /opt/SUNWjdmk/5.1
pfexec ln -s /usr/share/lib/jdmk /opt/SUNWjdmk/5.1/lib
Step 2: Create a User to Manage the Server
The application server stores configuration information in the user's home directory, so we need an actual user account (instead of just a role). I'm going to create a user and group called appservr. Users on the system can then switch to the appservr user to administer the server.
bleonard@opensolaris:$ pfexec groupadd appservr
bleonard@opensolaris:$ pfexec useradd -g appservr -b /export/home -c "Application Server Administrator" -m appservr
80 blocks
bleonard@opensolaris:$ pfexec passwd appservr
New Password:
Re-enter new Password:
passwd: password successfully changed for appserv
Step 3: Create the Domains Directory
GlassFish will create its domains in the /var directory. You can change the location in the /usr/appserver/config/asenv.conf file. But assuming you want to leave it set to /var, we need to create a directory writable by the appservr user:
bleonard@opensolaris:$ pfexec mkdir /var/appserver
bleonard@opensolaris:$ pfexec chown appservr:appservr /var/appserver/
Step 4: Create and Start the Domain
Now you should be able to turn over control of the application server to any other user on the system. They simply need to switch to the appservr user:
bleonard@opensolaris:~$ su appservr
Password:
Sun Microsystems Inc.   SunOS 5.11      snv_101b        November 2008
Then they're free to administer the server - create domains, etc...
$ asadmin create-domain --user admin --adminport 4848 --profile cluster domain1
Please enter the admin password>
Please enter the admin password again>
Please enter the master password [Enter to accept the default]:>
Please enter the master password again [Enter to accept the default]:>
Using port 4848 for Admin.
Using default port 8080 for HTTP Instance.
Using default port 7676 for JMS.
Using default port 3700 for IIOP.
Using default port 8181 for HTTP_SSL.
Using default port 3820 for IIOP_SSL.
Using default port 3920 for IIOP_MUTUALAUTH.
Using default port 8686 for JMX_ADMIN.
Domain being created with profile:cluster, as specified on command line or environment.
Security Store uses: JKS
Domain domain1 created.
$ asadmin start-domain --user admin domain1
Starting Domain domain1, please wait.
Log redirected to /var/appserver/domains/domain1/logs/server.log.
Please enter the admin password>
Redirecting output to /var/appserver/domains/domain1/logs/server.log
Domain domain1 started.
Domain [domain1] is running [Sun Java System Application Server 9.1_01 (build b09d-fcs)] with its configuration and logs at: [/var/appserver/domains].
Admin Console is available at [http://localhost:4848].
Use the same port for "asadmin" commands.
User web applications are available at these URLs:
[http://localhost:8080 https://localhost:8181 ].
Following web-contexts are available:
[/web1 /__wstx-services ].
Standard JMX Clients (like JConsole) can connect to JMXServiceURL:
[service:jmx:rmi:///jndi/rmi://opensolaris:8686/jmxrmi] for domain management purposes.
Domain listens on at least following ports for connections:
[8080 8181 4848 3700 3820 3920 8686 ].
Domain supports application server clusters and other standalone instances.
Step 5: Creating a SMF Service for the Domain
This step is optional but makes administering the server much nicer. It can be performed by the root user, or you can assign the necessary privileges to the appservr user. Assuming the latter case, the additional steps you need to take are well documented in the asadmin create-service help file:
$ asadmin create-service --help
First you will note: "To run this command, you must have solaris.smf.* authorization." The solaris.smf.* authorizations are included with the "Service Management" profile. So to assign these privileges to the appservr user:
bleonard@opensolaris:~$ pfexec usermod -P "Service Management" appservr
Or if you decide that you only want the appservr user to be able to enable and disable the service, assign them the "Service Operator" profile instead:
bleonard@opensolaris:~$ pfexec usermod -P "Service Operator" appservr
The help for asadmin create-service also states the following: "It is also essential for the users to have write permission in the directory tree: /var/svc/manifest/application/SUNWappserver."
So let's do that too:
bleonard@opensolaris:~$ pfexec mkdir /var/svc/manifest/application/SUNWappserver
bleonard@opensolaris:~$ pfexec chown appservr:appservr /var/svc/manifest/application/SUNWappserver
Now you can log back in as appservr and create the service. Before doing so we need to store the password information in a file. I created a file called appservr_password.txt in appservr's home directory containing the following:
AS_ADMIN_USER=admin
AS_ADMIN_PASSWORD=adminadmin
AS_ADMIN_MASTERPASSWORD=changeit
Modify the file as follows so only the appservr user can read its contents:
$ chmod 600 appservr_password.txt
Then run the asadmin create-service command as follows:
$ pfexec asadmin create-service --type das --passwordfile appservr_password.txt /var/appserver/domains/domain1/
Now the appservr user can start the domain using:
$ svcadm enable domain1
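The password file from Step 5 holds the admin and master passwords in clear text, so its mode, owner and contents are worth checking before the service depends on it. The following is an added example, not part of the original post: the function name audit_pwfile and its finding labels are hypothetical, and the demo file is constructed.

```shell
#!/bin/sh
# Added example: audit an asadmin password file such as appservr_password.txt.
# Usage: audit_pwfile FILE [EXPECTED_OWNER]   (owner defaults to appservr)
# Prints one finding per line; the return status is the number of findings.
audit_pwfile() {
    f=$1
    want_owner=${2:-appservr}
    findings=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 1
    fi
    # ls -ld output starts with the mode string, then link count, then owner.
    listing=$(ls -ld "$f")
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    case $mode in
        -r[w-]-------) ;;                      # 600 or 400: owner only
        *) echo "PERMS: mode is $mode, want -rw-------"
           findings=$((findings + 1)) ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER: owned by $owner, want $want_owner"
        findings=$((findings + 1))
    fi
    # adminadmin and changeit are the values used in the walkthrough above.
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key=$value" in
            AS_ADMIN_PASSWORD=adminadmin|AS_ADMIN_MASTERPASSWORD=changeit)
                echo "WEAK: $key is set to a well-known value"
                findings=$((findings + 1)) ;;
        esac
    done < "$f"
    return "$findings"
}

# Constructed demo: write a sample file under a restrictive umask so it is
# never readable by others, not even between creation and chmod.
demo_dir=$(mktemp -d)
( umask 077
  printf 'AS_ADMIN_USER=admin\nAS_ADMIN_PASSWORD=adminadmin\nAS_ADMIN_MASTERPASSWORD=changeit\n' \
      > "$demo_dir/appservr_password.txt" )
audit_pwfile "$demo_dir/appservr_password.txt" "$(ls -ld "$demo_dir" | awk '{print $3}')" || true
rm -rf "$demo_dir"
```

The demo reports two WEAK findings and no PERMS finding, because the file was created under umask 077 rather than tightened afterwards.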
And I think that should pretty much cover it. Let me know if I've overlooked anything.