Thoughts on my current and past work:
Java cloud developer experience,
WebLogic Server multi-tenancy, GlassFish...

Securing Administration in GlassFish Server 3.1 - 2: Remote Administration

Tim Quinn
Consulting Member of Technical Staff

If you are an administrator of a GlassFish installation, you will see
some new facets of administrative security in GlassFish Server 3.1.  In
this series of blogs I describe three key aspects: admin
authentication, remote administration, and admin message encryption. 
Some of this will be familiar to you if you have worked with earlier
releases of GlassFish, and some will be new.

 Remember that convenience and security are often at odds with each
other. We have tried hard to keep the out-of-the-box experience with
GlassFish Server 3.1 convenient while not creating security problems.
And we have tried to make it very easy to run in a very secure
administrative environment. 

See also:

Part 1: Admin Authentication

Part 3: Admin Message Encryption

Part 2: Remote Administration

Out-of-the-box, GlassFish Server 3.1 does not permit remote administration. This is to reduce your exposure to an attack from elsewhere in the network.  If you try to do remote administration GlassFish sends a "403 - Forbidden" HTTP status as the response. This is true regardless of whether you use asadmin, an IDE, or the REST interface. 

You can turn remote administration on using

asadmin enable-secure-admin

which actually accomplishes two things.  It enables remote administration and also encrypts all admin traffic (more about that in Part 3).

Before you run enable-secure-admin, make sure that the DAS is the only GlassFish process running -- that is, stop any instances.  Then after you run enable-secure-admin restart the DAS and then you can start up remote instances.  Part of the instance start-up will download the updated configuration to the instances so they can communicate securely with the DAS.

Note:  Enabling secure admin does not change anything about how GlassFish deals with the default admin account.  In particular the default admin username remains "admin" and the default password remains empty.  Before enabling secure admin - and therefore enabling remote administration - you will probably want to either change the admin password (see the asadmin change-admin-password command) or add at least one additional admin account which disables the default admin account handling described in Part 1.

One reason you might want to enable remote administration is to set up a remote instance - a server on a different host from where the DAS is running - without using SSH.  Remote administration needs to be turned on because commands you run on the remote host need to communicate with the DAS...and that is remote administration pure and simple.  Joe DiPol has written a nice blog talking about how to set up remote instances without using SSH.

You can turn remote administration off again by shutting down any instances, leaving the DAS only up, then running

asadmin disable-secure-admin

and then restarting the DAS and starting any instances up again.

In addition to controlling remote administration, enable-secure-admin and disable-secure-admin controls the encryption of admin traffic.  Continue on to Part 3 for more about that.

Join the discussion

Comments ( 2 )
  • Robert Monday, March 7, 2011

    Works great even on my SPARC T5240. You did not mention that disable-secure-admin only works with Java 1.6.0_22 and up.

  • Timothy Quinn Monday, March 7, 2011

    GlassFish 3.1 as a whole is supported only with Java SE 1.6.0_22 and later. This is mentioned on the downloads page and elsewhere.

Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.