Configure passwords in Payara Server and GlassFish
Answeriing Stackoverflow questions provides a great feedback for finding out gaps in the official documentation of my favourite opensource tools. One of the questions which I answered here was how to change Payara Server master password in docker container. Obviously, in a standard server installation, this is simple – just use the asadmin change-master-password command, then type the old and new password in to the console and it’s done. Not in docker though, where the configuration has to be automated by a script. The same applies to all infrastructure-as-a-code solutions like Chef or Puppet. So I had to dig deeper into the documentation and experiment a bit.
Specifying passwords from file
The key thing in working with passwords in scripts is to provide them in a file. Each asadmin command accepts argument –passwordfile to instruct it to read all the necessary passwords from it avoid asking for passwords interactively. But it’s a bit tricky to find out how to define passwords in this password file, because it’s used for multiple types of passwords. Oracle documentation for GlassFish v3 which also applies to GlassFish v4 and v5 and Payara v4 and 5 documents 4 types of passwords. Each type of password can be specified in the password file with a variable with AS_ADMIN_ prefix.
- admin password with prefix AS_ADMIN_PASSWORD, default is empty password
- master password with prefix AS_ADMIN_MASTERPASSWORD , default is “changeit”
- user password with prefix AS_ADMIN_USERPASSWORD
- alias password with prefix AS_ADMIN_ALIASPASSWORD
So for example, if we need to run a command with admin password “mypassword”, the following line has to be in the password file:
AS_ADMIN_PASSWORD=mypassword
And then we can use the password with the –passwordfile argument, like this:
asadmin list-applications --passwordfile=mypasswordfile
The above command won’t wait for typing the password but will immediately list all applications on the server. If the password is incorrect, the command would fail.
Changing passwords from non-interactively from script
So far, all was documented at least in the old GlassFish v3 documentation. What’s missing in the documentation though is how to specify a new password from file if we want to change it from a script. When we execute a command to change any password (e.g. admin password or master password) without a password file, the command would ask for 2 passwords – the old one and the new one. Therefore we need to specify 2 passwords in a file.
The solution is to add another variable for a new password into the same password file. Variables for new passwords are prefixed with AS_ADMIN_NEW prefix. Therefore to change the master password, we need the following 2 lines in our password file:
AS_ADMIN_MASTERPASSWORD=oldmasterpassword AS_ADMIN_NEWMASTERPASSWORD=newmasterpassword
And then we can use the 2 passwords with the –passwordfile argument, like this:
asadmin change-master-password --passwordfile=mypasswordfile
The above command won’t wait for typing or retyping any password but will immediately change the master password on the server to newmasterpassword . If the old password is incorrect, the command would fail.
Changing passwords in docker image
In Docker, the preferred way is to configure the server in the image so that when a container is executed, the configuration is applied automatically. Avoid configuring containers because it’s not easy to run asadmin commands in a container and changing some passwords, such as master password, requires server restart.
The default Payara Server Docker image already contains asadmin commands which change the admin password. You can copy the lines that create /opt/tmpfile and use it with the change-admin-password command to change the admin password.
The same can be done to change the master password. Below is an example custom Dockerfile to change the master password to newpassword :
<span class="pln">FROM payara</span><span class="pun">/</span><span class="pln">server</span><span class="pun">-</span><span class="pln">full </span> <span class="pun">#</span><span class="pln"> specify a </span><span class="kwd">new</span><span class="pln"> master password </span><span class="str">"newpassword"</span><span class="pln"> instead of the </span><span class="kwd">default</span><span class="pln"> password </span><span class="str">"changeit"</span><span class="pln"> RUN echo </span><span class="str">'AS_ADMIN_MASTERPASSWORD=changeit\nAS_ADMIN_NEWMASTERPASSWORD=newpassword'</span> <span class="pun">>></span> <span class="pun">/</span><span class="pln">opt</span><span class="pun">/</span><span class="pln">masterpwdfile </span><span class="pun">#</span><span class="pln"> execute asadmin command to apply the </span><span class="kwd">new</span><span class="pln"> master password RUN $</span><span class="pun">{</span><span class="pln">PAYARA_PATH</span><span class="pun">}/</span><span class="pln">bin</span><span class="pun">/</span><span class="pln">asadmin change</span><span class="pun">-</span><span class="pln">master</span><span class="pun">-</span><span class="pln">password </span><span class="pun">--</span><span class="pln">passwordfile</span><span class="pun">=/</span><span class="pln">opt</span><span class="pun">/</span><span class="pln">masterpwdfile</span>
With the above Dockerfile in your current directory, you can build your custom docker image with:
docker build -t my-payara/server-full .
And then run my-payara/server-full instead of payara/server-full.
You can verify that the master password is change in the docker container when you run it with:
docker run -t -i --entrypoint keytool payara/server-full:masterpwd -list -keystore /opt/payara41/glassfish/domains/domain1/config/keystore.jks
If you type the new master password, you should see the contents of the key store with the list of certifictes
Published on Java Code Geeks with permission by Ondrej Mihalyi, partner at our JCG program. See the original article here: Configure passwords in Payara Server and GlassFish Opinions expressed by Java Code Geeks contributors are their own. |
Hi,
Using the above command i tried to change master password , but its not working for me.
Could please help me to change the master password.