We are running GlassFish V2 on a Linux machine, and every time we tried to restart the node agents using the asadmin command it prompted for the user password as well as the master password. We had a tough time figuring this out. It was easy for us to set up autostart for the domains, but for node agents it was not clearly documented anywhere.
The --passwordfile option in asadmin looks for a file that stores the password in plain text. We wanted to avoid the password prompt, but at the same time we didn't want to store the passwords in a plain text file, for security reasons. Here are step-by-step instructions for how you can do it.
Step 1: Creating the password Alias.
Just before creating the node agents, make sure you have a password alias created for the admin user password. The command below can be used to create the admin alias:
This will prompt you to enter the password for user admin. Make sure you enter the correct password.
Step 2: Creating the password file pointing to Alias.
Now create a password file that your automatic restart can point to, say a file named password.txt with the following content.
This file can contain your non-encrypted password too. If you wish to store it that way, just put the actual password (assuming it is mypassword) in the password.txt file like below:
We prefer not to use this, as it is not secure to store the password in a plain text file. Next, create the node agent using the command below.
Step 3: Creating the Node agent.
The savemasterpassword=true option makes sure you will not be prompted for the master password every time you do a restart, and the --passwordfile option takes care of the node agent user password.
Step 4: Starting the Node agent manually the first time.
You need to enter the password manually the first time, because for this to work the node agent must have synchronized with the domain once after the alias was created using the asadmin create-alias command. This is because the domain-passwords store is initially available only at the domain, until it gets synchronized to the node agent location. Use the command below for the first-time synchronization of the password alias.
This will prompt you for the admin password.
Step 5: Starting the Node agent.
Now, when you want to start the node agent, you should use the following command:
Boom!!! We are good to go; this should not prompt you for a password anymore.
We have used these steps in a Linux environment, but I am sure it should not be any different on Solaris or any other Unix flavor.
This is such a common use case for any GlassFish administrator, and I am surprised to see no organized document mentioning these steps. No wonder many people are scared to use this server even now. Share your experience if you see any problems following the steps above.
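An added check, not part of the original post: a shell function that audits an asadmin password file before it is used for unattended node agent restarts, flagging plain text entries and files readable by group or other. It assumes the `AS_ADMIN_*=value` entry format and the `${ALIAS=name}` token syntax; the function name, the alias name and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example: audit an asadmin password file (not code from the original post).
# Assumption: entries are AS_ADMIN_*=value lines and alias tokens look like ${ALIAS=name}.

audit_passwordfile() {
    file=$1
    issues=0
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }

    # Characters 5-10 of the ls mode string are the group/other bits; all must be '-'.
    mode=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "PERMS $file is accessible by group/other; chmod 600"
        issues=$((issues + 1))
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            AS_ADMIN_*=*) ;;          # only password entries are inspected
            *) continue ;;            # skip blanks, comments, anything else
        esac
        key=${line%%=*}
        value=${line#*=}
        case $value in
            '${ALIAS='?*'}') echo "ALIAS $key" ;;
            *) echo "PLAINTEXT $key"  # report the key only, never the value
               issues=$((issues + 1)) ;;
        esac
    done < "$file"

    [ "$issues" -eq 0 ]               # exit status 0 only when nothing was flagged
}

# Constructed sample (not the page's file): one alias entry, one plain text entry.
sample=$(mktemp)
chmod 600 "$sample"
printf '%s\n' 'AS_ADMIN_PASSWORD=${ALIAS=admin-alias}' \
              'AS_ADMIN_MASTERPASSWORD=changeit' > "$sample"
audit_passwordfile "$sample" || echo "fix the findings above before scheduling restarts"
rm -f "$sample"
```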
It is obvious that one wouldn't like to store the password in clear text in the password file, however, for me it isn't obvious how the security is enhanced by using an alias. I mean, the alias is available in the passwordfile in readable/interpretable format! Can't anyone just use the alias instead of the clear text password?
Mr More-on