top of page

Student Group

Public·41 members
Johnny Daniels
Johnny Daniels

GlassFish Security: Secure Your GlassFish Insta...


By default, secure admin uses the GlassFish Server self-signed certificates, via the aliasescorresponding to these certificates, to authenticate the DAS and instances with each otherand to authorize secure admin operations. Specifically, the DAS uses the (s1as) aliasfor authenticating itself and authorizing access in administration traffic, and instances use the(glassfish-instance) alias for authenticating themselves and authorizing access in secure admin traffic.




GlassFish Security: Secure your GlassFish insta...



Eclipse GlassFish 7 is developed through the GlassFish projectopen-source community at -ee4j/glassfish.The GlassFish project provides a structured process for developing theEclipse GlassFish platform that makes the new features of the Jakarta EEplatform available faster, while maintaining the most important featureof Jakarta EE: compatibility. It enables Java developers to access theEclipse GlassFish source code and to contribute to the development of theEclipse GlassFish.


The Jakarta EE Samples project is a collection of sample applications thatdemonstrate a broad range of Jakarta EE technologies. The Jakarta EE Samplesare bundled with the Jakarta EE Software Development Kit (SDK) and are alsoavailable from the repository( -ee4j/glassfish-samples).


For example, to import a certificate named oi.cer for a Eclipse GlassFish domain in /glassfish7/glassfish/domains/domain1, using analias called "OID self-signed certificate," you would use the following command:


For example, to import a certificate named ovd.cer for a Eclipse GlassFish domain in /glassfish7/glassfish/domains/domain1, using analias called "OVD self-signed certificate," you would use the following command:


You do this by defining the httpservlet-security-provider attribute inthe glassfish-web.xml file corresponding to your application. Set thevalue of the attribute to the provider name you assigned to the messagesecurity provider. For example, if you use MySAM when you create themessage security provider the entry would behttpservlet-security-provider="MySAM".


disable-secure-adminThe disable-secure-admin subcommand turns offsecure admin. Eclipse GlassFish no longer encrypts administrativemessages and will no longer accept remote administration connections.Disabling secure admin affects the entire domain, including the DAS andall instances. The DAS must be running , and not any instances, when yourun disable-secure-admin. You must restart the DAS immediately afterdisabling secure admin, and then start any instances you want to run.


The Grizzly configuration on the DAS and each instance is identical,with the exception that the DAS uses the s1as alias for SSL/TLSauthentication and the instances use the glassfish-instance alias.(These alias names are the default, and you can change them.)A server restart is required to change the Grizzly adapter behavior.The restart also synchronizes the restarted instances. When you startthe instances, the DAS delivers the updated configuration to the instances.


By default, Eclipse GlassFish includes a single account for user "admin"and an empty password. Therefore, if you make no other changes beforeyou enable secure admin, "admin" is the initial default username and nopassword is required. You need to decide whether enabling secure adminwithout also requiring a password makes sense in your environment.


By default, --adminalias of the enable-secure-admin subcommand usesthe s1as alias, and the --instancealias option uses theglassfish-instance alias, both of which identify the defaultself-signed certificates.


You can instead have Eclipse GlassFish use your own certificates for thispurpose by first adding your certificates to the keystore andtruststore, and then running enable-secure-admin and specifying thealiases for your certificates.


It is also possible to use s1as and glassfish-instance as the aliasnames for your own certificates. A benefit of doing so is that you wouldnot have to specify alias names with the enable-secure-adminsubcommand.


If you decide to use the s1as and glassfish-instance aliases withyour own certificates, you will first need to disable secure admin (ifenabled) and then change or delete the exiting s1as alias from boththe keystore.jks keystore and cacerts.jks truststore for the DAS.You can use the --changealias or`--delete` option of keytool toaccomplish this. Then, import your own certificates.


For example, assume that you write your own admin client that uses theREST interface. When your client establishes the connection, it canchoose which certificate to use for its client cert. You would thenspecify the DN of this certificate to enable-secure-admin-principal.


When you run enable-secure-admin, Eclipse GlassFish automaticallyrecords the DNs for the admin alias and the instance alias, whether youspecify those values or use the defaults. You do not need to runenable-secure-admin-principal yourself for those certificates.


By default, secure admin uses the Eclipse GlassFish self-signedcertificates, via the aliases corresponding to these certificates, toauthenticate the DAS and instances with each other and to authorizesecure admin operations. Specifically, the DAS uses the (s1as) aliasfor authenticating itself and authorizing access in administrationtraffic, and instances use the (glassfish-instance) alias forauthenticating themselves and authorizing access in secure admin traffic.


Eclipse GlassFish provides a powerful and flexible set of software toolsfor securing the subsystems and applications that run on a serverinstance. The following table provides a checklist of essential featuresthat Oracle recommends you use to secure your production environment.


When the keystore is ready, it should be imported into the default GlassFist keystore, which can be found in the following location: glassfish4/glassfish/domains/domain1/config/keystore.jks


Instead of using the web interface (GlassFish Administration Console), you can manually edit the domain.xml configuration file with the appropriate certificate alias and port. The file is located in glassfish4/glassfish/domains/domain1/config/domain.xml.


If you encounter any issues with the HTTPS connection, it is worth checking the server log for errors, which is located in glassfish4/glassfish/domains/domain1/logs/server.log.


Before you start doing anything you should think about a security concept. A detailedsecurity concept is out of scope for this tutorial. Very important from security point of view is not to run your Glassfish server as root. This means you need to create auser with restricted rights which you can use for running Glassfish. Once you have addeda new user, let's say 'glassfish', you might also want to add a new group called 'glassfishadm'.You can use this group for all users that shall be allowed to "administer" your Glassfish infull depth. In full depth means also modifying different files in the Glassfish home directory.Below you find user and group related commands that you might want to use.


You should make sure that you do not block other important ports, for example your ssh port which usually runs on port 22 (else you will be locked out). Changing the ssh port to some other is actually a good idea,but for now we will simply suggest your ssh port is 22. Another helpfull iptables rule related to your ssh port 22 is to slow down connection tries from an ip if they fail 3 times. I found a rule for that on the web and added it below. Although I will not mention it here you should also use other techniques and tools to secure your ssh port. Unfortunately, I did not get the timeto post a tutorial about that.


As you can see Glassfish is started with the user glassfish.It's always a bad idea to run a webserver with root. You should always use arestricted user - in our case this will be the user glassfish.You will learn how to use the script we just created in the next steps.


Glassfish is coming with two pre-configured certificate which is used for ssl (https). You can see it in thekeystore.jks file if you check for the alias s1as. In Glassfish 3.1 there is even another preconfigured certificate available: glassfish-instance.But that also means that everybody else can get these two certificates, the public keys, private keys, etc.With that information you could never be safe because "others" could "read" your data sent to Glassfish via https.That means you should always make sure to replace the pre-configured s1as and glassfish-instance entries in your keystore. But you should not delete them as long as the alias "s1as" and "glassfish-instance" are still in use (and it is by default in use for https...).I faced some strange behaviour as I did not think of that at the beginning when I simply deleted s1as- learn from my mistake and do not delete it for now...But we can help us with generating a new alias first (myAlias) and when ever needed or wanted we could change eachoccurrence of s1as to myAlias (i.e. via admin console) and then we could finally delete that s1as. The same has to be done also for glassfish-instance.


The following code box shows you the commands we need for modifying our Glassfish keystore. As you can see we first delete ourpre-configured s1as entry (Glassfish mustn't be running!). Later a new s1as entry isgenerated - it is now unique for us! Similar steps have to be executed also for our second certificate (glassfish-instance).


The file glassfish-4.1.1 will make GlassFish start at boot time. To use it, transfer the file iGrafxPlatform-16.x.x.xxxx-Origins-EAR.zip to the host. Extract it and move it to the appropriate folder. If you chose a different domain name than "iGrafx", you must modify the file accordingly. That file also expects to find Java in /usr/lib/jvm/java-8-oracle. If you have it installed somewhere else, just change the JPS variable. 041b061a72


About

Welcome to the group! You can connect with other members, ge...

Members

bottom of page