It is some days that I saw some posts about securing Glassfish in production environment, so I thought I write some of my experience here to let other secure the glassfish easier. There are some basic items that you will need to relay on in order to have a secure Glassfish installation.
- secure access to administration console, both web based and CLI.
- secure all ports and listeners that application server uses to interact with outside applications.
- secure your environment from GlassFish; Yes, glassfish can be evil if you have buggy software installed on you application server.
- secure your application server from the environment that it is operating on it.
- secure glassfish directories in order to prevent any accidental changes, use, etc in glassfish configuration files.
- Take care of all logging if you are not going to secure Glassfish on the file system.
- tips and tricks which are not mentioned in the above sections.
- firewalls, network security, clustered environment tips and tricks
But how you can do these, I will explain each item in as much details as I can begin with securing your administration console. As you know administration console is the main interaction point with an application server, however must of application servers let you perform all changes from a CLI or direct editing of server.xml, domain.xml and so on. But Web based administration console is the most open to access part of application server, So letâ€™s see how we can secure it:
You will need to change administration password from the default one, do it by using the following command in CLI when your application server is running.
Using this command you can change your administration password both for CLI and Web based console. The output of the command may differ from version or profile to another version and profile but it will asks you to enter old and new password, in case that it asks to accept a certificate accept it, you will change it later.
Second thing that you should change is master-password, make sure that you stop your application server before issuing the command as it will not work when the as is running. Following command in asadmin console will do it for you. Default master password value is â€œchangeitâ€
Now you are sure that your administration console and keystore files are protected using a new password which you know.
Its time to take a closer look at application server web based console protection, you need to make sure that you have most possible protection over your administration console by limiting access to it using firewalls and after that you can add another level of protection and transmission integrity by using a mutual authentication using Digital Certificate.
By changing the administration http listener to use an a digital certificate specific for administration console and changing its setting to use client-cert authentication or mutual authentication you can ensure that your administration console will only opens in a browser which has a digital certificate signed by a CA known to your administration listener.
This way you can be sure that only the guys with that specific digital certificate will have access to your admin console and the administrator will not fool by anyone to connect to a mock server. On the other hand you have full protection of SSL over your transmitted data. To learn how you can setup your own CA and add keys to glassfish keystore take a look at some older entry of my weblog. however those entry shows how you can use digital certificate when your AS uses jks files ant certDB files.