3

Background: I need to change the payara-server master-password. According to the docs, the master-password must match the password in the keystore & truststore for the SSL certificates to work properly. This is to make my website run on https instead of http.

I got Payara-Server running in a Docker Container through the guide:

I tried to change the payaradomain master-password, but I get an acyclic error.

1. Made sure the payara-domain isn't running.

- ./asadmin stop-domain --force=true payaradomain

When I run this command, domain1 gets killed instead, and then I'm kicked out of the docker container:

./asadmin stop-domain --kill=true payaradomain

When I execute this command:

./asadmin list-domains

Response:

domain1 running
payaradomain not running
Command list-domains executed successfully.

Then tried command:

./asadmin stop-domain --force=true payaradomain

Response:

 CLI306: Warning - The server located at /opt/payara41/glassfish/domains/payaradomain is not running.

I'm happy with that, but when I try:

./asadmin change-master-password payaradomain

I get this response:

Domain payaradomain at /opt/payara41/glassfish/domains/payaradomain is running. Stop it first.

I have attached the picture below: please help...

payaradomain is running. Stop it first.

S34N

3 Answers

3

If you want to configure Payara server in docker, including the master password, you should do it by creating your own docker image by extending the default Payara docker image. This is the simplest Dockerfile:

FROM payara/server-full

# run payaradomain by default instead of domain1
ENV PAYARA_DOMAIN=payaradomain

# specify a new master password "newpassword" instead of the default password "changeit"
RUN echo 'AS_ADMIN_MASTERPASSWORD=changeit\nAS_ADMIN_NEWMASTERPASSWORD=newpassword' >> /opt/masterpwdfile

# execute asadmin command to apply the new master password
RUN ${PAYARA_PATH}/bin/asadmin change-master-password --passwordfile=/opt/masterpwdfile payaradomain

Then you can build your custom docker image with:

docker build -t my-payara/server-full .

And then run my-payara/server-full instead of payara/server-full.

Also note that with the default Payara docker image, you should specify the PAYARA_DOMAIN variable to run payaradomain instead of domain1, such as:

docker run --env PAYARA_DOMAIN=payaradomain payara/server-full

The sample Dockerfile above redefines this variable so that payaradomain is used by default, without need to specify it when running the container.

Alternative way to change master password

You can alternatively run the docker image without running Payara Server. Instead, you can run a bash shell first, perform the necessary commands in the console and then run the server from the shell.

To do that, you would run the docker image with:

docker run -t -i --entrypoint /bin/bash payara/server-full

The downside of this approach is that the docker container runs in foreground and if you restart it then payara server has to be started again manually, so it's really only for testing purposes.

OndroMih
  • Hi @OndrejM, Your response is very informative. Thank you so much. I have learnt a lot. All along I was trying to implement the configurations in the container instead of applying the solution in the custom built docker image. Thank you. – S34N Nov 23 '17 at 23:19
  • Can I also then go ahead & add the following to the Dockerfile, just under the last line in your example: `ADD ca.crt:/etc/ssl/certs` next-line: `RUN update-ca-certificates` as shown in this example: https://stackoverflow.com/questions/26028971/docker-container-ssl-certificates# ... is it advisable to store ssl certificates in a docker image/build? – S34N Nov 23 '17 at 23:26
  • Another thing. I have noticed that the default path for ssl certs for docker-java-home is in `/etc/ssl/certs` But glassfish would be expecting ssl certificates in: `/opt/payara41/glassfish/domains/payaradomain/config/` How would one handle such a confusing realisation? – S34N Nov 23 '17 at 23:35
  • I just learnt that I need to read-up on docker **secrets** & learn how this is done with docker. – S34N Nov 23 '17 at 23:49
  • Payara/Glassfish doesn't use the default location for certificates and expects certificates in payaradomain/config, as you wrote. I wrote a detailed blog post about adding certificates to Payara here: http://blog.payara.fish/securing-payara-server-with-custom-ssl-certificate – OndroMih Nov 25 '17 at 07:47
2

The reason you get the messages saying payaradomain is running is because you have started domain1. payaradomain and domain1 use the same ports, and the check to see if a domain is running looks to see if the admin port for a given domain is in use.

In order to change the master password you must either have both domains stopped or change the admin port for payaradomain.

Jonathan Coustick
1

Instead of echoing passwords in the Dockerfile, it is safer to COPY a file during build containing the passwords and remove that when the build is finished.
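
A variant of the Dockerfile from the first answer, added here as an example (not code from any of the answers): it passes the password file as a BuildKit secret mount, so the passwords are stored neither in an image layer nor in the `RUN` command text, whereas a file that is copied in and deleted in a later step remains in the earlier layer. The secret id `masterpwd`, the local file name `masterpwdfile` and `mode=0444` (so the image's non-root user can read the mount) are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
#
# Build with BuildKit, passing the password file from the build host
# (file name and secret id are assumed names for this example):
#
#   docker build --secret id=masterpwd,src=./masterpwdfile \
#       -t my-payara/server-full .
#
# ./masterpwdfile stays on the build host and contains the same two
# keys the first answer writes with echo:
#
#   AS_ADMIN_MASTERPASSWORD=changeit
#   AS_ADMIN_NEWMASTERPASSWORD=<new master password>

FROM payara/server-full

# Run payaradomain by default instead of domain1.
ENV PAYARA_DOMAIN=payaradomain

# The secret is mounted at /run/secrets/masterpwd for this RUN step only.
# It is not part of the build context, is not committed to any layer,
# and its contents do not appear in `docker history`.
# mode=0444 is an assumption: the default mount is readable by root only,
# and asadmin may run as a non-root user in this image.
RUN --mount=type=secret,id=masterpwd,target=/run/secrets/masterpwd,mode=0444 \
    ${PAYARA_PATH}/bin/asadmin change-master-password \
        --passwordfile=/run/secrets/masterpwd payaradomain
```

Keep `masterpwdfile` out of version control and out of the build context (for example via `.dockerignore`), since the `--secret` flag reads it directly from the host path.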