admin@glassfish.java.net

Re: password policy since b55

From: Sankar Neelakandan <Sankar.Neelakandan_at_Sun.COM>
Date: Fri, 24 Jul 2009 15:17:19 -0700

This list is a little bit old, but it will be a good starting point to add and
resolve the incompatibilities.

http://wiki.glassfish.java.net/Wiki.jsp?page=V3CommandLineCompatibilityIssues

-Sankar

David Ronge wrote:
> Yes, it works well; I added the entry as you suggested and our tests
> run properly.
> For our part, it is now no issue at all, once the masterpassword is
> added, since it is (I assume from what was just said)
> backward-compatible (so I only committed the changed passwordfile to test
> sources, all branches). We use the full syntax
> globally for creating as well as starting/stopping domains whenever
> possible.
> (Another similar change was since some early build of preview V3 - I
> think it was preview - when stop-domain required
> passwd whereas it wasn't even accepted with this cmd by older builds
> or V2. That's being handled in our scripts
> and doesn't require modification.)
>
> Is there any comprehensive web page listing changes like this? I mean
> enforcing something originally optional.
> Some brief summary of changes. I do not demand anything new be
> created, still if it exists please give me a pointer.
> I realize it is development so features are supposed to change.
>
> Thank you much once more for quick assistance.
>
> Regards,
> David
>
> Kedar Mhaswade wrote:
>> Sankar just confirmed that this works and he's filed a bug against
>> create-domain (8876) to track.
>>
>> -Kedar
>>
>>
>> Kedar Mhaswade wrote:
>>>
>>>
>>> Sankar Neelakandan wrote:
>>>>
>>>>
>>>> Kedar Mhaswade wrote:
>>>>> That's because master password was NEVER enforced for v3. I
>>>>> implemented it
>>>>> for the first time for v3. If you ran the commands like you did
>>>>> for V2,
>>>>> this would always work. Remember, for V2, a domain startup would
>>>>> always
>>>>> require to open the stores otherwise the server startup fails.
>>>> Yes but in V2 when the masterpassword is not provided for the
>>>> create-domain command the password is assumed to be "changeit".
>>>> The start-domain command never prompted for masterpassword in this
>>>> default case.
>>>
>>> And it never does. Like I said, there was some create-domain related
>>> change that Bill made after I was done and I am not sure if this is
>>> the fallout of that.
>>>
>>> e.g. try this out:
>>>
>>> passwords:
>>> AS_ADMIN_MASTERPASSWORD=changeit
>>> AS_ADMIN_PASSWORD=adminadmin
>>> AS_ADMIN_ADMINPASSWORD=adminadmin
>>>
>>> asadmin --passwordfile passwords create-domain --portbase 5000 d2
>>>
>>> asadmin start-domain d2 (note: no passwordfile given)
>>>
>>> and it *does* start without prompting.
>>>
>>> Again, I don't know why it does not work when passwords does NOT
>>> contain
>>> AS_ADMIN_MASTERPASSWORD. It's a separate issue.
>>>
>>>>>
>>>>> Since the master password was enforced only since b55, the
>>>>> start-domain
>>>>> needs this to be provided while doing the startup.
>>>>>
>>>>> Now, in most cases, this is not a problem. In the "default" case,
>>>>> i.e.
>>>>> when the domain is *created* with default master password, startup
>>>>> would
>>>>> have it.
>>>> Does this mean the masterpassword has to be explicitly provided as
>>>> "changeit"?
>>>
>>> No.
>>>
>>>> When the masterpassword is not provided the create-domain command
>>>> still goes ahead and creates a domain. What is the masterpassword
>>>> used in this case?
>>>
>>> Investigating. Not related to my changes ...
>>>
>>>> If it is "changeit" why does the start-domain command still prompt
>>>> for masterpassword?
>>>
>>> Correct, it should not and it does not.
>>>
>>>>
>>>>> In another case, where you choose to do --savemasterpassword during
>>>>> create-domain, start-domain would have that password read
>>>>> automatically for
>>>>> you, so that you don't have to provide it during startup.
>>>>
>>>>>
>>>>> -Kedar
>>>>>
>>>>>
>>>>> Sankar Neelakandan wrote:
>>>>>> Kedar,
>>>>>> The exact problem is,
>>>>>> In B55 when the domain is created without MASTERPASSWORD in
>>>>>> passwordfile the start-domain works without prompting for
>>>>>> masterpassword.
>>>>>> But in B56 when the domain is created without MASTERPASSWORD in
>>>>>> passwordfile the start-domain doesn't work without providing the
>>>>>> master password. (If the domain is started without a console
>>>>>> there is no prompting for masterpassword and fails with the
>>>>>> noconsole message)
>>>>>>
>>>>>> Please see the following logs.
>>>>>>
>>>>>>
>>>>>> bash-3.00# cat /password.txt
>>>>>> AS_ADMIN_PASSWORD=adminadmin
>>>>>>
>>>>>>
>>>>>> bash-3.00# glassfishv3/glassfish/bin/asadmin create-domain
>>>>>> --adminport 4848 --user admin --passwordfile /password.txt domain1
>>>>>> Deprecated syntax: create-domain, Options: [passwordfile, user]
>>>>>> Using port 4848 for Admin.
>>>>>> Using default port 8080 for HTTP Instance.
>>>>>> Using default port 7676 for JMS.
>>>>>> Using default port 3700 for IIOP.
>>>>>> Using default port 8181 for HTTP_SSL.
>>>>>> Using default port 3820 for IIOP_SSL.
>>>>>> Using default port 3920 for IIOP_MUTUALAUTH.
>>>>>> Using default port 8686 for JMX_ADMIN.
>>>>>> Distinguished Name of the self-signed X.509 Server Certificate is:
>>>>>> [CN=easqesf4,OU=GlassFish,O=Sun Microsystems,L=Santa
>>>>>> Clara,ST=California,C=US]
>>>>>> Domain domain2 created.
>>>>>> Command create-domain executed successfully.
>>>>>>
>>>>>> bash-3.00# glassfishv3/glassfish/bin/asadmin start-domain domain2
>>>>>> No valid master password found
>>>>>> Enter master password (3 attempt(s) remain)> Sorry, incorrect
>>>>>> master password, retry
>>>>>> Enter master password (2 attempt(s) remain)> Sorry, incorrect
>>>>>> master password, retry
>>>>>> Enter master password (1 attempt(s) remain)> Sorry, incorrect
>>>>>> master password, retry
>>>>>> Number of attempts (3) exhausted, giving up
>>>>>> Command start-domain failed.
>>>>>>
>>>>>> When started without console it fails with the following error
>>>>>> message
>>>>>>
>>>>>>
>>>>>> bash-3.00# glassfishv3/glassfish/bin/asadmin start-domain domain1
>>>>>> Deprecated syntax: start-domain, Options: [passwordfile, user]
>>>>>> No valid master password found
>>>>>> Command start-domain failed.
>>>>>> No console, no prompting possible
>>>>>>
>>>>>>
>>>>>>
>>>>>> Kedar Mhaswade wrote:
>>>>>>> Dave,
>>>>>>>
>>>>>>> It should be AS_ADMIN_MASTERPASSWORD. AS_ADMIN_USERPASSWORD is
>>>>>>> for (an entirely) different purpose.
>>>>>>>
>>>>>>> If you don't really care about master password (:-0) you can just
>>>>>>> have AS_ADMIN_MASTERPASSWORD=changeit added to this password.txt
>>>>>>> file and I am pretty sure this will be fixed.
>>>>>>>
>>>>>>> But I think we need to address this use case. My understanding was
>>>>>>> that in this case, (i.e. the way your password.txt seems) we should
>>>>>>> have defaulted the master password to "changeit". I am not sure if
>>>>>>> this is due to recent changes to create-domain command as well.
>>>>>>> We'll
>>>>>>> investigate.
>>>>>>>
>>>>>>> For now, just add this one more line to password.txt to get
>>>>>>> unblocked.
>>>>>>>
>>>>>>> -Kedar
>>>>>>>
>>>>>>> David Ronge wrote:
>>>>>>>> Hi Kedar,
>>>>>>>>
>>>>>>>> yes, we delete domain1 first to be sure the eventual setup
>>>>>>>> change of default domain won't give us some obscure diffs and
>>>>>>>> to keep setup stable.
>>>>>>>>
>>>>>>>> (delete-domain.1:
>>>>>>>> [exec] Domain domain1 deleted.
>>>>>>>> [exec] Command delete-domain executed successfully.
>>>>>>>> No passwd used.)
>>>>>>>> content of the password.txt is here:
>>>>>>>> AS_ADMIN_PASSWORD=adminadmin
>>>>>>>> AS_ADMIN_USERPASSWORD=changeit
>>>>>>>>
>>>>>>>> create-by-admin-command:
>>>>>>>> [echo] exec: create-domain --user admin --passwordfile
>>>>>>>> /space/test4u/cvswork/sunsw/tango/qe-tests/gf-setup/password.txt
>>>>>>>> domain1
>>>>>>>> [echo] With properties:
>>>>>>>> [echo] http.ssl.port=8181:orb.listener.port=3007:imq.port=7676
>>>>>>>> [exec] Deprecated syntax: create-domain, Options:
>>>>>>>> [passwordfile, user]
>>>>>>>> [exec] Using port 4848 for Admin.
>>>>>>>> [exec] Using port 8080 for HTTP Instance.
>>>>>>>> [exec] Using default port 7676 for JMS.
>>>>>>>> [exec] Using port 3007 for IIOP.
>>>>>>>> [exec] Using port 8181 for HTTP_SSL.
>>>>>>>> [exec] Using default port 3820 for IIOP_SSL.
>>>>>>>> [exec] Using default port 3920 for IIOP_MUTUALAUTH.
>>>>>>>> [exec] Using default port 8686 for JMX_ADMIN.
>>>>>>>> [exec] Distinguished Name of the self-signed X.509 Server
>>>>>>>> Certificate is:
>>>>>>>> [exec] [CN=eas-x2100-1.India.Sun.COM,OU=GlassFish,O=Sun
>>>>>>>> Microsystems,L=Santa Clara,ST=California,C=US]
>>>>>>>> [exec] Domain domain1 created.
>>>>>>>> [exec] Command create-domain executed successfully.
>>>>>>>>
>>>>>>>> is the target used, more precisely, target corresponding to the
>>>>>>>> above log is here:
>>>>>>>> <target name="create-by-admin-command" depends="get-asadmin"
>>>>>>>> if="create.by.admin.command">
>>>>>>>> <!-- propertyset refid="full.domain.propertyset"/ -->
>>>>>>>> <echo message="exec: create-domain --user admin
>>>>>>>> --passwordfile ${basedir}/password.txt ${domain.name}"/>
>>>>>>>> <property name="dmn.specif.1"
>>>>>>>> value="http.ssl.port=${https.port}" />
>>>>>>>> <property name="dmn.specif.2"
>>>>>>>> value="${dmn.specif.1}:orb.listener.port=${orb.port}" />
>>>>>>>> <property name="dmn.specif.0"
>>>>>>>> value="${dmn.specif.2}:imq.port=${imq.port}" />
>>>>>>>> <echo message="With properties:"/>
>>>>>>>> <echo message="${dmn.specif.0}"/>
>>>>>>>>
>>>>>>>> <exec executable="${asadmin.executable}" dir="${basedir}"
>>>>>>>> resultproperty="asadmin.result">
>>>>>>>> <!-- in ${gf.install.home} or ${basedir} ? -->
>>>>>>>> <arg value="create-domain"/>
>>>>>>>> <arg value="--user"/>
>>>>>>>> <arg value="admin"/>
>>>>>>>> <arg value="--passwordfile"/>
>>>>>>>> <arg value="password.txt"/><!-- ${basedir}/... -->
>>>>>>>> <arg value="--instanceport"/>
>>>>>>>> <arg value="${instance.port}"/>
>>>>>>>> <arg value="--adminport"/>
>>>>>>>> <arg value="${admin.port}"/>
>>>>>>>> <arg value="--domaindir"/>
>>>>>>>> <arg value="${gf.install.home}/domains"/>
>>>>>>>> <arg value="--domainproperties"/>
>>>>>>>> <arg value="${dmn.specif.0}"/>
>>>>>>>> <!-- leave as last item value - (first that is not an
>>>>>>>> option) -->
>>>>>>>> <arg value="${domain.name}"/>
>>>>>>>> </exec>
>>>>>>>> </target>
>>>>>>>>
>>>>>>>> with --domainproperties echoed as visible.
>>>>>>>> There's alternative setup target using setup.xml but that is
>>>>>>>> used with V2 only for continuity.
>>>>>>>> (The property set contains the original default ports mainly -
>>>>>>>> I think these are exclusively defaults - you can see better.)
>>>>>>>>
>>>>>>>> The master password claimed is AS_ADMIN_PASSWORD - according to
>>>>>>>> the password.txt? Or the other entry?
>>>>>>>>
>>>>>>>> ~dave
>>>>>>>>
>>>>>>>> Kedar Mhaswade wrote:
>>>>>>>>> Hi David,
>>>>>>>>>
>>>>>>>>> VB Kumar told me that you guys were seeing some issues here.
>>>>>>>>>
>>>>>>>>> Yes, I made some changes to the master password handling in
>>>>>>>>> b55. It was
>>>>>>>>> not a big deal as far as users are concerned. I am sorry that
>>>>>>>>> it seems to
>>>>>>>>> affect you. But I do think that you guys are creating domain
>>>>>>>>> differently.
>>>>>>>>> As you can see the console output of start-domain, it contains:
>>>>>>>>>
>>>>>>>>> >>> [exec] No valid master password found
>>>>>>>>> >>> [exec] No console, no prompting possible
>>>>>>>>> >>> [exec] Command start-domain failed.
>>>>>>>>> >>> [exec] Result: 1
>>>>>>>>>
>>>>>>>>> So, it's not failing for deprecated syntax, but for something
>>>>>>>>> else.
>>>>>>>>> Can I get the entire sequence of commands you run? For
>>>>>>>>> example, is the
>>>>>>>>> same password.txt provided to both create-domain and
>>>>>>>>> start-domain commands?
>>>>>>>>> I somehow think that the master password for this domain is
>>>>>>>>> not the default
>>>>>>>>> ("changeit") or there is a bug in what I recently did ...
>>>>>>>>>
>>>>>>>>> Let me know either way. My commit log is here:
>>>>>>>>> http://fisheye4.atlassian.com/changelog/glassfish-svn/trunk/v3/admin/cli/src/main/java/com/sun/enterprise/admin/cli/commands?cs=29406
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -Kedar
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> David Ronge wrote:
>>>>>>>>>> This way:
>>>>>>>>>>
>>>>>>>>>> <target name="start-a-domain" if="a.domain.exists"
>>>>>>>>>> unless="skip.domain" depends="check.domain.exists">
>>>>>>>>>> <property name="a.domain.name"
>>>>>>>>>> value="${default.domain}"/><!-- convenience default -->
>>>>>>>>>> <echo message="STARTING domain ${a.domain.name}..." />
>>>>>>>>>> <echo message="stuff.dir ${stuff.dir}..." />
>>>>>>>>>> <exec executable="${gf.install.home}/bin/asadmin.bat"
>>>>>>>>>> os="Windows XP,Windows 2000,Windows 2003"
>>>>>>>>>> dir="${stuff.dir}" spawn="true"
>>>>>>>>>> failonerror="false">
>>>>>>>>>> <arg value="start-domain"/>
>>>>>>>>>> <arg value="--user"/>
>>>>>>>>>> <arg value="admin"/>
>>>>>>>>>> <arg value="--passwordfile"/>
>>>>>>>>>> <arg value="password.txt"/>
>>>>>>>>>> <arg value="${a.domain.name}"/>
>>>>>>>>>> </exec>
>>>>>>>>>> <exec executable="${gf.install.home}/bin/asadmin"
>>>>>>>>>> dir="${stuff.dir}" os="SunOS,Linux,AIX,Mac OS X">
>>>>>>>>>> <arg line="start-domain --user admin --passwordfile
>>>>>>>>>> password.txt ${a.domain.name}"/>
>>>>>>>>>> </exec>
>>>>>>>>>> <echo message="STARTED domain ${a.domain.name}..." />
>>>>>>>>>> </target>
>>>>>>>>>>
>>>>>>>>>> (start-domain command seemed not to be obligatory with user
>>>>>>>>>> and passwd data but stop-domain did when file-user was added
>>>>>>>>>> etc.
>>>>>>>>>> So we include it for start too.)
>>>>>>>>>> This worked reliably unless some integration fault prevented
>>>>>>>>>> proper start due to bundling error or start failure of some
>>>>>>>>>> essential service.
>>>>>>>>>>
>>>>>>>>>> ~dave
>>>>>>>>>>
>>>>>>>>>> Jane Young wrote:
>>>>>>>>>>> Can you provide the syntax used to start the domain?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Jane
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> David Ronge wrote:
>>>>>>>>>>>> Hi, is there any instruction to handle starting/stopping
>>>>>>>>>>>> domain differently now?
>>>>>>>>>>>> The behavior has changed ~ with build b55 as now I can see >
>>>>>>>>>>>>
>>>>>>>>>>>> start-a-domain:
>>>>>>>>>>>> [echo] STARTING domain domain1...
>>>>>>>>>>>> [echo] stuff.dir
>>>>>>>>>>>> /space/test4u/cvswork/sunsw/tango/qe-tests/gf-setup...
>>>>>>>>>>>> [exec] Deprecated syntax: start-domain, Options:
>>>>>>>>>>>> [passwordfile, user]
>>>>>>>>>>>> [exec] No valid master password found
>>>>>>>>>>>> [exec] No console, no prompting possible
>>>>>>>>>>>> [exec] Command start-domain failed.
>>>>>>>>>>>> [exec] Result: 1
>>>>>>>>>>>> [echo] STARTED domain domain1...
>>>>>>>>>>>>
>>>>>>>>>>>> it says "deprecated" but the coming syntax simply doesn't
>>>>>>>>>>>> work without change.
>>>>>>>>>>>> Can someone please give me a clue?
>>>>>>>>>>>> Our team tests Metro/jaxws webservices on V2/V3/Tomcat...
>>>>>>>>>>>> so managing GF administration is sort of routine for us.
>>>>>>>>>>>> (Still, if there's page to look at when something stops
>>>>>>>>>>>> working the old way it would be nice.)
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you much in advance.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> David
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> To unsubscribe, e-mail:
>>>>>>>>>>>> admin-unsubscribe_at_glassfish.dev.java.net
>>>>>>>>>>>> For additional commands, e-mail:
>>>>>>>>>>>> admin-help_at_glassfish.dev.java.net
>>>>>>>>>>>>
>
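
The password-file requirement discussed in this thread can be checked before an unattended `start-domain`. The script below is an added example, not part of the original messages or of GlassFish: the key names and the `changeit` default come from the thread, while the function name `check_passwordfile`, the finding labels and the permission rule are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: lint an asadmin --passwordfile before an unattended start-domain.
# Key names and the "changeit" default come from the thread; the finding labels
# and the permission rule are assumptions of this sketch.

# check_passwordfile FILE: prints findings, returns how many there were (0 = clean).
check_passwordfile() {
    pf_file=$1
    pf_findings=0
    if [ ! -r "$pf_file" ]; then
        echo "ERROR: cannot read $pf_file"
        return 1
    fi
    # This sketch takes the last AS_ADMIN_MASTERPASSWORD entry and strips any
    # CR left by Windows editors before comparing the value.
    pf_master=$(sed -n 's/^AS_ADMIN_MASTERPASSWORD=//p' "$pf_file" | tail -n 1 | tr -d '\r')
    if ! grep -q '^AS_ADMIN_MASTERPASSWORD=' "$pf_file"; then
        echo "MISSING: no AS_ADMIN_MASTERPASSWORD entry; start-domain without a console cannot prompt for it"
        pf_findings=$((pf_findings + 1))
        if grep -q '^AS_ADMIN_USERPASSWORD=' "$pf_file"; then
            echo "NOTE: AS_ADMIN_USERPASSWORD is present but is not the master password"
        fi
    elif [ -z "$pf_master" ] || [ "$pf_master" = "changeit" ]; then
        echo "WEAK: master password is empty or the default"
        pf_findings=$((pf_findings + 1))
    fi
    # The file holds cleartext secrets: group/other permission bits should be off.
    pf_mode=$(ls -ld "$pf_file" | cut -c5-10)
    if [ "$pf_mode" != "------" ]; then
        echo "PERMS: $pf_file is accessible to group/other ($pf_mode)"
        pf_findings=$((pf_findings + 1))
    fi
    return "$pf_findings"
}

# Demo on a constructed file shaped like the password.txt quoted in the thread.
pf_demo=$(mktemp)
printf 'AS_ADMIN_PASSWORD=adminadmin\nAS_ADMIN_USERPASSWORD=changeit\n' > "$pf_demo"
chmod 600 "$pf_demo"
check_passwordfile "$pf_demo" || echo "findings: $?"
rm -f "$pf_demo"
```

A non-zero return in a build script is the point at which to stop before `start-domain` runs with no console to prompt on.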