users@glassfish.java.net

Glassfish v2.1 change-master-password Issue -- on Windows 2003 Server

From: Derek Sceats <dsceats_at_silasg.com>
Date: Tue, 2 Jun 2009 16:37:58 -0700

Glassfish v2.1 change-master-password Issue -- on Windows 2003 Server


Hi All,

I have been doing some work on Password Management the last couple of days and have run into an issue with the Glassfish master password. It seems that if this password is changed from its default value of changeit, Glassfish is no longer accessible. Changing it back to changeit resolves the issue. Is this a known issue/bug, or am I missing something?

I am using Glassfish v2.1 on Windows 2003 Server.

Here is what I am doing...

open command window
change directory into \glassfish\lib
type asadmin

... Here is sanitized output from my Command Window...

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\user>cd c:\AppServer\glassfish\lib
C:\AppServer\glassfish\lib>asadmin
Use "exit" to exit and "help" for online help.

... Start domain with existing default master-password...

asadmin> start-domain domain1
Starting Domain domain1, please wait.
Default Log location is C:\AppServer\glassfish\domains\domain1\logs\server.log.
Redirecting output to C:/AppServer/glassfish/domains/domain1/logs/server.log
Domain domain1 is ready to receive client requests. Additional services are being started in background.
Domain [domain1] is running [Sun GlassFish Enterprise Server v2.1 (9.1.1) (build b60e-fcs)] with its configuration and logs at: [C:\AppServer\glassfish\domains].
Admin Console is available at [https://localhost:4848].
Use the same port [4848] for "asadmin" commands.
User web applications are available at these URLs:
[http://localhost:8080 https://localhost:8181 ].
Following web-contexts are available:
[/web1 /__wstx-services access dumpheaders ].
Standard JMX Clients (like JConsole) can connect to JMXServiceURL:
[service:jmx:rmi:///jndi/rmi://myserver:8686/jmxrmi] for domain management purposes.
Domain listens on at least following ports for connections:
[8080 8181 4848 3700 3820 3920 8686 ].
Domain does not support application server clusters and other standalone instances.

... Things look good. Log into Glassfish Admin Console on port 4848 to validate AppServer is running properly -- all is well...

asadmin> change-master-password
Please enter the new master password>
Please enter the new master password again>
Could not change password for domain domain1. Domain is running.
CLI137 Command change-master-password failed.

... Oops, didn't stop the domain before trying to change the password, so stop the domain...

asadmin> stop-domain domain1
Domain domain1 stopped.

... Now change the master password...

asadmin> change-master-password
Please enter the new master password> -- entered my new password
Please enter the new master password again> -- entered my new password
Master password changed for domain domain1

... Looks like all went well, so start Glassfish and try to access the Admin Console...

asadmin> start-domain domain1
Starting Domain domain1, please wait.
Default Log location is C:\AppServer\glassfish\domains\domain1\logs\server.log.
Please enter the master password> -- entered my new password
Redirecting output to C:/AppServer/glassfish/domains/domain1/logs/server.log
Domain domain1 failed to startup. Please check the server log for more details.
CLI156 Could not start the domain domain1.

... Hmmm, changed master-password and now Glassfish doesn't start up...

asadmin> change-master-password
Please enter the master password>
Password entered is invalid
CLI137 Command change-master-password failed.

... Oops, I entered "changeit" by accident. Let's try that again...

asadmin> change-master-password
Please enter the master password> -- entered my new password
Please enter the new master password> -- entered "changeit"
Please enter the new master password again> -- entered "changeit"
Master password changed for domain domain1

... Looks like all went well, so start Glassfish and try to access the Admin Console...

asadmin> start-domain domain1
Starting Domain domain1, please wait.
Default Log location is C:\AppServer\glassfish\domains\domain1\logs\server.log.
Please enter the master password> -- entered "changeit"
Redirecting output to C:/AppServer/glassfish/domains/domain1/logs/server.log
Domain domain1 is ready to receive client requests. Additional services are being started in background.

... Looks like Glassfish is starting up correctly...

Domain [domain1] is running [Sun GlassFish Enterprise Server v2.1 (9.1.1) (build b60e-fcs)] with its configuration and logs at: [C:\AppServer\glassfish\domains].
Admin Console is available at [https://localhost:4848].
Use the same port [4848] for "asadmin" commands.
User web applications are available at these URLs:
[http://localhost:8080 https://localhost:8181 ].
Following web-contexts are available:
[/web1 /__wstx-services access dumpheaders ].
Standard JMX Clients (like JConsole) can connect to JMXServiceURL:
[service:jmx:rmi:///jndi/rmi://myserver:8686/jmxrmi] for domain management purposes.
Domain listens on at least following ports for connections:
[8080 8181 4848 3700 3820 3920 8686 ].
Domain does not support application server clusters and other standalone instances.

asadmin>

... Things look good. Log into Glassfish Admin Console on port 4848 to validate AppServer is running properly -- all is well again...


*** SERVER.LOG FILE OUTPUT ***

... So looking at the Glassfish server.log file...


==>> FAILURE LOOKS LIKE THIS...

C:/AppServer/glassfish/lib/jhall.jar;C:\AppServer\glassfish\lib\appserv-launch.jar
com.sun.enterprise.server.PELaunch
start
[#|2009-06-02T14:44:23.886-0700|INFO|sun-appserver2.1|javax.enterprise.system.core|_ThreadID=10;_ThreadName=main;Java HotSpot(TM) Client VM;1.5.0_14;Sun Microsystems Inc.;|CORE5076: Using [Java HotSpot(TM) Client VM, Version 1.5.0_14] from [Sun Microsystems Inc.]|#]

[#|2009-06-02T14:44:23.995-0700|INFO|sun-appserver2.1|javax.enterprise.system.core.security|_ThreadID=11;_ThreadName=pool-1-thread-3;|SEC1002: Security Manager is OFF.|#]

[#|2009-06-02T14:44:24.011-0700|INFO|sun-appserver2.1|javax.enterprise.resource.jms|_ThreadID=12;_ThreadName=pool-1-thread-1;|Using MQ RA for Broker lifecycle control|#]

[#|2009-06-02T14:44:26.949-0700|WARNING|sun-appserver2.1|javax.enterprise.system.stream.err|_ThreadID=10;_ThreadName=main;_RequestID=1a6db3ff-f302-44c2-b352-ae1e1f087c22;|java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at com.sun.enterprise.server.PELaunch.main(PELaunch.java:415)
Caused by: java.lang.ExceptionInInitializerError
        at com.sun.enterprise.security.SecurityLifecycle.onInitialization(SecurityLifecycle.java:101)
        at com.sun.enterprise.server.ApplicationServer.onInitialization(ApplicationServer.java:262)
        at com.sun.enterprise.server.ondemand.OnDemandServer.onInitialization(OnDemandServer.java:103)
        at com.sun.enterprise.server.PEMain.run(PEMain.java:399)
        at com.sun.enterprise.server.PEMain.main(PEMain.java:336)
        ... 5 more
Caused by: java.lang.IllegalStateException: java.security.UnrecoverableKeyException: Cannot recover key
        at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)
        ... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:120)
        at java.security.KeyStore.getKey(KeyStore.java:731)
        at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:111)
        at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:41)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:192)
        at com.sun.enterprise.security.SSLUtils.initKeyManagers(SSLUtils.java:320)
        at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:106)
        ... 10 more
|#]


==>> WHEREAS SUCCESS LOOKS LIKE THIS...

C:/AppServer/glassfish/lib/jhall.jar;C:\AppServer\glassfish\lib\appserv-launch.jar
com.sun.enterprise.server.PELaunch
start
[#|2009-06-02T14:34:01.450-0700|INFO|sun-appserver2.1|javax.enterprise.system.core|_ThreadID=10;_ThreadName=main;Java HotSpot(TM) Client VM;1.5.0_14;Sun Microsystems Inc.;|CORE5076: Using [Java HotSpot(TM) Client VM, Version 1.5.0_14] from [Sun Microsystems Inc.]|#]

[#|2009-06-02T14:34:01.622-0700|INFO|sun-appserver2.1|javax.enterprise.system.core.security|_ThreadID=11;_ThreadName=pool-1-thread-3;|SEC1002: Security Manager is OFF.|#]

[#|2009-06-02T14:34:01.622-0700|INFO|sun-appserver2.1|javax.enterprise.resource.jms|_ThreadID=12;_ThreadName=pool-1-thread-6;|Using MQ RA for Broker lifecycle control|#]

[#|2009-06-02T14:34:05.012-0700|INFO|sun-appserver2.1|javax.enterprise.system.core.security|_ThreadID=10;_ThreadName=main;com.sun.enterprise.security.provider.PolicyWrapper;|SEC1143: Loading policy provider com.sun.enterprise.security.provider.PolicyWrapper.|#]

[#|2009-06-02T14:34:06.481-0700|INFO|sun-appserver2.1|javax.enterprise.system.container.web|_ThreadID=10;_ThreadName=main;server;|WEB0114: SSO is disabled in virtual server [server]|#]


==>> FAILURE SEEMS TO OCCUR AT THIS POINT...

[#|2009-06-02T14:34:05.012-0700|INFO|sun-appserver2.1|javax.enterprise.system.core.security|_ThreadID=10;_ThreadName=main;com.sun.enterprise.security.provider.PolicyWrapper;|SEC1143: Loading policy provider com.sun.enterprise.security.provider.PolicyWrapper.|#]


... Does anyone have any ideas what is going on here?? Any suggestions welcome. Could the Glassfish team confirm that this isn't a bug?? Thanks!

Derek