Configure passwords in Payara Server and GlassFish

Answeriing Stackoverflow questions provides a great feedback for finding out gaps in the official documentation of my favourite opensource tools. One of the questions which I answered here was how to change Payara Server master password in docker container. Obviously, in a standard server installation, this is simple – just use the  asadmin change-master-password  command, then type the old and new password in to the console and it’s done. Not in docker though, where the configuration has to be automated by a script. The same applies to all infrastructure-as-a-code solutions like Chef or Puppet. So I had to dig deeper into the documentation and experiment a bit.

Specifying passwords from file

The key thing in working with passwords in scripts is to provide them in a file. Each asadmin command accepts argument --passwordfile  to instruct it to read all the necessary passwords from it avoid asking for passwords interactively. But it’s a bit tricky to find out how to define passwords in this password file, because it’s used for multiple types of passwords. Oracle documentation for GlassFish v3 which also applies to GlassFish v4 and v5 and Payara v4 and 5 documents 4 types of passwords. Each type of password can be specified in the password file with a variable with AS_ADMIN_  prefix.

  • admin password with prefix AS_ADMIN_PASSWORD, default is empty password
  • master password with prefix AS_ADMIN_MASTERPASSWORD , default is “changeit”
  • user password with prefix AS_ADMIN_USERPASSWORD
  • alias password with prefix AS_ADMIN_ALIASPASSWORD

So for example, if we need to run a command with admin password “mypassword”, the following line has to be in the password file:

And then we can use the password with the  --passwordfile argument, like this:

The above command won’t wait for typing the password but will immediately list all applications on the server. If the password is incorrect, the command would fail.

Changing passwords from non-interactively from script

So far, all was documented at least in the old GlassFish v3 documentation. What’s missing in the documentation though is how to specify a new password from file if we want to change it from a script. When we execute a command to change any password (e.g. admin password or master password) without a password file, the command would ask for 2 passwords – the old one and the new one. Therefore we need to specify 2 passwords in a file.

The solution is to add another variable for a new password into the same password file. Variables for new passwords are prefixed with AS_ADMIN_NEW  prefix. Therefore to change the master password, we need the following 2 lines in our password file:

And then we can use the 2 passwords with the  --passwordfile argument, like this:

The above command won’t wait for typing or retyping any password but will immediately change the master password on the server to newmasterpassword . If the old password is incorrect, the command would fail.

Changing passwords in docker image

In Docker, the preferred way is to configure the server in the image so that when a container is executed, the configuration is applied automatically. Avoid configuring containers because it’s not easy to run asadmin commands in a container and changing some passwords, such as master password, requires server restart.

The default Payara Server Docker image already contains asadmin commands which change the admin password. You can copy the lines that create  /opt/tmpfile  and use it with the  change-admin-password  command to change the admin password.

The same can be done to change the master password. Below is an example custom Dockerfile to change the master password to newpassword :

With the above Dockerfile in your current directory, you can build your custom docker image with:

And then run my-payara/server-full  instead of payara/server-full.

You can verify that the master password is change in the docker container when you run it with:

If you type the new master password, you should see the contents of the key store with the list of certifictes.

Leave a Reply

Your email address will not be published. Required fields are marked *