Difference between revisions of "Payara Configuration in QPR UI"

Line 20: Line 20:
  
 
=== Alternative 1: Routing Traffic Through IIS ===
 
=== Alternative 1: Routing Traffic Through IIS ===
This is the recommended way, because it's easier to maintain than SSL configuration in GlassFish. See [[Routing through IIS in QPR UI]] and configure the SSL sertificate in IIS.
+
This is the recommended way, because it's easier to maintain than SSL configuration in GlassFish. See [[Routing Through IIS in QPR UI]] and configure the SSL sertificate in IIS.
  
 
=== Alternative 2: SSL Configuration in GlassFish ===
 
=== Alternative 2: SSL Configuration in GlassFish ===
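Review bot: on the changed line under "Alternative 1: Routing Traffic Through IIS", "sertificate" is misspelled in both the old and the new text. The revision only changes the link capitalization to [[Routing Through IIS in QPR UI]], so correct the word to "certificate" in the same edit.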

Revision as of 15:05, 7 November 2017

Access GlassFish Administration Console

GlassFish Administration Console can be accessed at http://SERVERNAME:4848, where SERVERNAME is the name of the server. Alternatively you can use http://localhost:4848 when accessing from the server itself.

Change GlassFish Port

By default, GlassFish uses port 8080 for the front-end and port 4848 for the administration UI. If these ports cannot be used, they can be changed as follows:

  1. Access the administration UI as described in Access GlassFish Administration Console.
  2. Expand Configurations -> server-config -> Network Config -> Network Listeners
  3. Select the listener to configure and change the Port value.

By default, there are the following listeners:

  • admin-listener: for GlassFish Administration Console
  • http-listener-1: for hosted applications HTTP connections (QPR UI is the hosted application)
  • http-listener-2: for hosted applications HTTPS connections

Change Glassfish Administrator Password

It is highly recommended to change the default administrator password for Glassfish at Domain -> Administrator Password.

SSL Configuration

There are two alternatives for setting up a secure connection:

Alternative 1: Routing Traffic Through IIS

This is the recommended way, because it's easier to maintain than SSL configuration in GlassFish. See Routing Through IIS in QPR UI and configure the SSL certificate in IIS.

Alternative 2: SSL Configuration in GlassFish

In order to configure your installation to use SSL for encrypting the communication, follow the instructions below. Note that the instructions assume that your SSL certificate is in the .pfx format. For other formats some commands have to be altered accordingly.

  1. Make sure your Java JRE bin folder is in the environment's PATH setting, so that keytool will be found.
  2. Launch two command prompts with administrator rights, navigate one to <QPR UI installation root>\Glassfish\bin and the other to <QPR UI installation root>\Glassfish\glassfish\domains\domain1\config
  3. Make backup copies of keystore.jks, cacerts.jks, and domain.xml in <QPR UI installation root>\Glassfish\glassfish\domains\domain1\config
  4. Open the Glassfish administration panel at http://<hostname>:4848. If you haven't done so, change the administrator password. Use a password longer than six characters here.
  5. In the Glassfish admin panel, go to server (Admin Server) -> Secure Administration -> Enable secure administration. Note that at this point the secure admin will still be using a self-signed certificate, which will cause warnings in browsers. As we know the reason for the warning, we can ignore it this time and proceed to the secure administration despite the certificate error.
  6. Stop the domain from the server (Admin Server) page or by running the following command line in the bin folder:
    asadmin stop-domain
  7. With the command line in the bin folder, run:
    asadmin change-master-password --savemasterpassword=true
    and define a new password to replace the default "changeit" password. NOTE: This should be a different password than the administrator password used for regular logins. This is basically a master key to the installation, and the certificate will also use this password at a later stage, so choose an appropriately strong password that is known only by those who have access to the SSL certificate password.
  8. Change to the command line in the config folder. Run:
    keytool -importkeystore -srckeystore <your_pfx_file_name_and_path> -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
    You'll be asked for the destination keystore password; input the password defined in the previous step here. Use the same password when you're asked to re-enter the new password. The source keystore password is your SSL certificate's password. Copy the alias to e.g. Notepad; you'll need it later.
  9. In the config folder, import the certificate also to the cacerts.jks keystore, i.e. run:
    keytool -importkeystore -srckeystore <your_pfx_file_name_and_path> -srcstoretype pkcs12 -destkeystore cacerts.jks -deststoretype JKS
  10. In the config folder, run the following commands:
    keytool -keypasswd -alias <key alias from step 8> -keystore keystore.jks
    keytool -keypasswd -alias <key alias from step 8> -keystore cacerts.jks
    You're asked for the keystore password; this is once again the password defined in step 7. When the key password is requested, enter the original SSL certificate password and then enter the password from step 7 as the new key password.
  11. Start the domain by running the following command line in the bin folder:
    asadmin start-domain
  12. Access the Glassfish admin panel at https://<servername>:4848
  13. Expand Configurations -> server-config -> Network Config -> Network Listeners -> http-listener-2
  14. Switch to the SSL tab and enable SSL3. Also change Certificate nickname to be the alias from step 8 and save the changes.
  15. You can now also disable http-listener-1 to prevent access without SSL, but that is safer to do after you have verified that the SSL config works.
  16. Stop the domain and open <QPR UI installation root>\Glassfish\glassfish\domains\domain1\config\domain.xml in a text editor that's running as an administrator. Search and replace all references to s1as with the alias from step 8.
  17. Save the file and restart the domain. You should now be able to access the SSL instance at https://<servername>:8181/mobiledash/
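
A check for steps 13 to 16, to run against domain.xml before the restart in step 17 (an added example, not part of the original wiki page or of QPR's tooling). The sample domain.xml is constructed, its element and attribute names are assumptions modelled on a stock GlassFish domain.xml, and the alias qprui-cert is hypothetical.

```python
import xml.etree.ElementTree as ET

DEFAULT_ALIAS = "s1as"  # the default alias that step 16 replaces

# Constructed sample: a cut-down domain.xml after an incomplete step 16.
# Element and attribute names are assumptions modelled on a stock domain.xml.
SAMPLE_DOMAIN_XML = """<domain>
  <configs><config name="server-config">
    <java-config>
      <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as</jvm-options>
    </java-config>
    <network-config><protocols>
      <protocol name="http-listener-1"><http/></protocol>
      <protocol name="http-listener-2" security-enabled="true">
        <ssl cert-nickname="qprui-cert" ssl3-enabled="true"/>
      </protocol>
    </protocols></network-config>
  </config></configs>
</domain>"""


def audit_domain_xml(xml_text, alias, listener="http-listener-2"):
    """Return leftover default-alias references and the listener's SSL state."""
    root = ET.fromstring(xml_text)
    leftover = []
    for elem in root.iter():
        # The alias can sit in attribute values or in element text (jvm-options).
        for name, value in elem.attrib.items():
            if DEFAULT_ALIAS in value:
                leftover.append(f'<{elem.tag} {name}="{value}">')
        if elem.text and DEFAULT_ALIAS in elem.text:
            leftover.append(f"<{elem.tag}>{elem.text.strip()}")
    result = {"leftover": leftover, "listener_found": False, "ssl3_enabled": False,
              "security_enabled": False, "nickname_matches": False}
    for proto in root.iter("protocol"):
        if proto.get("name") != listener:
            continue
        ssl = proto.find("ssl")
        result["listener_found"] = True
        result["security_enabled"] = proto.get("security-enabled") == "true"
        if ssl is not None:
            result["nickname_matches"] = ssl.get("cert-nickname") == alias
            # SSLv3 is deprecated (RFC 7568); surfaced so the setting gets reviewed.
            result["ssl3_enabled"] = ssl.get("ssl3-enabled") == "true"
    return result


if __name__ == "__main__":
    print(audit_domain_xml(SAMPLE_DOMAIN_XML, "qprui-cert"))
```

On the sample, the listener carries the new alias but one jvm-options entry still points at s1as, which is the kind of miss a manual search and replace can leave behind.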