Payara Configuration in QPR UI
Access GlassFish Administration Console
GlassFish Administration Console can be accessed at http://SERVERNAME:4848, where SERVERNAME is the name of the server. Alternatively you can use http://localhost:4848 when accessing from the server itself.
Change GlassFish Port
By default, Glassfish is using ports 8080 (http) and 8181 (https) for the front-end and port 4848 for the administration UI. These ports can be changed as follows:
- Access the administration UI as described in Accessing GlassFish control panel.
- Expand Configurations -> server-config -> Network Config -> Network Listeners
- Select the listener to configure and change the Port value.
By default, there are following listeners:
- admin-listener: for GlassFish Administration Console
- http-listener-1: for hosted applications HTTP connections (QPR UI is the hosted application)
- http-listener-1: for hosted applications HTTPS connections
Change Glassfish Administrator Password
It is highly recommended to change the default administrator password for Glassfish at Domain -> Administrator Password.
SSL Configuration
There are two alternatives for setting up secure connection:
Alternative 1: Routing Traffic Through IIS
This is the recommended way, because it's easier to maintain than SSL configuration in GlassFish. See Routing Through IIS in QPR UI and configure the SSL sertificate in IIS.
Alternative 2: SSL Configuration in GlassFish
In order to configure your installation to use SSL for encrypting the communication, follow the instructions below. Note that the instructions assume that your SSL certificate is in the .pfx format. For other formats some commands have to be altered accordingly.
- Make sure your Java JRE bin folder is in the environment's PATH setting, so that keytool will be found.
- Launch two command prompts with administrator rights, navigate one to <QPR UI installation root>\Glassfish\bin and the other to <QPR UI installation root>\Glassfish\glassfish\domains\domain1\config
- Make backup copies of keystore.jks, cacerts.jks, and domain.xml in <QPR UI installation root>\Glassfish\glassfish\domains\domain1\config
- Open the Glassfish administration panel at http://<hostname>:4848. If you haven't done so, change the administrator password. Use a password longer than six characters here.
- In the Glassfish admin panel, go to server (Admin Server) -> Secure Administration -> Enable secure administration. Note that at this point the secure admin will still be using a self-signed certificate, which will cause warnings in browsers. As we know the reason for the warning, we can ignore it this time and proceed to the secure administration despite the certificate error.
- Stop the domain from the server (Admin Server) page or by running the following command line in the bin folder:
asadmin stop-domain
- With the command line in the bin folder, run:
asadmin change-master-password --savemasterpassword=true
and define a new password to replace the default "changeit" password. NOTE: This should be a different password than the admininistrator password used for regular logins. This is basically a master key to the installation and also the certificate will be using this password in a later stage, so choose an appropriately strong password that is known only by those who have access to the SSL certificate password.
- Change to the command line in the config folder. Run:
keytool -importkeystore -srckeystore <your_pfx_file_name_and_path> -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
You'll be asked for the destination keystore password, input the password defined in previous step here. Use the same password when you're asked to re-enter the new password. Source keystore password is your SSL certificate's password. Copy the alias to e.g. Notepad, you'll be needing this later.
- In the config folder, import the certificate also to the cacerts.jks keystore, i.e. run:
keytool -importkeystore -srckeystore <your_pfx_file_name_and_path> -srcstoretype pkcs12 -destkeystore cacerts.jks -deststoretype JKS
- In the config folder, run the following commands:
keytool -keypasswd -alias <key alias from step 8>
-keystore keystore.jks keytool -keypasswd -alias <key alias from step 8> -keystore cacerts.jks
- You're asked for the keystore password, this is once again the password defined in step 7. When the key password is requested, enter the original SSL certificate password and then enter the password from step 7 as the new key password.
- Start the domain by running the following command line in the bin folder:
asadmin start-domain
- Access the Glassfish admin panel at https://<servername>:4848
- Expand Configurations -> server-config -> Network Config -> Network Listeners -> http-listener-2
- Switch to the SSL tab and enable SSL3. Also change Certificate nickname to be the alias from step 8 and save the changes.
- You can now also disable http-listener-1 to prevent access without SSL, but that is safer to do after you have verified that the SSL config works.
- Stop the domain and open <QPR UI installation root>\Glassfish\glassfish\domains\domain1\config\domain.xml into a text editor that's running as an administrator. Search and replace all references to s1as with the alias from step 8.
- Save the file and restart the domain. You should now be able to access the SSL instance at https://<servername>:8181/mobiledash/