Re: password policy since b55 (17 messages in net.java.dev.glassfish.admin)
Subject: Re: password policy since b55
From: Sankar Neelakandan (Sank@Sun.COM)
Date: Jul 24, 2009 2:26:52 pm
List: net.java.dev.glassfish.admin

Kedar Mhaswade wrote:

That's because the master password was NEVER enforced for v3. I implemented it for the first time for v3. If you ran the commands like you did for V2, this would always work. Remember, for V2, a domain startup would always require opening the stores, otherwise the server startup fails.

Yes, but in V2, when the master password is not provided for the create-domain command, the password is assumed to be "changeit". The start-domain command never prompted for the master password in this default case.

And it never does. Like I said, there was some create-domain related change that Bill made after I was done and I am not sure if this is the fallout of that.

e.g. try this out:

passwords:
    AS_ADMIN_MASTERPASSWORD=changeit
    AS_ADMIN_PASSWORD=adminadmin
    AS_ADMIN_ADMINPASSWORD=adminadmin

asadmin --passwordfile passwords create-domain --portbase 5000 d2

asadmin start-domain d2 (note: no passwordfile given)

and it *does* start without prompting.

Again, I don't know why it does not work when passwords does NOT contain AS_ADMIN_MASTERPASSWORD. It's a separate issue.

Yes, that is the issue I am trying to find the answer for. Anyway, I filed a bug for this: https://glassfish.dev.java.net/issues/show_bug.cgi?id=8869

Since the master password has been enforced only since b55, start-domain needs it to be provided during startup.

Now, in most cases, this is not a problem. In the "default" case, i.e. when the domain is *created* with default master password, startup would have it.

Does this mean the master password has to be explicitly provided as "changeit"?

No.

When the master password is not provided, the create-domain command still goes ahead and creates a domain. What is the master password used in this case?

Investigating. Not related to my changes ...

If it is "changeit", why does the start-domain command still prompt for the master password?

Correct, it should not and it does not.

In another case, where you choose to do --savemasterpassword during create-domain, start-domain would have that password read automatically for you, so that you don't have to provide it during startup.

-Kedar

Kedar, the exact problem is: in B55, when the domain is created without MASTERPASSWORD in the passwordfile, start-domain works without prompting for the master password. But in B56, when the domain is created without MASTERPASSWORD in the passwordfile, start-domain doesn't work without providing the master password. (If the domain is started without a console there is no prompting for the master password and it fails with the no-console message.)

Please see the following logs.

bash-3.00# cat /password.txt
AS_ADMIN_PASSWORD=adminadmin

bash-3.00# glassfishv3/glassfish/bin/asadmin create-domain --adminport 4848 --user admin --passwordfile /password.txt domain1
Deprecated syntax: create-domain, Options: [passwordfile, user]
Using port 4848 for Admin.
Using default port 8080 for HTTP Instance.
Using default port 7676 for JMS.
Using default port 3700 for IIOP.
Using default port 8181 for HTTP_SSL.
Using default port 3820 for IIOP_SSL.
Using default port 3920 for IIOP_MUTUALAUTH.
Using default port 8686 for JMX_ADMIN.
Distinguished Name of the self-signed X.509 Server Certificate is:
[CN=easqesf4,OU=GlassFish,O=Sun Microsystems,L=Santa Clara,ST=California,C=US]
Domain domain2 created.
Command create-domain executed successfully.

bash-3.00# glassfishv3/glassfish/bin/asadmin start-domain domain2
No valid master password found
Enter master password (3 attempt(s) remain)>
Sorry, incorrect master password, retry
Enter master password (2 attempt(s) remain)>
Sorry, incorrect master password, retry
Enter master password (1 attempt(s) remain)>
Sorry, incorrect master password, retry
Number of attempts (3) exhausted, giving up
Command start-domain failed.

When started without console it fails with the following error message

bash-3.00# glassfishv3/glassfish/bin/asadmin start-domain domain1
Deprecated syntax: start-domain, Options: [passwordfile, user]
No valid master password found
Command start-domain failed.
No console, no prompting possible

Dave,

It should be AS_ADMIN_MASTERPASSWORD. AS_ADMIN_USERPASSWORD is for (an entirely) different purpose.

If you don't really care about master password (:-0) you can just have AS_ADMIN_MASTERPASSWORD=changeit added to this password.txt file and I am pretty sure this will be fixed.

But I think we need to address this use case. My understanding was that in this case, (i.e. the way your password.txt seems) we should have defaulted the master password to "changeit". I am not sure if this is due to recent changes to create-domain command as well. We'll investigate.

For now, just add this one more line to password.txt to get unblocked.

-Kedar

David Ronge wrote:

Hi Kedar,

Yes, we delete domain1 first to be sure that an eventual setup change of the default domain won't give us some obscure diffs, and to keep the setup stable.

(delete-domain.1:
     [exec] Domain domain1 deleted.
     [exec] Command delete-domain executed successfully.
No passwd used.)

Content of the password.txt is here:
    AS_ADMIN_PASSWORD=adminadmin
    AS_ADMIN_USERPASSWORD=changeit

create-by-admin-command:
     [echo] exec: create-domain --user admin --passwordfile /space/test4u/cvswork/sunsw/tango/qe-tests/gf-setup/password.txt domain1
     [echo] With properties:
     [echo] http.ssl.port=8181:orb.listener.port=3007:imq.port=7676
     [exec] Deprecated syntax: create-domain, Options: [passwordfile, user]
     [exec] Using port 4848 for Admin.
     [exec] Using port 8080 for HTTP Instance.
     [exec] Using default port 7676 for JMS.
     [exec] Using port 3007 for IIOP.
     [exec] Using port 8181 for HTTP_SSL.
     [exec] Using default port 3820 for IIOP_SSL.
     [exec] Using default port 3920 for IIOP_MUTUALAUTH.
     [exec] Using default port 8686 for JMX_ADMIN.
     [exec] Distinguished Name of the self-signed X.509 Server Certificate is:
     [exec] [CN=eas-x2100-1.India.Sun.COM,OU=GlassFish,O=Sun Microsystems,L=Santa Clara,ST=California,C=US]
     [exec] Domain domain1 created.
     [exec] Command create-domain executed successfully.

This is the target used; more precisely, the target corresponding to the above log is here:

    <target name="create-by-admin-command" depends="get-asadmin" if="create.by.admin.command">
        <!-- propertyset refid="full.domain.propertyset"/ -->
        <echo message="exec: create-domain --user admin --passwordfile ${basedir}/password.txt ${domain.name}"/>
        <property name="dmn.specif.1" value="http.ssl.port=${https.port}" />
        <property name="dmn.specif.2" value="${dmn.specif.1}:orb.listener.port=${orb.port}" />
        <property name="dmn.specif.0" value="${dmn.specif.2}:imq.port=${imq.port}" />
        <echo message="With properties:"/>
        <echo message="${dmn.specif.0}"/>

        <exec executable="${asadmin.executable}" dir="${basedir}" resultproperty="asadmin.result">
            <!-- in ${gf.install.home} or ${basedir} ? -->
            <arg value="create-domain"/>
            <arg value="--user"/>
            <arg value="admin"/>
            <arg value="--passwordfile"/>
            <arg value="password.txt"/><!-- ${basedir}/... -->
            <arg value="--instanceport"/>
            <arg value="${instance.port}"/>
            <arg value="--adminport"/>
            <arg value="${admin.port}"/>
            <arg value="--domaindir"/>
            <arg value="${gf.install.home}/domains"/>
            <arg value="--domainproperties"/>
            <arg value="${dmn.specif.0}"/>
            <!-- leave as last item value - (first that is not an option) -->
            <arg value="${domain.name}"/>
        </exec>
    </target>

with --domainproperties echoed as visible. There's an alternative setup target using setup.xml, but that is used with V2 only, for continuity. (The property set contains the original default ports mainly; I think these are exclusively defaults, you can see better.)

The master password claimed is AS_ADMIN_PASSWORD - according to the password.txt? Or the other entry?

Hi David,

VB Kumar told me that you guys were seeing some issues here.

Yes, I made some changes to the master password handling in b55. It was not a big deal as far as users are concerned. I am sorry that it seems to affect you. But I do think that you guys are creating the domain differently. As you can see in the console output of start-domain, it contains:

     [exec] No valid master password found
     [exec] No console, no prompting possible
     [exec] Command start-domain failed.
     [exec] Result: 1

So, it's not failing for deprecated syntax, but for something else. Can I get the entire sequence of commands you run? For example, is the same password.txt provided to both create-domain and start-domain commands? I somehow think that the master password for this domain is not the default ("changeit") or there is a bug in what I recently did ...

Let me know either way. My commit log is here: http://fisheye4.atlassian.com/changelog/glassfish-svn/trunk/v3/admin/cli/src/main/java/com/sun/enterprise/admin/cli/commands?cs=29406

-Kedar

David Ronge wrote:

This way:

    <target name="start-a-domain" if="a.domain.exists" unless="skip.domain" depends="check.domain.exists">
        <property name="a.domain.name" value="${default.domain}"/><!-- convenience default -->
        <echo message="STARTING domain ${a.domain.name}..." />
        <echo message="stuff.dir ${stuff.dir}..." />
        <exec executable="${gf.install.home}/bin/asadmin.bat" os="Windows XP,Windows 2000,Windows 2003" dir="${stuff.dir}" spawn="true" failonerror="false">
            <arg value="start-domain"/>
            <arg value="--user"/>
            <arg value="admin"/>
            <arg value="--passwordfile"/>
            <arg value="password.txt"/>
            <arg value="${a.domain.name}"/>
        </exec>
        <exec executable="${gf.install.home}/bin/asadmin" dir="${stuff.dir}" os="SunOS,Linux,AIX,Mac OS X">
            <arg line="start-domain --user admin --passwordfile password.txt ${a.domain.name}"/>
        </exec>
        <echo message="STARTED domain ${a.domain.name}..." />
    </target>

(start-domain command seemed not to be obligatory with user and passwd data but stop-domain did when file-user was added etc. So we include it for start too.) This worked reliably unless some integration fault prevented proper start due to bundling error or start failure of some essential service.

Can you provide the syntax used to start the domain?

Thanks, Jane

David Ronge wrote:

Hi, is there any instruction on handling starting/stopping a domain differently now? The behavior has changed ~ with build b55, as now I can see:

start-a-domain:
     [echo] STARTING domain domain1...
     [echo] stuff.dir /space/test4u/cvswork/sunsw/tango/qe-tests/gf-setup...
     [exec] Deprecated syntax: start-domain, Options: [passwordfile, user]
     [exec] No valid master password found
     [exec] No console, no prompting possible
     [exec] Command start-domain failed.
     [exec] Result: 1
     [echo] STARTED domain domain1...

It says "deprecated", but the coming syntax simply doesn't work without change. Can someone please give me a clue? Our team tests Metro/jaxws webservices on V2/V3/Tomcat, so managing GF administration is sort of routine for us. (Still, if there's a page to look at when something stops working the old way, it would be nice.)

Thank you much in advance.
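As an added pre-flight check (not part of this thread, and not GlassFish's own tooling), the following POSIX shell function inspects an asadmin --passwordfile for the key the whole thread turns on, AS_ADMIN_MASTERPASSWORD, before an unattended start-domain is run from a script with no console; it also flags the AS_ADMIN_USERPASSWORD line from the QE password.txt, which is not the master password key, and the default value "changeit". The write_pwfile helper and the file paths are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from GlassFish: validate an asadmin
# --passwordfile before create-domain / start-domain is run unattended.
# Key names assumed as used in the thread: AS_ADMIN_PASSWORD,
# AS_ADMIN_MASTERPASSWORD, and the mis-named AS_ADMIN_USERPASSWORD.

# Usage: check_passwordfile FILE
# Exit status: 0 = AS_ADMIN_MASTERPASSWORD present,
#              1 = missing (start-domain prompts, or with no console fails
#                  with "No valid master password found"),
#              2 = file not readable. Warnings go to stderr.
check_passwordfile() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    # First AS_ADMIN_MASTERPASSWORD= line wins, as a KEY=VALUE file.
    master=$(sed -n 's/^AS_ADMIN_MASTERPASSWORD=//p' "$f" | head -n 1)
    if grep -q '^AS_ADMIN_USERPASSWORD=' "$f"; then
        echo "warning: AS_ADMIN_USERPASSWORD is not the master password key" >&2
    fi
    if [ -z "$master" ]; then
        echo "AS_ADMIN_MASTERPASSWORD missing: unattended start-domain will fail" >&2
        return 1
    fi
    if [ "$master" = "changeit" ]; then
        echo "warning: master password is the default 'changeit'" >&2
    fi
    return 0
}

# Demo helper (hypothetical): write a constructed password file line by line.
# Usage: write_pwfile PATH LINE...
write_pwfile() {
    p="$1"; shift
    : > "$p"
    for line in "$@"; do printf '%s\n' "$line" >> "$p"; done
}

# When run directly with a path argument, check that file.
if [ "$#" -gt 0 ]; then
    check_passwordfile "$1"
fi
```

A domain created with --savemasterpassword, as the thread mentions, does not need the key at start-domain time, so the check applies to the script-driven create-domain/start-domain pairing the QE setup uses.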

To unsubscribe, e-mail: admi@glassfish.dev.java.net For additional commands, e-mail: admi@glassfish.dev.java.net