Glassfish Change Admin Password

Tags:

glassfish-3

How can I change the admin password for a Glassfish Domain using a password file? I know the conventional method of manually typing the password upon prompt.

However, I want to change the admin password using a script wherein I do not have to manually type the password.

chintamanibhat asked Feb 01 '17 07:02


2 Answers

This is possible, but you will need 2 password files if you want to script this fully in the easiest way.

Create a temporary file (tmpfile in my example) which will hold the current password (blank by default) and the desired new password:

AS_ADMIN_PASSWORD=
AS_ADMIN_NEWPASSWORD=myNewPassword

Now create a password file (pwdfile in my example) which will contain the changed admin password:

AS_ADMIN_PASSWORD=myNewPassword

You can then use the files to change the password using the commands below, making sure to use tmpfile when changing the password, then pwdfile afterwards:

 $PAYARA_PATH/bin/asadmin start-domain
 $PAYARA_PATH/bin/asadmin --user $ADMIN_USER --passwordfile=/opt/tmpfile change-admin-password
 $PAYARA_PATH/bin/asadmin --user $ADMIN_USER --passwordfile=/opt/pwdfile enable-secure-admin
 $PAYARA_PATH/bin/asadmin restart-domain

This example was adapted from the way the Payara Server dockerfile works.

Mike answered Sep 23 '22 13:09


For anyone still interested in manually setting the admin account password:

I tried to generate the contents of the "admin-keyfile" located in "glassfish/domains/{ACTIVE_DOMAIN_NAME}/config/admin-keyfile" based on the current implementation of the Payara Repo. This file (as the data source for the FileRealm) is used to authenticate the admin user when accessing the admin interface under port 4848.

Each line of this text file represents an account and is structured as

USERNAME;PASSWORD;GROUPS

The field "PASSWORD" is prefixed with a hash algorithm keyword (wrapped in curly braces, e.g. "SSHA" or "SSHA256") followed by a BASE64 encoded hash of the concatenated salted hash and the salt value itself (some random bytes):

{SSHA}BASE64(SHA(password,salt),salt)

Long story short: If you want to generate user accounts manually, you could, for example, use the following Python script:

import hashlib
from base64 import b64encode
from secrets import token_bytes
from getpass import getpass

username = 'admin' # input('Username: ')
plainTextPassword = getpass()
randomSalt = token_bytes(8)
passwordHash = hashlib.sha256()
passwordHash.update(plainTextPassword.encode('utf-8'))
passwordHash.update(randomSalt)
passwordDigest = passwordHash.digest()
# cryptic range reflects the strange implementation... feel free to change it to "range(99)"
# https://github.com/payara/Payara/blob/6488cbdc90fd0f6c42de6a42affcd09f697be715/nucleus/common/common-util/src/main/java/org/glassfish/security/common/SSHA.java#L108
for run in range(2, 101):
    passwordHash = hashlib.sha256()
    passwordHash.update(passwordDigest)
    passwordDigest = passwordHash.digest()
saltedHashAndSalt = b64encode(passwordDigest + randomSalt).decode('utf-8')
result = '{0};{{SSHA256}}{1};asadmin'.format(username, saltedHashAndSalt)
print(result)

Insert the console output into the "admin-keyfile" and (re)start your server.

Christoph Zuleger answered Sep 20 '22 13:09
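To check an "admin-keyfile" line before restarting the server, the following added example (not part of the answer above and not Payara's own code) parses the USERNAME;PASSWORD;GROUPS format described there, splits the decoded blob into digest and salt, and recomputes the hash for a candidate password. The function names are hypothetical, the sample values are constructed, and applying the same round count to {SSHA} is an assumption.

```python
import hashlib
import hmac
from base64 import b64decode, b64encode

# Scheme keyword -> digest. Same round count for {SSHA} is an assumption.
SCHEMES = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256}
REHASH_ROUNDS = 99  # range(2, 101) in the script above


def ssha_digest(password, salt, algo):
    """Hash password+salt once, then re-hash the digest REHASH_ROUNDS times."""
    digest = algo(password.encode("utf-8") + salt).digest()
    for _ in range(REHASH_ROUNDS):
        digest = algo(digest).digest()
    return digest


def make_entry(username, password, salt, scheme="SSHA256", groups="asadmin"):
    blob = b64encode(ssha_digest(password, salt, SCHEMES[scheme]) + salt)
    return f"{username};{{{scheme}}}{blob.decode('ascii')};{groups}"


def parse_entry(line):
    """Return (username, scheme, digest, salt, groups) or raise ValueError."""
    fields = line.strip().split(";")
    if len(fields) != 3:
        raise ValueError("expected USERNAME;PASSWORD;GROUPS")
    username, pw_field, groups = fields
    if not pw_field.startswith("{") or "}" not in pw_field:
        raise ValueError("missing {SCHEME} prefix")
    scheme, encoded = pw_field[1:].split("}", 1)
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme: {scheme}")
    raw = b64decode(encoded, validate=True)  # ValueError on bad base64
    size = SCHEMES[scheme]().digest_size
    if len(raw) <= size:
        raise ValueError("no salt after digest")
    return username, scheme, raw[:size], raw[size:], groups


def verify_entry(line, password):
    # Recompute with the stored salt and compare in constant time.
    _, scheme, digest, salt, _ = parse_entry(line)
    candidate = ssha_digest(password, salt, SCHEMES[scheme])
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    sample = make_entry("admin", "constructed-pw", bytes(range(8)))  # constructed
    print(sample, verify_entry(sample, "constructed-pw"))
```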