Oracle GlassFish Server 3.1-3.1.1 High Availability Administration Guide |
Setting Up SSH User Authentication
When a GlassFish Server subcommand uses SSH to log in to a remote host, GlassFish Server must be able to authenticate the SSH user. Setting up SSH user authentication ensures that this requirement is met.
Before setting up SSH user authentication, determine the authentication scheme to use. If SSH is already deployed at your site, the authentication scheme to use might already be chosen for you.
The following table lists the authentication schemes that GlassFish Server supports. The table also lists the advantages and disadvantages of each authentication scheme.
The following topics are addressed here:
Use the setup-ssh subcommand in local mode to set up public key authentication without encryption. This subcommand enables you to set up public key authentication on multiple hosts in a single operation.
The setup-ssh subcommand generates a key pair and distributes the public key file to specified hosts. The private key file and the public key file are protected only by the file system's file access permissions. If you require additional security, set up public key authentication with passphrase-protected encryption as explained in To Set Up Encrypted Public Key Authentication.
Before You Begin
Ensure that the following prerequisites are met:
SSH is set up on each host where you are setting up public key authentication. For more information, see the following sections:
Only the SSH user has write access to the following files and directories on each host where you are setting up public key authentication:
The SSH user's home directory
The ~/.ssh directory
The authorized_keys file
If other users can write to these files and directories, the secure service might not trust the authorized_keys file and might disallow public key authentication.
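The write-access prerequisite above is the one that sshd's StrictModes setting (and the MKS Toolkit secure service) enforces before trusting a key file. The following script is an added example, not part of the GlassFish guide: it reports whether the home directory, ~/.ssh and ~/.ssh/authorized_keys are owned by the SSH user and carry no group or other write bit. The function name check_ssh_perms and its two arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the GlassFish guide: report whether only the SSH
# user can write to the home directory, ~/.ssh and ~/.ssh/authorized_keys.
# sshd's StrictModes (and the MKS Toolkit secure service) refuse a key file
# that other users could have tampered with, which is what the prerequisite
# above guards against.
#
# Usage: check_ssh_perms <ssh-user> <home-directory>   (exit 0 = acceptable)
check_ssh_perms() {
    user=$1
    home=$2
    rc=0
    want_uid=$(id -u "$user") || return 2
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "MISSING: $f"
            rc=1
            continue
        fi
        # ls -n prints the numeric owner; the mode string is portable across
        # GNU and BSD userlands, where stat(1) is not.
        entry=$(ls -ldn "$f")
        uid=$(printf '%s\n' "$entry" | awk '{print $3}')
        mode=$(printf '%s\n' "$entry" | cut -c1-10)
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD OWNER: $f is owned by uid $uid, expected $want_uid ($user)"
            rc=1
        fi
        # Characters 6 and 9 of the mode string are the group and other
        # write bits (for example drwxrwxr-x has group write set).
        gw=$(printf '%s\n' "$mode" | cut -c6)
        ow=$(printf '%s\n' "$mode" | cut -c9)
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "TOO PERMISSIVE: $f is $mode; group/other must not have write"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $user alone can write to the SSH files under $home"
    return "$rc"
}
```

Run it on each host as root or as the SSH user, for example check_ssh_perms gfuser /home/gfuser. A non-zero exit with a TOO PERMISSIVE line is the usual cause of the "permissions too permissive" failure described under Troubleshooting below.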
Note - Only the options that are required to complete this task are provided in this step. For information about all the options for setting up an SSH key, see the setup-ssh(1) help page.
asadmin> setup-ssh [--sshuser sshuser] host-list
sshuser
The SSH user for which you are generating the SSH key pair. If you are running the subcommand as the SSH user, you may omit this option.
host-list
A space-separated list of the names of the hosts where the SSH public key is to be distributed.
After generating the SSH key pair, the subcommand uses SSH to log in to each host in host-list as the SSH user to distribute the public key. Each time a password is required to log in to a host, you are prompted for the SSH user's password.
Example 2-4 Setting Up Public Key Authentication Without Encryption
This example generates and sets up an SSH key for the user gfuser on the hosts sua01 and sua02. The command is run by the user gfuser.
asadmin> setup-ssh --generatekey=true sua01 sua02
Enter SSH password for gfuser@sua01>
Created directory /home/gfuser/.ssh
/usr/bin/ssh-keygen successfully generated the identification /home/gfuser/.ssh/id_rsa
Copied keyfile /home/gfuser/.ssh/id_rsa.pub to gfuser@sua01
Successfully connected to gfuser@sua01 using keyfile /home/gfuser/.ssh/id_rsa
Copied keyfile /home/gfuser/.ssh/id_rsa.pub to gfuser@sua02
Successfully connected to gfuser@sua02 using keyfile /home/gfuser/.ssh/id_rsa
Command setup-ssh executed successfully.
Next Steps
After setting up public key authentication, test the setup by using ssh to log in as the SSH user to each host where the public key was distributed. For each host, log in first with the unqualified host name and then with the fully qualified name. If SSH does not prompt for a password, public key authentication is set up correctly on the host.
If you are prompted for a password, verify that the public key file was copied correctly to the SSH user's authorized_keys file.
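The two checks in the Next Steps above can be scripted. The following is an added example, not part of the GlassFish guide: pubkey_in_authorized_keys compares the key type and key body of a local id_rsa.pub against an authorized_keys file (the comment field is ignored, since setup-ssh may record a different host name there, as in the example output above), and key_login_works probes one host non-interactively so that a password prompt shows up as a failure instead of hanging. The function names and the assumption that the remote authorized_keys file has been fetched to a local path first (for example with scp, using the password login that still works) are this example's, not the guide's.

```shell
#!/bin/sh
# Added example, not from the GlassFish guide.
#
# pubkey_in_authorized_keys <id_rsa.pub> <authorized_keys>
#   Exit 0 if the public key's "type body" pair appears on an active line of
#   the authorized_keys file, 1 if not, 2 if no key could be read.
pubkey_in_authorized_keys() {
    pub=$1
    auth=$2
    # First two whitespace-separated fields: key type and base64 body.
    want=$(awk 'NF >= 2 { print $1, $2; exit }' "$pub")
    [ -n "$want" ] || { echo "no key found in $pub"; return 2; }
    # Skip blank and comment lines. The key may be preceded by an options
    # field (e.g. from="..."), so look for the pair at any field position.
    if awk -v want="$want" '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if (($i " " $(i + 1)) == want) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$auth"; then
        echo "key from $pub is present in $auth"
        return 0
    fi
    echo "key from $pub is NOT present in $auth"
    return 1
}

# key_login_works <ssh-user> <host>
#   Exit 0 only if public key authentication succeeds. BatchMode=yes makes ssh
#   fail instead of prompting, and PasswordAuthentication=no prevents a silent
#   fallback to the password, so success proves the key path itself.
key_login_works() {
    user=$1
    host=$2
    ssh -o BatchMode=yes -o PasswordAuthentication=no \
        -o PreferredAuthentications=publickey "$user@$host" true 2>/dev/null
}
```

Call key_login_works twice per host, once with the unqualified name and once with the fully qualified name, as the Next Steps require; when it fails, fetch the host's authorized_keys and run pubkey_in_authorized_keys against it to distinguish a missing key from a permissions problem.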
Troubleshooting
Setup might fail because file access permissions in the SSH user's home directory are too permissive. In this situation, ensure that the file access permissions in the SSH user's home directory meet the requirements for performing this procedure.
If you have set the file access permissions in the SSH user's home directory correctly, setup might still fail if you are using the MKS Toolkit. In this situation, correct the problem in one of the following ways:
On each remote host, copy the public key file to the SSH user's ~/.ssh directory and import the file. To import the file, select the Secure Service tab in the MKS configuration GUI and click Passwordless.
Disable strict modes.
See Also
You can also view the full syntax and options of the subcommand by typing asadmin help setup-ssh at the command line.
Encrypted key file authentication uses a private key file that is encrypted with a passphrase. This passphrase must be provided to unlock the private key before the key can be used for authentication. If you require encrypted public key authentication, you must use the SSH utility ssh-keygen to generate an SSH key pair with an encrypted private key. You can then use the setup-ssh subcommand to distribute the public key file to specified hosts.
To use the encrypted key file, GlassFish Server requires the passphrase with which the key file was encrypted. To provide this passphrase securely to GlassFish Server, create a GlassFish Server password alias to represent the passphrase and store this alias in a password file that is passed to the asadmin(1M) utility.
Note - Only the options that are required to complete this task are provided in each step. For information about all the options for the commands and subcommands in this task, see their help pages or man pages.
Before You Begin
Ensure that the following prerequisites are met:
SSH is set up on each host where you are setting up public key authentication. For more information, see the following sections:
Only the SSH user has write access to the following files and directories on each host where you are setting up public key authentication:
The SSH user's home directory
The ~/.ssh directory
The authorized_keys file
If other users can write to these files and directories, the secure service might not trust the authorized_keys file and might disallow public key authentication.
Use the SSH utility ssh-keygen(1) for this purpose.
$ ssh-keygen -t type
type
The algorithm that is to be used for the key, which must be rsa, dsa, or rsa1.
The ssh-keygen utility prompts you for a file in which to save the key.
The ssh-keygen utility prompts you for a passphrase.
The ssh-keygen utility prompts you to type the passphrase again.
Use the setup-ssh(1) asadmin subcommand for this purpose.
$ asadmin setup-ssh --generatekey=false host-list
host-list
A space-separated list of the names of the hosts where the SSH public key is to be distributed.
The subcommand uses SSH to log in to each host in host-list as the SSH user to distribute the public key. Each time a passphrase or a password is required to log in to a host, you are prompted for the passphrase or the SSH user's password.
Use the create-password-alias(1) asadmin subcommand for this purpose.
$ asadmin create-password-alias alias-name
alias-name
Your choice of name for the alias that you are creating.
The create-password-alias subcommand prompts you to type the passphrase for which you are creating an alias.
The create-password-alias subcommand prompts you to type the passphrase again.
AS_ADMIN_SSHKEYPASSPHRASE=${ALIAS=alias-name}
alias-name
The alias name that you specified when you created the password alias.
Note - When you create an SSH node, pass this file as the --passwordfile option of the asadmin utility. For more information, see To Create an SSH Node.
Example 2-5 Setting Up Encrypted Public Key Authentication
This example generates an SSH key pair with an encrypted private key for the user gfadmin and distributes the public key to the hosts sj01 and sj02. The example also creates an alias that is named ssh-key-passphrase for the private key's passphrase.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/gfadmin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/gfadmin/.ssh/id_rsa.
Your public key has been saved in /home/gfadmin/.ssh/id_rsa.pub.
The key fingerprint is:
db:b5:f6:0d:fe:16:33:91:20:64:90:1a:84:66:f5:d0 gfadmin@dashost
$ asadmin setup-ssh --generatekey=false sj01 sj02
Key /home/gfadmin/.ssh/id_rsa is encrypted
Enter key passphrase>
Enter SSH password for gfadmin@sj01>
Copied keyfile /home/gfadmin/.ssh/id_rsa.pub to gfadmin@sj01
Successfully connected to gfadmin@sj01 using keyfile /home/gfadmin/.ssh/id_rsa
Successfully connected to gfadmin@sj02 using keyfile /home/gfadmin/.ssh/id_rsa
SSH public key authentication is already configured for gfadmin@sj02
Command setup-ssh executed successfully.
$ asadmin create-password-alias ssh-key-passphrase
Enter the alias password>
Enter the alias password again>
Command create-password-alias executed successfully.
The entry in the password file for the ssh-key-passphrase alias is as follows:
AS_ADMIN_SSHKEYPASSPHRASE=${ALIAS=ssh-key-passphrase}
Troubleshooting
Setup might fail because file access permissions in the SSH user's home directory are too permissive. In this situation, ensure that the file access permissions in the SSH user's home directory meet the requirements for performing this procedure.
If you have set the file access permissions in the SSH user's home directory correctly, setup might still fail if you are using the MKS Toolkit. In this situation, correct the problem in one of the following ways:
On each remote host, copy the public key file to the SSH user's ~/.ssh directory and import the file. To import the file, select the Secure Service tab in the MKS configuration GUI and click Passwordless.
Disable strict modes.
See Also
You can also view the full syntax and options of the subcommands by typing the following commands at the command line:
asadmin help create-password-alias
asadmin help setup-ssh
To use SSH to log in to a remote host, GlassFish Server requires the SSH user's password. To provide this password securely to GlassFish Server, create a GlassFish Server password alias to represent the password and store this alias in a password file that is passed to the asadmin(1M) utility.
Before You Begin
Ensure that SSH is set up on each host where you are setting up password authentication. For more information, see the following sections:
Note - Only the options that are required to complete this task are provided in this step. For information about all the options for creating a password alias, see the create-password-alias(1) help page.
asadmin> create-password-alias alias-name
alias-name
Your choice of name for the alias that you are creating.
The create-password-alias subcommand prompts you to type the password for which you are creating an alias.
The create-password-alias subcommand prompts you to type the password again.
AS_ADMIN_SSHPASSWORD=${ALIAS=alias-name}
alias-name
The alias name that you specified when you created the password alias.
Note - When you create an SSH node, pass this file as the --passwordfile option of the asadmin utility. For more information, see To Create an SSH Node.
Example 2-6 Creating an Alias for the SSH User's Password
This example creates an alias that is named ssh-password for the SSH user's password.
$ asadmin create-password-alias ssh-password
Enter the alias password>
Enter the alias password again>
Command create-password-alias executed successfully.
The entry in the password file for the ssh-password alias is as follows:
AS_ADMIN_SSHPASSWORD=${ALIAS=ssh-password}
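The password file entries shown for the encrypted key passphrase (AS_ADMIN_SSHKEYPASSPHRASE) and for the SSH password (AS_ADMIN_SSHPASSWORD) are the only places in this procedure where a secret could accidentally be written in clear text. The following is an added example, not part of the GlassFish guide: a check that both entries are ${ALIAS=name} references rather than literal values, and that the file passed to --passwordfile is not readable by group or other users. The function name check_passwordfile and the expectation of 0600 permissions are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the GlassFish guide: sanity-check an asadmin
# password file before passing it with --passwordfile. The SSH secrets this
# chapter stores there should appear only as ${ALIAS=name} references to
# password aliases created with create-password-alias, and the file itself
# should not be readable by group or other users.
#
# Usage: check_passwordfile <password-file>   (exit 0 = acceptable)
check_passwordfile() {
    pwfile=$1
    rc=0
    for key in AS_ADMIN_SSHPASSWORD AS_ADMIN_SSHKEYPASSPHRASE; do
        # Value after "KEY=", first occurrence only; empty if the key is absent.
        val=$(sed -n "s/^${key}=//p" "$pwfile" | head -n 1)
        [ -n "$val" ] || continue
        case $val in
            '${ALIAS='*'}')
                echo "$key: alias reference ($val), ok" ;;
            *)
                echo "$key: literal secret stored in $pwfile; use \${ALIAS=alias-name} instead"
                rc=1 ;;
        esac
    done
    # Group and other permission bits are characters 5-10 of the ls -l mode string.
    grp_oth=$(ls -l "$pwfile" | cut -c5-10)
    case $grp_oth in
        ------) ;;
        *)
            echo "$pwfile is accessible by group/other ($grp_oth); chmod 600 it"
            rc=1 ;;
    esac
    return "$rc"
}
```

Run check_passwordfile on the file before every create-node-ssh or similar invocation that takes --passwordfile; a literal value is flagged even when the file permissions are correct, because the alias is what keeps the secret out of shell history, backups and copied files.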
See Also
You can also view the full syntax and options of the subcommand by typing asadmin help create-password-alias at the command line.