Oracle GlassFish Server 3.0.1 Administration Guide

Administering Password Aliases

A password alias is used to indirectly access a password so that the password itself does not appear in cleartext in the domain's domain.xml configuration file.

Storing passwords in cleartext format in system configuration files is common in many open source projects. In addition to GlassFish Server, Apache Tomcat, Maven, and Subversion, among others, store and pass passwords in cleartext format. However, storing and passing passwords in cleartext can be a security risk, and may violate some corporate security policies. In such cases, you can use password aliases.

To Create a Password Alias

Use the create-password-alias subcommand in remote mode to create an alias for a password in the domain's keystore. The password corresponding to the alias name is stored in an encrypted form in the domain configuration file. The create-password-alias subcommand takes both a secure interactive form, in which users are prompted for all information, and a more script-friendly form, in which the password is propagated on the command line.

You can also use the set(1) subcommand to remove and replace the password in the configuration file. For example:


asadmin set --user admin server.jms-service.jms-host.default_JMS_host.admin-password='${ALIAS=jms-password}'
  1. Ensure that the server is running.

    Remote subcommands require a running server.

  2. Go to the directory where the configuration file resides.

    By default, the configuration file is located in domain-dir/config.

  3. Create the password alias by using the create-password-alias(1) subcommand.

  4. Type the password for the alias when prompted.

  5. Add the alias to a password file.

    In the password file, for example, passwords.txt, add the following line: AS_ADMIN_PASSWORD=${ALIAS=admin-password-alias}, where admin-password-alias is the new password alias.

  6. Stop the GlassFish Server domain.

    See To Stop a Domain.

  7. Start the domain specifying the file that contains the alias.

    Use the following syntax:


    start-domain --user admin --passwordfile /path-to/passwords.txt domain1

Example 11–3 Creating a Password Alias

This example creates the new jms-password alias for the admin user:


asadmin> create-password-alias --user admin jms-password

You are prompted to type the password for the alias:


Please enter the alias password>secret-password
Please enter the alias password again>secret-password
Command create-password-alias executed successfully.

See Also

You can also view the full syntax and options of the subcommand by typing asadmin help create-password-alias at the command line.
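An audit sketch for the procedure above, added here as an example and not part of the GlassFish distribution or the original guide: it scans a domain.xml for password-bearing attributes and properties, reports any that are not written as ${ALIAS=name}, and flags alias references whose name is missing from the set printed by list-password-aliases. The sample XML, the alias name report-db-password, the function names, and the "name contains password" heuristic are assumptions.

```python
import re
import xml.etree.ElementTree as ET

ALIAS_RE = re.compile(r"^\$\{ALIAS=([^}]+)\}$")

# Constructed sample, shaped like a fragment of domain-dir/config/domain.xml.
SAMPLE_DOMAIN_XML = """
<domain>
  <resources>
    <jdbc-connection-pool name="AppPool">
      <property name="Password" value="s3cret"/>
    </jdbc-connection-pool>
    <jdbc-connection-pool name="ReportPool">
      <property name="password" value="${ALIAS=report-db-password}"/>
    </jdbc-connection-pool>
  </resources>
  <configs><config name="server-config"><jms-service>
    <jms-host name="default_JMS_host" admin-password="${ALIAS=jms-password}"/>
  </jms-service></config></configs>
</domain>
"""

def password_values(root):
    """Yield (location, value) for each attribute or child property named like a password."""
    for elem in root.iter():
        owner = f"{elem.tag}[{elem.get('name', '')}]"
        for attr, value in elem.attrib.items():
            if "password" in attr.lower():
                yield f"{owner}@{attr}", value
        for prop in elem.findall("property"):
            if "password" in prop.get("name", "").lower():
                yield f"{owner}/property[{prop.get('name')}]", prop.get("value", "")

def audit(xml_text, known_aliases):
    """Return (cleartext locations, dangling (location, alias) references)."""
    cleartext, dangling = [], []
    for where, value in password_values(ET.fromstring(xml_text)):
        m = ALIAS_RE.match(value)
        if m is None:
            cleartext.append(where)  # report the location only, never the value
        elif m.group(1) not in known_aliases:
            dangling.append((where, m.group(1)))
    return cleartext, dangling

if __name__ == "__main__":
    # known_aliases: names as listed by `asadmin list-password-aliases` (constructed here).
    clear, missing = audit(SAMPLE_DOMAIN_XML, {"jms-password"})
    print("cleartext:", clear, "dangling:", missing)
```

Running the same check before delete-password-alias shows which configuration entries still reference the alias about to be removed.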

To List Password Aliases

Use the list-password-aliases subcommand in remote mode to list the existing password aliases.

  1. Ensure that the server is running.

    Remote subcommands require a running server.

  2. List password aliases by using the list-password-aliases(1) subcommand.


Example 11–4 Listing Password Aliases

This example lists the existing password aliases:


asadmin> list-password-aliases
jmspassword-alias
Command list-password-aliases executed successfully

See Also

You can also view the full syntax and options of the subcommand by typing asadmin help list-password-aliases at the command line.

To Delete a Password Alias

Use the delete-password-alias subcommand in remote mode to delete an existing password alias.

  1. Ensure that the server is running.

    Remote subcommands require a running server.

  2. List all aliases by using the list-password-aliases(1) subcommand.

  3. Delete a password alias by using the delete-password-alias(1) subcommand.


Example 11–5 Deleting a Password Alias

This example deletes the password alias jmspassword-alias:


asadmin> delete-password-alias jmspassword-alias
Command delete-password-alias executed successfully

See Also

You can also view the full syntax and options of the subcommand by typing asadmin help delete-password-alias at the command line.

To Update a Password Alias

Use the update-password-alias subcommand in remote mode to change the password for an existing password alias. The update-password-alias subcommand takes both a secure interactive form, in which the user is prompted for all information, and a more script-friendly form, in which the password is propagated on the command line.

  1. Ensure that the server is running.

    Remote subcommands require a running server.

  2. Update an alias by using the update-password-alias(1) subcommand.

  3. Type the password when prompted.


Example 11–6 Updating a Password Alias

This example updates the password for the jmspassword-alias alias:


asadmin> update-password-alias /home/password.txt jmspassword-alias

You are prompted to type the new password for the alias:


Please enter the alias password>new-secret-password
Please enter the alias password again>new-secret-password
Command update-password-alias executed successfully

See Also

You can also view the full syntax and options of the subcommand by typing asadmin help update-password-alias at the command line.