last modified: 2017-04-09


  • I use Debian, version 8.7 (why?)

  • Vim is used as the text editor in what follows

Installing the JDK 8

Create a new file:

vim /etc/apt/sources.list.d/java-8-debian.list

add these lines:

Save and close the file.

import the repository's signing key (apt will then trust every package this repository serves, so check the full key fingerprint against the one the repository publishes before importing it):

apt-key adv --keyserver --recv-keys EEA14886

install the JDK 8:

apt-get update
apt-get install oracle-java8-installer

Set JAVA_HOME and the default java/javac alternatives to this JDK:

apt-get install oracle-java8-set-default

Installing Glassfish 4.1

We will install it in /opt/app-server:

mkdir /opt/app-server

create a glassfish user (the -m option creates its home directory if it does not exist yet). It is a good idea to choose a user name other than glassfish: default values are always to be avoided.

sudo useradd -m glassfish

make the user the owner of /opt/app-server and keep everyone else out of it (mode 700: only the owner can read, write or enter the tree):

sudo chown -R glassfish /opt/app-server
sudo chmod -R 700 /opt/app-server

change to the glassfish user:

su - glassfish

download GlassFish 4.1 from here and unpack the zip in /opt/app-server (this creates the glassfish4 directory used below):

cd /opt/app-server

GlassFish is now installed.

Hardening Glassfish 4.1

GlassFish's command line tool is asadmin, in the bin directory; start it from there and type the commands that follow at its prompt:

cd glassfish4/glassfish/bin


Change the master password:

change-master-password --savemasterpassword

(enter "changeit", the default, when asked for the current master password, then choose your own)

We will now delete the default domain ("domain1") and create a new one, for two reasons:

  • The new domain gets a custom name, so the default value is not used.

  • Creating a domain from scratch lets us use the handy "portbase" option:

→ "portbase" assigns the domain a whole set of ports at fixed offsets from the base value, instead of the well-known defaults.

delete-domain domain1
create-domain --portbase 17390 yourcustomdomain

(only letters and digits in the domain name)

So with portbase 17390 (choose your own value instead), the admin console listens on 17390 + 48 = 17438.

Add a tunnel for port 17438 to your SSH connection (local port forwarding) and reconnect; the console is then reached through the tunnel rather than being exposed on the network.

In the browser, go to http://localhost:17438

In the GUI console,

  • change the admin password

  • change the "Address" field of http-listener-2 (the HTTPS listener) to the IP address of the server.

  • change the content of /domains/yourcustomdomain/docroot/index.html to "my server is online"

  • create an "errorpages" subdirectory in your domain's root folder and an error page in /domains/yourcustomdomain/errorpages/404.html

Then, in the GUI console, point to this file by adding a property under:

Configuration | Virtual Server | server
name: send-error_1
value: code=404 path=/opt/app-server/glassfish4/glassfish/domains/yourcustomdomain/errorpages/404.html reason=Resource_not_found

(the path is absolute: it is the errorpages file just created, given the install location used here)

Hide the identity of the server in the response headers:

  • In the http-listeners, turn off the "XPowered By" header on each http-listener

  • add a JVM option that blanks the Server header
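As an added example (not code from the original tutorial or from GlassFish), the following POSIX shell script covers two of the steps above in checkable form: it derives the port set, the admin console port and the SSH tunnel command from a --portbase value, and it audits the domain's domain.xml for the two hardening settings just made through the GUI. It assumes the GlassFish 4.x conventions: create-domain assigns the admin console portbase+48 and its highest port portbase+86, "X-Powered-By off" is stored as xpowered-by="false" on the <http> elements, and the custom 404 page as a send-error_1 property of the virtual server. The two domain.xml fragments in the script are constructed for the demo, and the gf_* function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the tutorial above or from GlassFish itself.
# Helpers for a --portbase domain, plus an audit of domain.xml for the two
# header/error-page settings the hardening steps set through the GUI.
#
# Assumptions (GlassFish 4.x, per the create-domain manual and domain.xml
# layout): --portbase N puts the admin console on N+48 and its highest port
# on N+86; "X-Powered-By off" is xpowered-by="false" on each <http> element;
# the custom 404 page is a send-error_1 property of <virtual-server>.

# Admin console port for a given --portbase.
gf_admin_port() {
    echo $(( $1 + 48 ))
}

# Every port create-domain derives from a --portbase, as "name port" lines
# (handy for firewall rules and for checking nothing collides).
gf_ports() {
    for spec in admin:48 http:80 https:81 jms:76 iiop:37 iiop-ssl:38 \
                iiop-mutualauth:39 jmx:86 jpda:9 osgi-shell:66; do
        echo "${spec%:*} $(( $1 + ${spec#*:} ))"
    done
}

# A portbase is usable only if the whole set stays below 65536 and above the
# privileged range, which the unprivileged domain user cannot bind.
gf_portbase_ok() {
    [ "$1" -ge 1024 ] && [ $(( $1 + 86 )) -le 65535 ]
}

# The ssh command that forwards the admin console to the local machine, so the
# console is reached through the tunnel instead of being exposed on the network.
gf_tunnel_cmd() {
    p=$(gf_admin_port "$1")
    echo "ssh -L $p:localhost:$p $2"
}

# Audit the content of a domain.xml ($1, e.g. "$(cat .../domain.xml)").
# Prints what is missing; returns 0 only when both settings are present.
gf_audit_domain_xml() {
    xml=$1
    rc=0
    # every <http ...> element must carry xpowered-by="false"
    n=$(printf '%s\n' "$xml" | grep -cE '<http[ />]' || true)
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no <http> element found, is this a domain.xml?"
        rc=1
    elif printf '%s\n' "$xml" | grep -E '<http[ />]' | grep -vq 'xpowered-by="false"'; then
        echo "FAIL: an <http> element still sends the X-Powered-By header"
        rc=1
    fi
    # the virtual server must map 404 to the custom error page
    if ! printf '%s\n' "$xml" | grep -q 'name="send-error_1" value="code=404 '; then
        echo "FAIL: no send-error_1 property for code=404 on the virtual server"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: X-Powered-By off and custom 404 page configured"
    fi
    return "$rc"
}

# Constructed domain.xml fragments for the demo (not copied from a real
# server): one as create-domain leaves it, one after the hardening steps.
GF_DEFAULT_XML='<config name="server-config">
  <http-service>
    <virtual-server id="server" network-listeners="http-listener-1,http-listener-2"/>
  </http-service>
  <network-config>
    <protocols>
      <protocol name="http-listener-1">
        <http default-virtual-server="server" max-connections="250"/>
      </protocol>
    </protocols>
  </network-config>
</config>'

GF_HARDENED_XML='<config name="server-config">
  <http-service>
    <virtual-server id="server" network-listeners="http-listener-1,http-listener-2">
      <property name="send-error_1" value="code=404 path=/opt/app-server/glassfish4/glassfish/domains/yourcustomdomain/errorpages/404.html reason=Resource_not_found"/>
    </virtual-server>
  </http-service>
  <network-config>
    <protocols>
      <protocol name="http-listener-1">
        <http default-virtual-server="server" max-connections="250" xpowered-by="false"/>
      </protocol>
    </protocols>
  </network-config>
</config>'

# Demo run with the tutorial's portbase.
gf_portbase_ok 17390 && gf_ports 17390
echo "admin console: $(gf_admin_port 17390)"            # 17438
echo "tunnel: $(gf_tunnel_cmd 17390 you@yourserver)"
gf_audit_domain_xml "$GF_DEFAULT_XML" || true
gf_audit_domain_xml "$GF_HARDENED_XML"
```

On the server, run the audit against the saved configuration with gf_audit_domain_xml "$(cat /opt/app-server/glassfish4/glassfish/domains/yourcustomdomain/config/domain.xml)"; a FAIL line means one of the console changes was not saved. It inspects the file, not the running listener, so after restarting the domain confirm the headers with a quick curl -sI against the HTTP port as well.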

the end

Author of this tutorial: Clement Levallois

All resources on linux security: