Setup of GlassFish and security measures

last modified: 2017-04-09

Clément Levallois


  • I use Debian, version 8.7 (why?)

  • Vi is used as a text editor in the following

Installing the JDK 8

Create a new file:

vim /etc/apt/sources.list.d/java-8-debian.list

add these lines:

Close the file.

get the repository signing key:

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886

install the JDK 8:

apt-get update
apt-get install oracle-java8-installer

Set the env variables straight:

apt-get install oracle-java8-set-default

Installing Glassfish 4.1

We will install it in /opt/app-server

mkdir /opt/app-server

create a glassfish user (here the -m option creates its home directory if not already present):

INFO

It may be a good idea to choose a user name other than glassfish: default values are always to be avoided.

sudo useradd -m glassfish

make the user owner of /opt/app-server:

sudo chown -R glassfish /opt/app-server
sudo chmod -R 700 /opt/app-server

change to user glassfish

su - glassfish

download glassfish from here: https://glassfish.java.net/download.html

cd /opt/app-server
wget http://download.java.net/glassfish/4.1.2/release/glassfish-4.1.2.zip
unzip glassfish-4.1.2.zip

Glassfish is now installed.

Hardening Glassfish 4.1

We can access the GlassFish command line by doing:

cd glassfish4/glassfish/bin

./asadmin

Change the master password:

change-master-password --savemasterpassword

(put "changeit" when the default password is asked, then choose your own)

We will now delete the default domain ("domain1") and create a new one. 2 reasons for this:

  • We will create a domain with a custom name, to avoid using the default value.

  • Creating a domain from scratch allows us to make use of the nice "portbase" option:

→ The "portbase" option allows for creating a set of ports different from the default ones.

delete-domain domain1
create-domain --portbase 17390 yourcustomdomain

NOTE

Use only letters and numbers in the domain name.

So, with portbase 17390 (choose your own value instead), the port for the GlassFish GUI console will be 17390 + 48 = 17438

Add a tunnel for port 17438 in your SSH connection. Restart your SSH connection.

In the browser, go to http://localhost:17438

In the GUI console,

  • change the admin password

  • change the "Address" field in the http-listener-2 submenu to the IP of the server.

  • change the content of /domains/yourcustomdomain/docroot/index.html → "my server is online"

  • create an "errorpages" subdir in your domain root folder and an error page in /domains/yourcustomdomain/errorpages/404.html

Then, in the GUI console, point to this file by adding a property to the virtual server (set the path value to the absolute path of your 404.html):

Configuration|Virtual Server|server
name: send-error_1
value: code=404 path=/tmp/404.html reason=Resource_not_found

Hide the identity of the server in the headers:

  • In http-listeners: turn off the "XPowered By:" setting on your http-listener, so that the X-Powered-By header is no longer sent

  • add a JVM-Option -Dproduct.name=""
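
A way to check the result of the two header settings above, as an added example that is not part of the original tutorial: the function reads HTTP response headers on stdin and reports any X-Powered-By header or non-empty Server header. The function names and both sample responses are constructed for illustration, and treating any non-empty Server value as a finding is an assumption of this example.

```shell
#!/usr/bin/env bash
# Added example: verify that response headers no longer identify the server.

# Reads raw HTTP response headers on stdin and prints one line per finding.
# Exit status: 0 = nothing identifying found, 1 = at least one finding.
audit_headers() {
    awk '
        { sub(/\r$/, "") }              # curl -I output uses CRLF line endings
        /^$/ { next }
        {
            colon = index($0, ":")
            if (colon == 0) next        # status line, not a header
            name  = tolower(substr($0, 1, colon - 1))
            value = substr($0, colon + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
        }
        name == "x-powered-by"          { print "FAIL X-Powered-By sent: " value; bad = 1 }
        name == "server" && value != "" { print "FAIL Server header discloses: " value; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: what an unhardened domain might answer.
sample_default() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Server: GlassFish Server Open Source Edition 4.1.2' \
        'X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1.2)' \
        'Content-Type: text/html'
}

# Constructed sample: the same response once both settings are applied.
sample_hardened() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Content-Type: text/html' \
        'Content-Length: 19'
}

echo "default domain:";  sample_default  | audit_headers || true
echo "hardened domain:"; sample_hardened | audit_headers && echo "OK: no identifying headers"

# Against your own server (replace the placeholders with your values):
#   curl -sI http://<server-ip>:<http-port>/ | audit_headers
```

Run the check again after a GlassFish upgrade or after creating a new domain, since a fresh domain starts from the default settings.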

The end!

Author of this tutorial: Clement Levallois

All resources on linux security: https://seinecle.github.io/linux-security-tutorials/
