Virtual Guru's Blog – Home of Virtualization Workshops

April 15, 2009

Glassfish 2.1 App Server and MySQL 5.1 AMI Pre and Post configurations

Filed under: amazon_aws, cloud, glassfish, opensolaris, Virtualization — natiku @ 1:42 am

This entry is part of the ‘OpenSolaris on Amazon EC2’ workshop


Glassfish 2.1 AMI Create Info Phase

Edit /etc/mysql
Edit /root/ec2sun/README
Create /export/home/gf21/glassfish.README
Link README to /root/ec2sun/

Glassfish 2.1 AMI Cleaning phase

Cleaning is done as root; if you recreate any of the emptied files afterwards, make sure they get the owner and permissions the service expects.

Check that you are root:

whoami
root

1. Stop the service so we can clean its logs

svcadm disable -t glassfish/domain1

2. Clean service SMF logs

rm -f /var/svc/log/glassfish-domain1:default.log

3. Clean Glassfish server logs

rm -f /opt/gf21/glassfish/domains/domain1/logs/*.log

4. Clean Glassfish build files

rm -f /opt/gf21/*.jar

5. Clean the shell history of the GlassFish user and of root

rm -f /export/home/gf21/.*history
rm -f /root/.*history

6. Clean the IPS package download cache and search index

rm -r /var/pkg/download/*
rm -r /var/pkg/index/*

7. Wipe free space

I am not sure whether a ZFS clone also copies deleted data.

dd if=/dev/zero of=/zero.zer bs=10000000; rm -f /zero.zer
5745934336 bytes (5.7 GB) copied, 2876.97 s, 2.0 MB/s

Now we are ready to run the additional clean-up steps from the Getting Started guide (such as removing the SSH keys) and rebundle into an AMI.
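The cleaning steps above, and the root SSH-key and /var/adm clean-up that the rebuilding section below repeats, as one script. This is an added example, not code from the original post or from the workshop AMI: it takes the root of the tree to clean as its first argument so the whole sequence can be rehearsed on a constructed scratch tree (build_dirty_tree, with made-up contents) and audited before it is run as root on the instance as `sanitize_image_tree /`. The free-space zero fill with dd is left out on purpose, since it fills the whole filesystem.

```shell
#!/bin/sh
# Added example (not from the post): cleaning phase as one script, with an
# audit of what is still present before rebundling. Paths are the post's.

sanitize_image_tree() {
    root=${1:?usage: sanitize_image_tree ROOTDIR}
    # 1-3: SMF service log and GlassFish domain logs (service disabled first)
    rm -f "$root/var/svc/log/glassfish-domain1:default.log"
    rm -f "$root"/opt/gf21/glassfish/domains/domain1/logs/*.log
    # 4: build leftovers
    rm -f "$root"/opt/gf21/*.jar
    # 5: shell history of the runtime user and of root
    rm -f "$root"/export/home/gf21/.*history "$root"/root/.*history
    # 6: IPS download cache and search index, contents only
    rm -rf "$root"/var/pkg/download/* "$root"/var/pkg/index/*
    # rotated system logs go; live ones are truncated so owner/mode survive
    rm -f "$root"/var/adm/messages.[0-9]*
    for f in messages utmpx wtmpx; do
        if [ -f "$root/var/adm/$f" ]; then : > "$root/var/adm/$f"; fi
    done
    # root's SSH material (park authorized_keys on /mnt first, as the post does)
    rm -rf "$root"/root/.ssh/*
    return 0
}

# Audit before rebundling: list anything sensitive still present, return 1 if any.
audit_image_tree() {
    root=${1:?usage: audit_image_tree ROOTDIR}
    leftovers=$(
        find "$root/export/home" "$root/root" -type f \( -name '.*history' \
            -o -name authorized_keys -o -name 'id_rsa*' -o -name 'id_dsa*' \) 2>/dev/null || true
        find "$root/var/svc/log" "$root/opt/gf21/glassfish/domains" -type f -name '*.log' 2>/dev/null || true
        find "$root/var/pkg/download" "$root/var/pkg/index" -type f 2>/dev/null || true
        find "$root/var/adm" -type f -name 'messages.*' 2>/dev/null || true
        for j in "$root"/opt/gf21/*.jar; do [ -f "$j" ] && echo "$j"; done
        # PEM private keys anywhere under the home directories
        grep -rl -e '-----BEGIN .*PRIVATE KEY-----' "$root/export/home" "$root/root" 2>/dev/null || true
        for f in messages utmpx wtmpx; do
            [ -s "$root/var/adm/$f" ] && echo "$root/var/adm/$f (not empty)"
        done
        true
    )
    if [ -n "$leftovers" ]; then
        printf 'NOT CLEAN, still present:\n%s\n' "$leftovers"
        return 1
    fi
    echo "clean: $root"
}

# Constructed scratch tree mirroring the post's paths, with the kind of
# leftovers a used workshop instance has; nothing in it is real data.
build_dirty_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/var/svc/log" "$d/opt/gf21/glassfish/domains/domain1/logs" \
             "$d/export/home/gf21" "$d/root/.ssh" "$d/var/pkg/download/x" \
             "$d/var/pkg/index" "$d/var/adm"
    echo "[ Apr 15 ] started" > "$d/var/svc/log/glassfish-domain1:default.log"
    echo "INFO: started" > "$d/opt/gf21/glassfish/domains/domain1/logs/server.log"
    : > "$d/opt/gf21/glassfish-installer.jar"
    echo "asadmin change-admin-password -s" > "$d/export/home/gf21/.sh_history"
    echo "mysql -u root -p" > "$d/root/.sh_history"
    echo "ssh-rsa AAAA... workshop" > "$d/root/.ssh/authorized_keys"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' constructed '-----END RSA PRIVATE KEY-----' > "$d/root/.ssh/id_rsa"
    : > "$d/var/pkg/download/x/blob"
    : > "$d/var/pkg/index/main.idx"
    echo "Apr 15 01:42:00 host unix: boot" > "$d/var/adm/messages"
    : > "$d/var/adm/messages.0"
    echo "login record" > "$d/var/adm/wtmpx"
    echo "$d"
}

# Rehearsal: the dirty tree must fail the audit, the sanitized one must pass.
rehearse() {
    d=$(build_dirty_tree)
    if audit_image_tree "$d" >/dev/null; then
        echo "BUG: dirty tree passed audit"; rm -rf "$d"; return 1
    fi
    sanitize_image_tree "$d"
    if audit_image_tree "$d"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

rehearse
```

The audit is the part worth keeping around: run it as the last thing before rebundle.sh, and again on any AMI you publish, because a history file or a stray key that survives the clean-up is shipped to everyone who launches the image.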

Glassfish 2.1 AMI Rebuilding process (From inside AMI)

Getting Started Guide.

1. Check resource usage before rebundling

Memory and CPU usage

2. Open a second login for monitoring

ssh -i /mnt/keys/id_rsa-your-amazonec2-key -l root ec2-public-name

3. Move your Amazon EC2 SSH login key out of the image !!! (it is parked on /mnt, which is not bundled, and copied back after the rebundle)

cp /root/.ssh/authorized_keys /mnt/
rm -r /root/.ssh/*

4. Log clean-up

rm -f /var/adm/messages.[01234]
> /var/adm/messages
> /var/adm/utmpx
> /var/adm/wtmpx

5. Rebundle with the scripts

cd /mnt
/opt/ec2/sbin/rebundle.sh -v Glassfish_2008.11_32_1.0.img
Paste the following into bash. The heredoc delimiter is quoted ('EOF'), so the script is written exactly as ksh will read it and no $ or \ needs an extra backslash:
cat >/tmp/mon.ksh <<'EOF'
#!/bin/ksh
# Follow the ZFS resilver that rebundle.sh starts on rpool: wait until it
# shows up, then show its progress until it is gone.
resilvering() {
    zpool status rpool | grep "resilver in progress" >/dev/null
}
# one turn of the spinner: - \ | /
spin() {
    for c in '-' '\\' '|' '/'; do
        print -n -e "\b$c"
        sleep 1
    done
}
echo "ZFS Cloning started"
echo "Waiting, so the clone process really starts"
until resilvering; do
    spin
done
while resilvering; do
    status=$(zpool status rpool | grep "resilver in progress" | gsed -e 's/ scrub: resilver in progress for/Elapsed/g')
    print -n -e "\r $status  "
    spin
done
echo "ZFS Cloning ended"
exit 0
EOF
# 0755, not 0777: a world-writable script that root runs can be edited by any local user
chmod 0755 /tmp/mon.ksh
/tmp/mon.ksh
cp /mnt/authorized_keys /root/.ssh/
mkdir /mnt/parts
mkdir /mnt/keys
# Run from your workstation: stage the EC2 credentials on the instance's /mnt,
# the same place authorized_keys was parked because it is not part of the image
scp -i /mnt/keys/id_rsa-your-amazonec2-key /mnt/keys/environ.sh /mnt/keys/*.pem root@ec2-public-name:/mnt/keys/
# Back on the instance: environ.sh exports EC2_CERT, EC2_PRIVATE_KEY, EC2_USERID,
# EC2_KEYID and EC2_KEY (DIRECTORY is assumed to be /mnt, where rebundle.sh wrote the image)
. /mnt/keys/environ.sh
ec2-bundle-image -c $EC2_CERT -k $EC2_PRIVATE_KEY \
--kernel aki-6552b60c --ramdisk ari-6452b60d \
--block-device-mapping "root=rpool/52@0,ami=0,ephemeral0=1" \
--user $EC2_USERID --arch i386 \
-i $DIRECTORY/Glassfish_2008.11_32_1.0.img -d $DIRECTORY/parts
cd $DIRECTORY/parts
# Sync the clock first: S3 rejects signed requests whose timestamp is too far off
rdate time.czech.sun.com
ec2-upload-bundle -b sun-osol-2008-11 -m Glassfish_2008.11_32_1.0.img.manifest.xml \
--url http://s3.amazonaws.com \
--retry -a $EC2_KEYID -s $EC2_KEY
ec2reg -C $EC2_CERT -K $EC2_PRIVATE_KEY sun-osol-2008-11/Glassfish_2008.11_32_1.0.img.manifest.xml
IMAGE ami-a87b9cc1
ec2-describe-images ami-a87b9cc1
IMAGE   ami-a87b9cc1    sun-osol-2008-11/Glassfish_2008.11_32_1.0.img.manifest.xml      327216928991    available       private         i386    machine aki-6552b60c    ari-6452b60d
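A preflight for the rebundle step above, added here as an example that is not part of the original post or of the EC2 tools. environ.sh carries the AWS secret access key (EC2_KEY) in clear and the two .pem files are the X.509 certificate and private key that sign the bundle, so the check refuses to go on when any file in the staging directory is readable by group or other, or when environ.sh does not export what ec2-bundle-image, ec2-upload-bundle and ec2reg need. The variable names are the post's; the staging directory is a parameter (default /mnt/keys) and make_staging builds a constructed scratch copy with placeholder values so the check can be rehearsed without real credentials.

```shell
#!/bin/sh
# Added example (not from the post): run on the instance right before
# ec2-bundle-image. Credential files and variable names follow the post.

# Return 1 if any regular file in $1 has group or other permission bits set.
check_key_perms() {
    dir=$1; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c5-10)    # group+other part of e.g. -rw-------
        case $mode in
            ------) ;;
            *) echo "not private: $f (group/other bits: $mode)"; bad=1 ;;
        esac
    done
    return $bad
}

# Source environ.sh and verify the variables the post's commands rely on.
check_environ() {
    envfile=$1; bad=0
    [ -r "$envfile" ] || { echo "missing $envfile"; return 1; }
    . "$envfile"
    for v in EC2_CERT EC2_PRIVATE_KEY EC2_USERID EC2_KEYID EC2_KEY; do
        eval val=\${$v:-}
        [ -n "$val" ] || { echo "$v not set in $envfile"; bad=1; }
    done
    for f in "$EC2_CERT" "$EC2_PRIVATE_KEY"; do
        [ -f "$f" ] || { echo "credential file not found: '$f'"; bad=1; }
    done
    return $bad
}

# Both checks; only run ec2-bundle-image when this returns 0.
bundle_preflight() {
    dir=${1:-/mnt/keys}
    check_key_perms "$dir" && check_environ "$dir/environ.sh"
}

# Constructed staging directory: empty stand-ins for the .pem files and
# placeholder values, deliberately left group/other readable as after a
# careless scp.
make_staging() {
    d=$(mktemp -d)
    : > "$d/cert-demo.pem"
    : > "$d/pk-demo.pem"
    cat > "$d/environ.sh" <<EOF
export EC2_CERT=$d/cert-demo.pem
export EC2_PRIVATE_KEY=$d/pk-demo.pem
export EC2_USERID=123456789012
export EC2_KEYID=your-access-key-id
export EC2_KEY=your-secret-access-key
export DIRECTORY=$d
EOF
    chmod 644 "$d"/*
    echo "$d"
}

# Rehearsal: the sloppy copy must fail, chmod 600 must make it pass.
rehearse() {
    d=$(make_staging)
    if bundle_preflight "$d" >/dev/null; then
        echo "BUG: 0644 credentials passed"; rm -rf "$d"; return 1
    fi
    chmod 600 "$d"/*
    if bundle_preflight "$d" >/dev/null; then
        echo "preflight ok after chmod 600; safe to run ec2-bundle-image"
        rm -rf "$d"; return 0
    fi
    echo "BUG: 0600 credentials rejected"; rm -rf "$d"; return 1
}

rehearse
```

On the instance the call is simply `bundle_preflight /mnt/keys || exit 1` right after `. /mnt/keys/environ.sh`; the permission check is the one that usually bites, since scp only preserves modes with -p.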

Glassfish 2.1 AMI Rebuilding process (From outside in XEN/xVM)

Glassfish 2.1 Postconfiguration (Securing)

Set new Glassfish admin password

Sun GlassFish Enterprise Server 2.1 Administration Guide >> Chapter 9 Configuring Security

All tasks below need to be done as the GlassFish 2.1 runtime user “gf21”, so first su from “root” as:

su - gf21

1. Generate new admin password

To run GlassFish 2.1 securely you need to set a new admin password and regenerate the HTTPS key pair.

Remember that the admin listener runs over SSL, so asadmin has to be called with the “-s” (--secure) option.

The new admin password must be 8 or more characters long.

asadmin change-admin-password -s
Please enter the old admin password>adminadmin
Please enter the new admin password>yournewpassword
Please enter the new admin password again>yournewpassword
Updated .asadminpass file with new password.
Command change-admin-password executed successfully.

Re-generate a new GlassFish self-signed HTTPS certificate

Sun GlassFish Enterprise Server 2.1 Administration Guide >> Using Java Secure Socket Extension (JSSE) Tools

Steps in using verisign certificate with Glassfish appserver

Important:
Keep your SSL private keys private: if the keystore on the instance is compromised, your SSL traffic is no longer secure (it is as good as a password sent over the network in the clear).
When you create public AMIs, be sure to generate new, unique SSL keys for each of them; otherwise everyone who launches the AMI holds the same private key as your server.
The steps below keep the keystore password at the default “changeit”; in GlassFish 2.1 that password has to match the domain master password, so change it with “asadmin change-master-password” rather than with keytool alone.

1. Backup original certificate

cp /opt/gf21/glassfish/domains/domain1/config/keystore.jks   \
/opt/gf21/glassfish/domains/domain1/config/keystore.jks.old
cd  /opt/gf21/glassfish/domains/domain1/config/

2. Delete old certificate

keytool -delete -alias s1as -keystore keystore.jks -storepass changeit

3. Generate new certificate

Note: GlassFish in the Developer profile uses the same certificate for HTTPS on port 8181

and for the admin listener on port 4848, so the certificate contents will be
seen by public users; put meaningful data in the distinguished name.

keytool -genkey -noprompt -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -alias s1as \
-dname "CN=myamazon1.myec2domain.com,OU=SLI,O=GUB,L=Denver,ST=Colorado,C=US" \
-keystore keystore.jks -keypass changeit -storepass changeit -validity 3650

4. Check new certificate

keytool -list -keystore keystore.jks -storepass changeit -alias s1as -v
Alias name: s1as
Creation date: Sep 9, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=myamazon1.myec2domain.com, OU=SLI, O=GUB, L=Denver, ST=Colorado, C=US
Issuer: CN=myamazon1.myec2domain.com, OU=SLI, O=GUB, L=Denver, ST=Colorado, C=US
Serial number: 48c6557e
Valid from: Tue Sep 09 03:52:46 PDT 2008 until: Fri Sep 07 03:52:46 PDT 2018
Certificate fingerprints:
MD5:  7E:30:9D:D0:37:EC:1E:F2:0A:D1:80:2E:BE:EC:0F:CC
SHA1: 01:D8:83:8E:42:29:6F:9D:4F:57:2A:3B:B9:DE:AF:C2:76:1C:98:4B
Signature algorithm name: SHA1withRSA
Version: 3
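The check that belongs after step 4: prove that the keystore no longer carries the key that shipped in the public AMI. This is an added example, not code from the post or from GlassFish. cert_is_regenerated reads `keytool -list -v` output on stdin, extracts the SHA1 fingerprint of the listed entry and compares it with the fingerprint of the image's original certificate (the value printed above). The two keytool outputs in the block are constructed, abridged samples so it runs without Java; on the instance pipe the real command in: `keytool -list -v -keystore keystore.jks -storepass changeit -alias s1as | cert_is_regenerated`.

```shell
#!/bin/sh
# Added example (not from the post): did the s1as key really change?

# SHA1 fingerprint of the s1as certificate in the workshop AMI (from the post).
AMI_S1AS_SHA1='01:D8:83:8E:42:29:6F:9D:4F:57:2A:3B:B9:DE:AF:C2:76:1C:98:4B'

# First "SHA1: xx:yy:..." line of keytool -list -v on stdin, upper-cased.
fingerprint_sha1() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -n 1 | tr 'a-f' 'A-F'
}

# 0: fingerprint differs from the AMI's; 1: identical (the key is still
# shared with everyone who launched the AMI); 2: no fingerprint parsed
# (wrong alias, keystore or password).
cert_is_regenerated() {
    fp=$(fingerprint_sha1)
    if [ -z "$fp" ]; then
        echo "no SHA1 fingerprint in keytool output (check -alias/-storepass)" >&2
        return 2
    fi
    if [ "$fp" = "$AMI_S1AS_SHA1" ]; then
        echo "FAIL: s1as still has the AMI's shared key ($fp)"
        return 1
    fi
    echo "ok: s1as fingerprint $fp differs from the AMI's"
    return 0
}

# Constructed samples (abridged keytool -list -v output).
KEYTOOL_BEFORE='Alias name: s1as
Entry type: PrivateKeyEntry
Certificate fingerprints:
	 MD5:  7E:30:9D:D0:37:EC:1E:F2:0A:D1:80:2E:BE:EC:0F:CC
	 SHA1: 01:D8:83:8E:42:29:6F:9D:4F:57:2A:3B:B9:DE:AF:C2:76:1C:98:4B'
# the fingerprint below is made up for the sample, not a real certificate
KEYTOOL_AFTER='Alias name: s1as
Entry type: PrivateKeyEntry
Certificate fingerprints:
	 SHA1: 9a:6b:02:4e:d7:11:58:c3:aa:0e:3d:71:f5:28:66:b9:4c:0d:e2:15'

check_before() { printf '%s\n' "$KEYTOOL_BEFORE" | cert_is_regenerated; }
check_after()  { printf '%s\n' "$KEYTOOL_AFTER"  | cert_is_regenerated; }

check_before || true    # expected: FAIL, the key is still the AMI's
check_after             # expected: ok
```

Keep the fingerprint of every key that ever went into a published image in the list and the check catches a restored keystore.jks.old just as well as a forgotten regeneration.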

You can also use an OpenSSL-generated certificate, see

Using OpenSSL to create certificates for Metro

Optionally: Open Glassfish HTTP administration to internet

For most developer tasks you can use the command-line admin interface, like:

su - gf21
asadmin list-domains -s
domain1 running
asadmin help

But if you prefer the web-based admin console, follow this procedure

1. Change the admin listener address back to 0.0.0.0 in domain.xml

su - gf21
asadmin get -s server.http-service.http-listener.admin-listener.address
server.http-service.http-listener.admin-listener.address = 127.0.0.1
asadmin set -s server.http-service.http-listener.admin-listener.address=0.0.0.0

2. Restart Glassfish SMF service

User gf21 does not have the authorization to restart the service, so run these as root:
/usr/sbin/svcadm disable -t svc:/application/glassfish/domain1:default
/usr/sbin/svcadm enable svc:/application/glassfish/domain1:default
svcs /application/glassfish/domain1
STATE          STIME    FMRI
online*        12:50:01 svc:/application/glassfish/domain1:default
svcs /application/glassfish/domain1
online         12:05:29 svc:/application/glassfish/domain1:default
netstat -an | egrep "4848"
*.4848         *.*                0      0 49152      0 LISTEN

3. Open port 4848 in the Amazon EC2 security group (limit the source to your own address range rather than 0.0.0.0/0; once bound to all interfaces the console is protected only by the admin password and the self-signed certificate) and access it over HTTPS at the instance's public address, like:

https://ec2public_fqdn_name:4848/

and log in as user ‘admin’ with your new admin password.
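After the admin listener is moved from 127.0.0.1 to 0.0.0.0 it is worth listing which TCP ports the instance now has bound on all interfaces, so the security group can be limited to exactly those (and 4848 to your own source range). The following is an added example, not code from the post: it parses the Solaris `netstat -an` TCP table shown above, where the local address is written as addr.port and `*` stands for all interfaces. The table in the block is a constructed sample; on the instance the call is `netstat -an | check_exposed 22 8080 8181 4848`.

```shell
#!/bin/sh
# Added example (not from the post): which listeners face the internet?

# Print "port address" for each LISTEN entry of a Solaris netstat -an on stdin.
listening_ports() {
    awk '$NF == "LISTEN" {
            n = split($1, a, ".")      # "*.4848" -> a[1]="*", a[2]="4848"
            port = a[n]
            addr = substr($1, 1, length($1) - length(port) - 1)
            print port, addr
        }' | sort -n
}

# Only the ports bound on all interfaces, i.e. reachable from outside as
# soon as the security group lets the traffic through.
exposed_ports() {
    listening_ports | awk '$2 == "*" { print $1 }'
}

# Exit 0 when every exposed port is in the allow-list given as arguments,
# otherwise name the surprises and exit 1.
check_exposed() {
    allowed=" $* "
    rc=0
    for p in $(exposed_ports); do
        case $allowed in
            *" $p "*) ;;
            *) echo "listener on all interfaces not in allow-list: port $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample in the Solaris netstat -an layout (not from a real host).
NETSTAT_SAMPLE='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
127.0.0.1.3306             *.*                0      0 49152      0 LISTEN
      *.8080               *.*                0      0 49152      0 LISTEN
      *.8181               *.*                0      0 49152      0 LISTEN
      *.4848               *.*                0      0 49152      0 LISTEN
10.0.0.5.22          10.0.0.9.51234     49640      0 49640      0 ESTABLISHED'

# Expected: ports 111 and 4848 reported, since only SSH and the two web
# ports are in the allow-list; 3306 is loopback-only and not reported.
printf '%s\n' "$NETSTAT_SAMPLE" | check_exposed 22 8080 8181 || true
```

Run it after every change to domain.xml listeners or to the security group: the point of the comparison is that the allow-list is written down, so an extra world-bound port (rpcbind on 111 in the sample, or MySQL if it is ever rebound from 127.0.0.1) is noticed instead of silently inheriting whatever the group allows.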

You are done with the GlassFish 2.1 post customizations.

Where to look for Glassfish 2.1 help
