This entry is part of the 'OpenSolaris on Amazon EC2' workshop
Glassfish 2.1 AMI Create Info Phase
Edit /etc/mysql
Edit /root/ec2sun/README
Create /export/home/gf21/glassfish.REAME
Link README to /root/ec2sun/
Glassfish 2.1 AMI Cleaning phase
Cleaning is done as root. If you recreate empty files, make sure they have the corresponding rights.
Check that you are root
whoami
root
1. Stop services so we can clean their log
svcadm disable -t glassfish/domain1
2. Clean service SMF logs
rm -f /var/svc/log/glassfish-domain1:default.log
3. Clean Glassfish server logs
rm -f /opt/gf21/glassfish/domains/domain1/logs/*.log
4. Clean Glassfish build files
rm -f /opt/gf21/*.jar
5. Clean Glassfish users shell history
rm -f /export/home/gf21/.*history
rm -f /root/.*history
6. Clean IPS stuff
rm -r /var/pkg/download/*
rm -r /var/pkg/index/*
7. Wipe free space
I am not sure if ZFS clone also copies deleted stuff ???
dd if=/dev/zero of=/zero.zer bs=10000000; rm -f /zero.zer
5745934336 bytes (5.7 GB) copied, 2876.97 s, 2.0 MB/s
Now we are ready to run the additional cleanup procedures from Getting Started (like ssh keys) and rebundle into an AMI
Glassfish 2.1 AMI Rebuilding process (From inside AMI)
1. Check resource usage before rebuilding
MEM and CPU usage
2. Make second monitoring login
ssh -i /mnt/keys/id_rsa-your-amaonzec2-key -l root ec2-public-name
3. Move out my Amazon EC2 SSH login key !!!
cp /root/.ssh/authorized_keys /mnt/
rm -r /root/.ssh/*
4. Logs clean up
rm -f /var/adm/messages.[01234]
> /var/adm/messages
> /var/adm/utmpx
> /var/adm/wtmpx
5. Rebundle with scripts
cd /mnt
/opt/ec2/sbin/rebundle.sh -v Glassfish_2008.11_32_1.0.img
Paste it into bash; some $ and \ are escaped with ONE more \
cat >/tmp/mon.ksh <<EOF
#!/bin/ksh
echo "ZFS Cloning started"
echo "Waiting , so clone process really start "
# Phase 1: spin until the resilver (clone) shows up in zpool status
while true
do
  zpool status rpool | grep "resilver in progress" >/dev/null
  if [ \$? -eq 0 ]
  then
    break
  else
    print -n -e "\b-"
    sleep 1
    print -n -e "\b\\\"
    sleep 1
    print -n -e "\b|"
    sleep 1
    print -n -e "\b/"
    sleep 1
  fi
done
# Phase 2: show the elapsed time until the resilver is no longer reported
while true
do
  zpool status rpool | grep "resilver in progress" >/dev/null
  if [ \$? -eq 1 ]
  then
    break
  else
    status=\$(zpool status rpool | grep "resilver in progress"| gsed -e 's/ scrub: resilver in progress for/Elapsed/g' )
    print -n -e "\r \$status "
    print -n -e "\b-"
    sleep 1
    print -n -e "\b\\\"
    sleep 1
    print -n -e "\b|"
    sleep 1
    print -n -e "\b/"
    sleep 1
  fi
done
echo "ZFS Cloning ended"
exit 0
EOF
# owner-only: the script sits in /tmp and is run as root
chmod 0700 /tmp/mon.ksh
/tmp/mon.ksh
cp /mnt/authorized_keys /root/.ssh/
mkdir /mnt/parts
mkdir /mnt/keys
scp -i /mnt/keys/id_rsa-your-amaonzec2-key /mnt/keys/environ.sh /mnt/keys/*.pem root@ec2-public-name:/mnt/keys/
. /mnt/keys/environ.sh
ec2-bundle-image -c $EC2_CERT -k $EC2_PRIVATE_KEY \
  --kernel aki-6552b60c --ramdisk ari-6452b60d \
  --block-device-mapping "root=rpool/52@0,ami=0,ephemeral0=1" \
  --user $EC2_USERID --arch i386 \
  -i $DIRECTORY/Glassfish_2008.11_32_1.0.img -d $DIRECTORY/parts
cd $DIRECTORY/parts
rdate time.czech.sun.com
ec2-upload-bundle -b sun-osol-2008-11 -m Glassfish_2008.11_32_1.0.img.manifest.xml \
  --url http://s3.amazonaws.com \
  --retry -a $EC2_KEYID -s $EC2_KEY
ec2reg -C $EC2_CERT -K $EC2_PRIVATE_KEY sun-osol-2008-11/Glassfish_2008.11_32_1.0.img.manifest.xml
IMAGE ami-a87b9cc1
ec2-describe-images ami-a87b9cc1
IMAGE ami-a87b9cc1 sun-osol-2008-11/Glassfish_2008.11_32_1.0.img.manifest.xml 327216928991 available private i386 machine aki-6552b60c ari-6452b60d
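A pre-bundle check for the cleaning phase and for steps 3 and 4 of this section, as an added example that is not part of the original post: it reports every file those steps should have removed or truncated, and is meant to be run just before rebundle.sh. The function names and the optional root-prefix argument are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report files the cleaning steps
# should have removed or truncated. The optional ROOT prefix is an assumption
# so the check can also be pointed at a staged copy of the image.

audit_image() {
    root=${1:-}
    findings=0
    # Paths the post deletes with rm: none of these may exist.
    while read -r pattern; do
        for f in "$root"$pattern; do          # glob expands under $root
            if [ -e "$f" ] || [ -L "$f" ]; then
                echo "LEFTOVER  ${f#"$root"}"
                findings=$((findings + 1))
            fi
        done
    done <<'EOF'
/root/.*history
/export/home/gf21/.*history
/root/.ssh/*
/var/svc/log/glassfish-domain1:default.log
/opt/gf21/glassfish/domains/domain1/logs/*.log
/opt/gf21/*.jar
/var/adm/messages.[01234]
/zero.zer
EOF
    # Files the post truncates with "> file": may exist, must be empty.
    for f in /var/adm/messages /var/adm/utmpx /var/adm/wtmpx; do
        if [ -s "$root$f" ]; then
            echo "NOT-EMPTY $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]                     # exit status 0 only when clean
}

# Constructed demo tree standing in for a partly cleaned image.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/root/.ssh" "$t/export/home/gf21" "$t/var/adm"
    echo key > "$t/root/.ssh/authorized_keys"
    echo ls > "$t/export/home/gf21/.bash_history"
    echo boot > "$t/var/adm/messages"
    : > "$t/var/adm/wtmpx"
    echo "$t"
}
```

Call `audit_image ""` on the live instance, or pass the mount point of a staged image; the exit status is non-zero if anything was found.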
Glassfish 2.1 AMI Rebuilding process (From outside in XEN/xVM)
Glassfish 2.1 Postconfiguration (Securing)
Set new Glassfish admin password
Sun GlassFish Enterprise Server 2.1 Administration Guide >> Chapter 9 Configuring Security
All tasks below need to be done as the GlassFish 2.1 runtime user "gf21", so you need to su from the "root" user first:
su - gf21
1. Generate new admin password
To run GlassFish 2.1 securely, you need to set up a GF2.1 admin password and regenerate the HTTP SSL key.
Remember that we run admin over SSL, so you need to use asadmin with the "-s" parameter.
The new admin password must have 8 or more characters.
asadmin change-admin-password -s
Please enter the old admin password>adminadmin
Please enter the new admin password>yournewpassword
Please enter the new admin password again>yournewpassword
Updated .asadminpass file with new password.
Command change-admin-password executed successfully.
Re-generate a new Glassfish self-signed HTTP certificate
Steps in using verisign certificate with Glassfish appserver
Important:
Keep your SSL keys private. If your local certificate store is compromised,
your SSL communication will not be secure anymore (same as a password sent over the net).
When you create public AMIs, be sure to generate new unique SSL keys for them.
1. Backup original certificate
cp /opt/gf21/glassfish/domains/domain1/config/keystore.jks \
   /opt/gf21/glassfish/domains/domain1/config/keystore.jks.old
cd /opt/gf21/glassfish/domains/domain1/config/
2. Delete old certificate
keytool -delete -alias s1as -keystore keystore.jks -storepass changeit
3. Generate new certificate
Note: Glassfish in the Developer profile uses the same certificate for the Web on port 8181
and for the admin connection on port 4848, so the certificate content will be
seen by potential public users; use meaningful certificate data there.
keytool -genkey -noprompt -trustcacerts -keyalg RSA -sigalg SHA1withRSA -alias s1as \
  -dname "CN=myamazon1.myec2domain.com,OU=SLI,O=GUB,L=Denver,S=Colorado,C=US" \
  -keystore keystore.jks -keypass changeit -storepass changeit -validity 3650
4. Check new certificate
keytool -list -keystore keystore.jks -storepass changeit -alias s1as -v
Alias name: s1as
Creation date: Sep 9, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=myamazon1.myec2domain.com, OU=SLI, O=GUB, L=Denver, ST=Colorado, C=US
Issuer: CN=myamazon1.myec2domain.com, OU=SLI, O=GUB, L=Denver, ST=Colorado, C=US
Serial number: 48c6557e
Valid from: Tue Sep 09 03:52:46 PDT 2008 until: Fri Sep 07 03:52:46 PDT 2018
Certificate fingerprints:
  MD5: 7E:30:9D:D0:37:EC:1E:F2:0A:D1:80:2E:BE:EC:0F:CC
  SHA1: 01:D8:83:8E:42:29:6F:9D:4F:57:2A:3B:B9:DE:AF:C2:76:1C:98:4B
  Signature algorithm name: SHA1withRSA
  Version: 3
You can also use an OpenSSL certificate, see
Using OpenSSL to create certificates for Metro
Optionally: Open Glassfish HTTP administration to internet
For most developer tasks you can use console admin interface like:
su - gf21
asadmin list-domains -s
domain1 running
asadmin help
But if you prefer the HTTP based admin console, follow this procedure
1. Change address back to 0.0.0.0 in domain.xml
su - gf21
asadmin get -s server.http-service.http-listener.admin-listener.address
server.http-service.http-listener.admin-listener.address = 127.0.0.1
asadmin set -s server.http-service.http-listener.admin-listener.address=0.0.0.0
2. Restart Glassfish SMF service
User gf21 does not have authorization to restart the service
/usr/sbin/svcadm disable -t svc:/application/glassfish/domain1:default
/usr/sbin/svcadm enable svc:/application/glassfish/domain1:default
svcs /application/glassfish/domain1
STATE STIME FMRI
online* 12:50:01 svc:/application/glassfish/domain1:default
svcs /application/glassfish/domain1
online 12:05:29 svc:/application/glassfish/domain1:default
netstat -an | egrep "4848"
*.4848 *.* 0 0 49152 0 LISTEN
3. Open port 4848 on the Amazon EC2 firewall and access this port over HTTPS from the Amazon public internet address like:
and log in as user 'admin' with your 'new admin password'
You are done with Glassfish 2.1 post customizations
Where to look for Glassfish 2.1 help
- General Glassfish 2.1 help
- Deploying JAVA applications in Glassfish 2.1 non-root install
