GlassFish installation

2014-05-27T07:11:00Z.

GlassFish is a Java EE application server. GlassFish has built-in support for various Java EE standards, such as servlet, JSP, EL, JSF, JAX-RS, JavaMail and many more. A Java SDK is required to run GlassFish.

You can manage GlassFish by using the web-based administration console, or the command-line tool asadmin, which can be found under the bin directory of the GlassFish installation directory. This article covers basic usage of asadmin only.

This article assumes you are going to install GlassFish 3.1.2.2, but most of the commands are still applicable to GlassFish 4.0 at the time of writing. In addition, this article assumes you are going to install GlassFish on Debian GNU/Linux, but this article can still be used by replacing *nix commands with Windows equivalent commands (e.g. cp can be replaced with copy or Copy-Item, but command options may differ).

This article suggests some guidelines for installing GlassFish; you should refer to the official documentation for complete details.

Download GlassFish

GlassFish can be downloaded from https://glassfish.java.net/. At the time of writing, GlassFish 3.1.2.2 can be found under the Archived Releases page. Download glassfish-3.1.2.2.zip and extract files from the archive. Open terminal and navigate to the bin directory of the GlassFish installation directory.

Delete default domain

GlassFish comes with a default domain domain1. To list the domains, execute:


./asadmin list-domains

To delete the default domain, execute:


./asadmin delete-domain domain1

Create domain

To create a domain, execute:


./asadmin create-domain DOMAIN_NAME

Replace DOMAIN_NAME with a desired value.

Start domain

To start the created domain, execute:


./asadmin start-domain DOMAIN_NAME

Enable remote access to administrator console over HTTPS

If you are going to access the web-based administrator console from machines other than localhost, you will need to enable remote access and secure the channel with HTTPS. Execute:


./asadmin set server-config.network-config.protocols.protocol.\
admin-listener.security-enabled=true

./asadmin enable-secure-admin

Enable HTTP compression

To enable HTTP compression on the default listeners (1 for HTTP and 1 for HTTPS), execute:


./asadmin set server-config.network-config.protocols.protocol.\
http-listener-1.http.compression=on

./asadmin set server-config.network-config.protocols.protocol.\
http-listener-1.http.compressable-mime-type=text/html,text/css,\
application/javascript,application/json,text/xml,text/plain

./asadmin set server-config.network-config.protocols.protocol.\
http-listener-1.http.compression-min-size-bytes=1024

./asadmin set server-config.network-config.protocols.protocol.\
http-listener-2.http.compression=on

./asadmin set server-config.network-config.protocols.protocol.\
http-listener-2.http.compressable-mime-type=text/html,text/css,\
application/javascript,application/json,text/xml,text/plain

./asadmin set server-config.network-config.protocols.protocol.\
http-listener-2.http.compression-min-size-bytes=1024

Responses whose content length is equal to or greater than 1024 bytes and whose entity is one of the following MIME types will be compressed: text/html, text/css, application/javascript, application/json, text/xml, text/plain.

Adjust the values when necessary.

Adjust maximum HTTP POST request body size

To change the maximum HTTP POST request body size, execute:


./asadmin set server-config.network-config.protocols.protocol.\
http-listener-1.http.max-post-size-bytes=4194304

./asadmin set server-config.network-config.protocols.protocol.\
http-listener-2.http.max-post-size-bytes=4194304

The maximum size is now set to 4194304 bytes (4 megabytes). Adjust the values when necessary.

Disable X-Powered-By HTTP header

To hide the response header X-Powered-By on the 2 default listeners, execute:


./asadmin set server-config.network-config.protocols.protocol.\
http-listener-1.http.xpowered-by=false

./asadmin set server-config.network-config.protocols.protocol.\
http-listener-2.http.xpowered-by=false

Enable file cache

You can enable file cache to improve file I/O performance. Execute:


./asadmin set server-config.network-config.protocols.protocol.\
http-listener-1.http.file-cache.enabled=true

./asadmin set server-config.network-config.protocols.protocol.\
http-listener-2.http.file-cache.enabled=true

Change acceptor threads value

The acceptor threads value should be less than or equal to the number of CPU cores. Execute:


./asadmin set server-config.network-config.transports.transport.\
tcp.acceptor-threads=2

Adjust the value 2 according to the hardware configuration of your computer.

Define error page

You can define error pages which will be shown for various errors (e.g. 404 (Not Found), 500 (Internal Server Error), etc.). Execute:


./asadmin set server-config.http-service.virtual-server.server.\
property.send-error_404="code=404 \
path=\${com.sun.aas.instanceRoot}/docroot/404.html"

The example above instructs GlassFish to respond to client requests with the content of 404.html when encountering a 404 (Not Found) error. The value ${com.sun.aas.instanceRoot} will be replaced with GLASSFISH_DIRECTORY/glassfish/domains/DOMAIN_NAME.

Delete default connection pools

GlassFish comes with 2 default connection pools. Delete them by executing:


./asadmin delete-jdbc-connection-pool --cascade=true DerbyPool

./asadmin delete-jdbc-connection-pool --cascade=true __TimerPool

Change JVM options

The list of JVM options can be found by executing:


./asadmin list-jvm-options

Change the default JVM options by executing:


./asadmin delete-jvm-options -- -client

./asadmin create-jvm-options -- -server

./asadmin create-jvm-options -Xmx512m

./asadmin create-jvm-options -Xms512m

./asadmin create-jvm-options -Dproduct.name=

The first 2 options instruct GlassFish to make use of the server profile. The third and fourth options set the maximum and minimum heap size respectively; adjust the values when necessary. The last option hides the product name for the purpose of obfuscation.

Change default deployment descriptor

There are a number of options that can be tweaked in the default deployment descriptor to improve performance. The default deployment descriptor is located at glassfish/domains/DOMAIN_NAME/config/default-web.xml. Suggested changes are:

The modified section should read like the following:

      
<init-param>
  <param-name>xpoweredBy</param-name>
  <param-value>false</param-value>
</init-param>
<init-param>
  <param-name>development</param-name>
  <param-value>false</param-value>
</init-param>
<init-param>
  <param-name>genStrAsCharArray</param-name>
  <param-value>true</param-value>
</init-param>
      
    

Restart the domain for the configuration to take effect. Execute:


./asadmin restart-domain DOMAIN_NAME

Install SSL/TLS certificate

You can install a CA-signed certificate into GlassFish for use in HTTPS connections. The following assumes you own the domain example.com. First generate a keypair:


keytool -genkey -keyalg RSA -keysize 2048 -keystore example.keystore \
-alias example.com

For the question "what is your first and last name", you should provide the FQDN; in this example it is example.com. You will need to provide a password for the keystore. Make sure to note it down and keep it in a secure place. The password will be used as the master password of GlassFish so that GlassFish can open the keystore.

Then generate a CSR (Certificate Signing Request):


keytool -certreq -keyalg RSA -file example.com.csr -keystore example.keystore \
-alias example.com

Obtain the content of the CSR:


cat example.com.csr

Submit the CSR to the certificate issuer for signing. Once you have received the signed certificate from the certificate issuer, you need to import the certificate into the keystore. Before importing the signed certificate of your domain, you may need to import the root certificate and intermediate certificate(s) first. The sequence of importing the chain of certificates is important. Taking Positive SSL as an example, you need to import the certificates in the following order:


keytool -import -trustcacerts -alias AddTrustExternalCARoot \
-file AddTrustExternalCARoot.crt -keystore example.keystore

keytool -import -trustcacerts -alias PositiveSSLCA2 \
-file PositiveSSLCA2.crt -keystore example.keystore

keytool -import -trustcacerts -alias example.com \
-file example_com.crt -keystore example.keystore

The first command imports the root certificate, the second command imports the intermediate certificate, and the third one imports the signed certificate of your domain. Always consult the documentation from your CA to check the sequence of importing certificates.

Now enable SSL3 and TLS on the default HTTPS listener:


./asadmin set server-config.network-config.protocols.protocol.\
http-listener-2.ssl.ssl3-enabled=true

./asadmin set server-config.network-config.protocols.protocol.\
http-listener-2.ssl.tls-enabled=true

Set the certificate nickname, which should be the same as the domain name on the signed certificate:


./asadmin set server-config.network-config.protocols.protocol.\
http-listener-2.ssl.cert-nickname=example.com

Stop the domain and change the master password of GlassFish:


./asadmin change-master-password DOMAIN_NAME

Note that the master password must be the same as the password of the keystore. Navigate to the config directory of the domain and back up keystore.jks and cacerts.jks:


cp keystore.jks keystore.old

cp cacerts.jks cacerts.jks.old

Rename the keystore containing signed certificates to keystore.jks:


mv example.keystore keystore.jks

The original keystore contains 2 self-signed certificates which are required by GlassFish for internal operation. After replacing the original keystore, you need to generate new keypairs for them:


keytool -genkeypair -alias s1as -keyalg RSA -keysize 2048 -validity 3650 \
-keystore keystore.jks

keytool -genkeypair -alias glassfish-instance -keyalg RSA -keysize 2048 \
-validity 3650 -keystore keystore.jks

You should not change the aliases of those certificates. Replace the corresponding keypairs in cacerts.jks:


keytool -delete -alias s1as -keystore cacerts.jks

keytool -delete -alias glassfish-instance -keystore cacerts.jks

keytool -export -alias s1as -file s1as.cert -keystore keystore.jks

keytool -export -alias glassfish-instance \
-file glassfish-instance.cert -keystore keystore.jks

keytool -import -alias s1as -file s1as.cert -keystore cacerts.jks

keytool -import -alias glassfish-instance \
-file glassfish-instance.cert -keystore cacerts.jks

Delete the exported certificates:


rm s1as.cert glassfish-instance.cert
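Before restarting, the entry types in the keystores can be checked. The script below is an added example, not part of the original article: it parses keytool -list output and reports aliases that are missing or have the wrong entry type, for instance a signed certificate that was imported under an alias other than the key pair's and was therefore stored as a trustedCertEntry. The function names and the sample listing are constructed for illustration.

```shell
# Added example (not from the article): confirm that a keystore listing holds
# the aliases GlassFish needs, each with the expected entry type.

# entry_type ALIAS: reads `keytool -list` output on stdin and prints the entry
# type stored under ALIAS (prints nothing when the alias is absent).
entry_type() {
    awk -v alias="$1" '{
        line = $0
        sub(/[, ]+$/, "", line)            # drop the trailing ", "
        n = split(line, f, ", ")           # alias, <date parts>, <EntryType>
        if (n >= 3 && f[1] == alias && f[n] ~ /Entry$/) { print f[n]; exit }
    }'
}

# check_store TYPE ALIAS...: reads a listing on stdin, reports every alias that
# is missing or has another entry type, and returns how many it reported.
check_store() {
    wanted=$1; shift
    listing=$(cat)
    bad=0
    for a in "$@"; do
        got=$(printf '%s\n' "$listing" | entry_type "$a")
        if [ "$got" != "$wanted" ]; then
            echo "$a: expected $wanted, found ${got:-no entry}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample of `keytool -list -keystore keystore.jks` output in which
# the signed certificate landed as a trusted certificate, not on the key pair.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

addtrustexternalcaroot, May 27, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): (omitted in this constructed sample)
example.com, May 27, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): (omitted in this constructed sample)
s1as, May 27, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): (omitted in this constructed sample)
EOF
}

sample_listing | check_store PrivateKeyEntry s1as glassfish-instance example.com || echo "problems: $?"
```

For keystore.jks the three aliases should be PrivateKeyEntry; the copies of s1as and glassfish-instance imported into cacerts.jks should be trustedCertEntry.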

Restart GlassFish for the new configuration to take effect.
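The listener attributes set in this article can be read back with asadmin get and compared against the intended values. The script below is an added example, not part of the original article; the policy table, function names and sample lines are constructed for illustration. It expects ssl3-enabled=false, unlike the command above, on the assumption that SSL 3.0 should stay off: RFC 7568 deprecated it after this article was written.

```shell
# Added example (not from the article): audit listener attributes as printed by
# `asadmin get`. Assumption: ssl3-enabled should be false (see the lead-in).
POLICY="admin-listener.security-enabled=true \
http-listener-1.http.xpowered-by=false \
http-listener-2.http.xpowered-by=false \
http-listener-2.http.max-post-size-bytes=4194304 \
http-listener-2.ssl.tls-enabled=true \
http-listener-2.ssl.ssl3-enabled=false"

# Reads "dotted.name=value" lines on stdin, prints one line per finding and
# returns the number of findings (0 means every policy attribute matched).
audit_listeners() {
    awk -v policy="$POLICY" '
        BEGIN {
            n = split(policy, rule, " ")
            for (i = 1; i <= n; i++) {
                eq = index(rule[i], "=")
                key[i] = substr(rule[i], 1, eq - 1)
                want[i] = substr(rule[i], eq + 1)
            }
        }
        (eq = index($0, "=")) > 0 {
            name = substr($0, 1, eq - 1)
            for (i = 1; i <= n; i++)
                # Accept any dotted prefix in front of the policy key.
                if (name == key[i] || substr(name, length(name) - length(key[i])) == "." key[i])
                    got[i] = substr($0, eq + 1)
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!(i in got)) { print "MISSING " key[i] " (want " want[i] ")"; bad++ }
                else if (got[i] != want[i]) { print "FAIL " key[i] "=" got[i] " (want " want[i] ")"; bad++ }
            }
            exit bad + 0
        }'
}

# Constructed sample standing in for real `asadmin get` output.
sample_get_output() {
    cat <<'EOF'
server-config.network-config.protocols.protocol.admin-listener.security-enabled=true
server-config.network-config.protocols.protocol.http-listener-1.http.xpowered-by=false
server-config.network-config.protocols.protocol.http-listener-2.http.xpowered-by=true
server-config.network-config.protocols.protocol.http-listener-2.ssl.tls-enabled=true
server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-enabled=true
EOF
}
sample_get_output | audit_listeners || echo "findings: $?"
```

Against a running domain, pipe the output of ./asadmin get "server-config.network-config.protocols.protocol.*" into audit_listeners instead of the sample.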

Install JDBC driver

To configure JDBC connection pools on GlassFish to connect to a database (e.g. MySQL), the JDBC driver for MySQL must first be installed on GlassFish. Taking MySQL server as an example, download Connector/J from the MySQL website:

http://dev.mysql.com/downloads/connector/j/

Extract the archive and place the Connector/J JAR file (e.g. mysql-connector-java-5.1.29-bin.jar) into the glassfish/lib directory under the GlassFish installation directory. Restart the domain to let GlassFish load the driver.

Add CA certificate to trust store for secured database connection

If the applications hosted on GlassFish will handle sensitive data such as login credentials and monetary transactions, it is recommended to encrypt the traffic between GlassFish and the database (e.g. MySQL Server). Before connecting to the MySQL server, you need to add the CA certificate of the MySQL instance to the trust store of GlassFish.

For example, when using Amazon RDS to host a MySQL server instance, download the CA certificate and import it into the trust store used by GlassFish. Execute:


# Assume current directory is GlassFish installation directory.

cd glassfish/domains/DOMAIN_NAME/config

wget -O rds-mysql-ssl-ca-cert.pem \
https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem

cp cacerts.jks cacerts.jks.old

keytool -importcert -file rds-mysql-ssl-ca-cert.pem -keystore cacerts.jks \
-alias rds.mysql.ssl.ca.cert

You can then create a user in the MySQL server with the REQUIRE SSL option to force the client (i.e. GlassFish) to connect to the database over SSL.

Add JavaMail support

To configure a JavaMail session resource on GlassFish to send e-mails, the JavaMail implementation and protocol providers must first be installed on GlassFish. Download the JavaMail reference implementation and protocol providers from the JavaMail website:

https://java.net/projects/javamail/pages/Home

Download mailapi.jar (JavaMail reference implementation) and smtp.jar (SMTP protocol provider) (also download other protocol providers if needed) and copy those JAR files to the glassfish/lib directory under the GlassFish installation directory.

Restart the domain to let GlassFish load the JAR files.
