Command enable-secure-admin not found

theirman

Jun 3, 2019, 5:48:31 AM
to Payara Forum
Hello

Because of the error I can't fix here (https://groups.google.com/forum/#!topic/payara-forum/lhKejHCzMHg), I started installing my payara-server-full machine again from scratch. 

But, after importing my SSL certificates into the keystores, after starting my machine, when I run the enable-secure-admin command, I get the error: Command enable-secure-admin not found.

bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} start-domain ${DOMAIN_NAME}
Waiting for production to start .......
Successfully started the domain : production
domain  Location: /data/apps/payara/appserver/glassfish/domains/production
Log File: /data/apps/payara/appserver/glassfish/domains/production/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.

bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} list-domains
production running
Command list-domains executed successfully.

bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} enable-secure-admin --adminalias=production_certificate
Command enable-secure-admin not found.
Check the entry of command name. This command may be provided by a package that is not installed.
Closest matching local and remote command(s):
    enable-secure-admin
    enable-secure-admin-internal-user
    enable-secure-admin-principal

Command enable-secure-admin failed.

What did I do wrong this time?

HASUNUMA Kenji

Jun 3, 2019, 9:51:32 AM
to Payara Forum
Hi, 

Before you run the enable-secure-admin command, you should set the admin password using the change-admin-password command. By default, the admin password is not set, so you would fail to run the enable-secure-admin command.

Thanks.

theirman

Jun 4, 2019, 3:25:09 AM
to Payara Forum
Hello,

Thank you Kenji :) Following your message, I changed my admin password again (maybe the old one was too simple admin/admin)

bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} stop-domain ${DOMAIN_NAME}
Waiting for the domain to stop .
Command stop-domain executed successfully.

bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user ${ADMIN_USER} change-admin-password --domain_name=${DOMAIN_NAME}
Enter the admin password>
Enter the new admin password>
Enter the new admin password again>
Command change-admin-password executed successfully.


After changing my password, I started my domain and tried to secure it again

bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} start-domain ${DOMAIN_NAME}
Waiting for production to start .......
Successfully started the domain : production
domain  Location: /data/apps/payara/appserver/glassfish/domains/production
Log File: /data/apps/payara/appserver/glassfish/domains/production/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.

bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} enable-secure-admin --adminalias=production_certificate
Command enable-secure-admin not found.
Check the entry of command name. This command may be provided by a package that is not installed.
Closest matching local and remote command(s):
    enable-secure-admin
    enable-secure-admin-internal-user
    enable-secure-admin-principal

Command enable-secure-admin failed.

And I only have one user for the moment in this domain :

bash-4.2$ ${PAYARA_DIR}/bin/asadmin list-file-users --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} --authrealmname=admin-realm server-config
Deprecated syntax, instead use:
asadmin --user admin --passwordfile /data/apps/payara/passwordFile list-file-users [options] ...
admin
Command list-file-users executed successfully.

Any other idea ?

Ondro Mihályi

Jun 4, 2019, 5:03:51 AM
to theirman, Payara Forum
Hi,

The commands you execute look OK to me. I assume that you run Payara Server in Docker. I tried to execute the exact commands (I just used an existing s1as alias) and all works for me without issues, with the official Payara Docker image for version 5.192.

Do you see any error message in the logs? Did you run anything else than those commands? Do you have any other custom configuration?


theirman

Jun 4, 2019, 5:47:29 AM
to Payara Forum
Apparently something doesn't work with payara version 5.192:
I renamed my payara/appserver/glassfish/glassfish/domains/production/config folder to payara/appserver/glassfish/domains/production/___config
bash-4.2$ mv /data/apps/payara/appserver/glassfish/glassfish/domains/production/config /data/apps/payara/appserver/glassfish/glassfish/domains/production/___config

I copied my old_payara-5.191/appserver/glassfish/domains/production/config folder to payara/appserver/glassfish/domains/production/config
bash-4.2$ mv /data/apps/old_payara-5.191/appserver/glassfish/glassfish/domains/production/config /data/apps/payara/appserver/glassfish/glassfish/domains/production/config

I started my production domain
bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} start-domain ${DOMAIN_NAME}
Waiting for production to start .........
Successfully started the domain : production
domain  Location: /data/apps/payara/appserver/glassfish/domains/production
Log File: /data/apps/payara/appserver/glassfish/domains/production/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.

I tried to secure my domain... successfully
bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} enable-secure-admin --adminalias=production_certificate
You must restart all running servers for the change in secure admin to take effect.
Command enable-secure-admin executed successfully.

bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} stop-domain ${DOMAIN_NAME}
Waiting for the domain to stop .
Command stop-domain executed successfully.

bash-4.2$ ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} start-domain ${DOMAIN_NAME}
Waiting for production to start .......
Successfully started the domain : production
domain  Location: /data/apps/payara/appserver/glassfish/domains/production
Log File: /data/apps/payara/appserver/glassfish/domains/production/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.

I would like to point out that I have reproduced each step in the same way because I use an identical roadbook for these two versions

theirman

Jun 4, 2019, 5:51:33 AM
to Payara Forum
Hello Ondro,

I don't use payara. I work in a VM with centos 7 and zulu-jdk 11.0.3
the file server.log does not display anything particular

Here are the commands I used, according to this tutorial: https://blog.payara.fish/securing-payara-server-with-custom-ssl-certificate

# Copy certificate files

cd ${HOME_DIR}/appserver/glassfish/domains/production/config/
sudo cp /chemin/vers/mon/certificat.crt .
sudo cp /chemin/vers/mon/certificat.key .
sudo cp /chemin/vers/mon/DigiCertCA.crt .
sudo cp /chemin/vers/mon/TrustedRoot.crt .

sudo chmod 400 certificat.crt
sudo chmod 400 DigiCertCA.crt
sudo chmod 400 TrustedRoot.crt
sudo chmod 400 certificat.key

sudo chown payara:payara certificat.crt
sudo chown payara:payara DigiCertCA.crt
sudo chown payara:payara TrustedRoot.crt
sudo chown payara:payara certificat.key

# Configure the payara domain
${PAYARA_DIR}/bin/asadmin change-master-password --savemasterpassword=true ${DOMAIN_NAME}

cd ${HOME_DIR}/appserver/glassfish/domains/production/config/

openssl pkcs12 -export -in certificat.crt -inkey certificat.key -out certificat.p12 -name production_certificate

keytool -list -keystore certificat.p12

keytool -importkeystore -destkeystore keystore.jks -srckeystore certificat.p12 -srcstoretype PKCS12 -alias production_certificate

keytool -importcert -trustcacerts -destkeystore cacerts.jks -file certificat.crt -alias production_certificate

keytool -importcert -trustcacerts -destkeystore cacerts.jks -file DigiCertCA.crt -alias digicertca_certificate

keytool -importcert -trustcacerts -destkeystore cacerts.jks -file TrustedRoot.crt -alias trustedroot_certificate

${PAYARA_DIR}/bin/asadmin --user ${ADMIN_USER} --passwordfile=/tmp/tmpfile change-admin-password --domain_name=${DOMAIN_NAME}

${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} start-domain ${DOMAIN_NAME}

${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} set configs.config.server-config.network-config.protocols.protocol.http-listener-2.security-enabled=true

${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls-enabled=true

${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls11-enabled=true

${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls12-enabled=true

${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=production_certificate

${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} enable-secure-admin --adminalias=production_certificate

(failed here)

for MEMORY_JVM_OPTION in $(${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} list-jvm-options | grep "Xm[sx]"); do\
        ${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} delete-jvm-options $MEMORY_JVM_OPTION;\
done

${PAYARA_DIR}/bin/asadmin --user=${ADMIN_USER} --passwordfile=${PASSWORD_FILE} set-log-attributes com.sun.enterprise.server.logging.GFFileHandler.logtoFile=false
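Added example, not part of the original thread and not Payara's own tooling: a pre-flight check that can be run between the keytool imports and enable-secure-admin in the procedure above, confirming that the alias passed to --adminalias is stored in keystore.jks with its private key. It assumes the alias must be a PrivateKeyEntry and that keytool prints its usual one-line-per-entry listing; the function names and the sample listing are constructed, and the check does not address the "not found" error itself.

```shell
#!/bin/sh
# Reads `keytool -list -keystore keystore.jks` output on stdin and reports
# how the alias intended for --adminalias is stored (assumed listing format).

# Prints the entry type for the alias, or "missing" if it is not listed.
alias_entry_type() {
    awk -v want="$1" '
        {
            # Entry lines look like "<alias>, <date>, <EntryType>,". The date
            # format is locale dependent, so only the first comma-separated
            # field and the entry type keyword are used.
            split($0, f, ",")
            if (tolower(f[1]) != tolower(want)) next  # JKS aliases ignore case
            if (match($0, /PrivateKeyEntry|trustedCertEntry|SecretKeyEntry/)) {
                print substr($0, RSTART, RLENGTH)
                found = 1
                exit
            }
        }
        END { if (!found) print "missing" }
    '
}

# Returns 0 only when the alias holds a private key plus certificate.
check_admin_alias() {
    entry_type=$(alias_entry_type "$1")
    case "$entry_type" in
        PrivateKeyEntry) echo "ok: $1 is a PrivateKeyEntry"; return 0 ;;
        missing)         echo "fail: alias $1 is not in the keystore"; return 1 ;;
        *)               echo "fail: $1 is a $entry_type (no private key)"; return 1 ;;
    esac
}

# Constructed sample of keytool -list output (fingerprints elided).
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

production_certificate, Jun 3, 2019, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): (elided)
digicertca_certificate, Jun 3, 2019, trustedCertEntry, 
Certificate fingerprint (SHA-256): (elided)
EOF
}

sample_listing | check_admin_alias production_certificate
```

Against a real domain, pipe the output of keytool -list -keystore keystore.jks into check_admin_alias instead of the sample listing.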

Steve Millidge

Jun 7, 2019, 6:12:14 PM
to Payara Forum
I've just unzipped a fresh Payara install and ran the commands below and didn't have a problem.

asadmin> change-admin-password

Enter the admin password>
Enter the new admin password>
Enter the new admin password again>
Command change-admin-password executed successfully.
asadmin> enable-secure-admin
Authentication failed with password from login store: /home/steve/.gfclient/pass
Enter admin password for user "admin">