Setting up SSH for use with GlassFish 3.1

Before using SSH nodes in GlassFish 3.1 you need to have SSH set up and configured on your hosts. The most reliable way to do this is to use SSH public key authentication and ensure that the following prerequisite is met:
The user that the DAS runs as must be able to SSH from the DAS system to all the other instance systems without ssh prompting for anything.
This document describes how to quickly set up SSH to satisfy this prerequisite.

Unix/Linux

1) Install SSHD and make sure it is running

Pretty much all Unix systems include SSH support, both client (ssh, scp, etc.) and server (sshd). Usually ssh is in /bin or /usr/bin and sshd is in /usr/sbin or /usr/lib/ssh. On Linux you may not have the server (sshd) software installed. In this case you'll have to install the sshd package. It may be called openssh-server or something like that. Once the software is installed you can verify sshd is running by telnetting to port 22. You should see something like this:
$ telnet adc2101159 22
Trying xx.xxx.xxx.xxx...
Connected to adc2101159.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3
If instead you see "connection refused" then SSHD is not running and you'll need to enable it. How to do this varies by OS.
Solaris 10, OpenSolaris | svcadm enable ssh
Macintosh | System Preferences -> Sharing -> check Remote Login
Linux | TBD
2) Configure SSH

Now that all the instance systems are running SSHD you'll need to configure SSH to use key authentication to authenticate to the instance systems. If you think this is already true skip to "Verify SSH". Otherwise here are the steps. On the DAS system do the following:
- Make sure you are logged in as the user that the DAS will be running as
- Run 'ssh <instancehost>' for each instance host. You will need to provide your ssh password. This will ensure that ~/.ssh is created on each instance host. Just log out immediately after logging in.
- Back on the DAS system generate your key pair by running: 'ssh-keygen -t dsa'. When asked for a passphrase just press <return>. GlassFish does not yet support encrypted key files.
- On the DAS system run: 'scp ~/.ssh/id_dsa.pub <instancehost>:.ssh/authorized_keys2' for each instance host.
- Now run 'ssh <instancehost>' for each instance again. Do it using both the unqualified name (instancehost) and the fully qualified name (instance.us.oracle.com). This makes sure both names get saved in your trusted host file and will work with GlassFish.
That's it! The next step is to verify the setup.

3) Verify SSH

We want to make sure you can log into each instance host without ssh prompting for anything, so let's double check that one more time.
- For each instance run 'ssh <instancehost>' using both the unqualified name (instancehost) and the fully qualified name (instance.us.oracle.com). If ssh does not prompt you for anything you are good to go. If you are prompted for a password then there is something amiss in your SSH setup. You may want to verify that your public key file was correctly copied onto the instance host (~/.ssh/id_dsa.pub on the DAS to ~/.ssh/authorized_keys2 on the instance host).
Windows

1) Install Cygwin SSHD and make sure it is running

For a basic setup see: 3.1SSH: Installing Windows Cygwin sshd. Do this on all the instance systems. Also do this on the DAS system, but you don't need to actually run the SSHD service on the DAS (you do need the SSH client for testing and key generation).

2) Configure SSH

On the DAS system do the following:
- Make sure you are logged in as the user that the DAS will be running as
- Run 'ssh <instancehost>' for each instance host. You will need to provide your ssh password. Once logged in run:
  $ mkdir .ssh
- Back on the DAS system generate your key pair by running: 'ssh-keygen -t dsa'. When asked for a passphrase just press <return>. GlassFish does not yet support encrypted key files.
- On the DAS system run: 'scp ~/.ssh/id_dsa.pub <instancehost>:.ssh/authorized_keys2' for each instance host.
- Now run 'ssh <instancehost>' for each instance again. Do it using both the unqualified name (instancehost) and the fully qualified name (instance.us.oracle.com). This makes sure both names get saved in your trusted host file and will work with GlassFish.
3) Verify SSH

We want to make sure you can log into each instance host without ssh prompting for anything, so let's double check that one more time.
- For each instance run 'ssh <instancehost>' using both the unqualified name (instancehost) and the fully qualified name (instance.us.oracle.com). If ssh does not prompt you for anything you are good to go. If you are prompted for a password then there is something amiss in your SSH setup. You may want to verify that your public key file was correctly copied onto the instance host (~/.ssh/id_dsa.pub on the DAS to ~/.ssh/authorized_keys2 on the instance host).
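The checks below are an added example and not code from this page or from the GlassFish project. They script the "Verify SSH" step for both the Unix/Linux and the Windows (Cygwin sh) procedures above: a known_hosts check that both the short and the fully qualified name of every instance host were saved, a permissions check on the ~/.ssh directory (sshd's default StrictModes setting silently ignores keys in a group- or world-writable directory, which shows up as an unexpected password prompt), and a BatchMode ssh call that fails instead of prompting. The host names instance1, instance2, the domain example.com and the key material in the sample known_hosts are constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example (not from the GlassFish wiki): pre-flight checks for the
# "ssh from the DAS must never prompt" requirement. Run on the DAS host as
# the user the DAS runs as (Cygwin sh on Windows).

# known_hosts_has NAME FILE
#   Succeeds if FILE has a plain (unhashed) entry listing NAME in its first,
#   comma-separated field. Hashed "|1|..." entries cannot be matched by name
#   and are skipped, as are "@cert-authority"/"@revoked" marker lines.
known_hosts_has() {
  awk -v h="$1" '
    $1 ~ /^[|@#]/ { next }
    { n = split($1, names, ",")
      for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
    END { if (found) exit 0; exit 1 }' "$2"
}

# check_instance_hosts FILE DOMAIN HOST...
#   For each HOST, requires both HOST and HOST.DOMAIN to be present in FILE,
#   mirroring the "ssh to both names" step above. Prints whatever is missing.
check_instance_hosts() {
  file=$1; domain=$2; shift 2
  rc=0
  for h in "$@"; do
    for name in "$h" "$h.$domain"; do
      known_hosts_has "$name" "$file" || { echo "known_hosts lacks: $name"; rc=1; }
    done
  done
  return $rc
}

# ssh_dir_ok DIR
#   Fails if DIR or anything inside it is group- or world-writable (mode bits
#   020 or 002), which sshd with StrictModes yes treats as a reason to ignore
#   authorized_keys and fall back to password authentication.
ssh_dir_ok() {
  [ -z "$(find "$1" -perm -020 -o -perm -002 2>/dev/null)" ]
}

# ssh_noninteractive HOST
#   The real test: BatchMode turns any password, passphrase or unknown-host
#   prompt into an immediate failure instead of a hang. Needs the instance
#   host to be reachable, so the offline sample below does not call it.
ssh_noninteractive() {
  ssh -o BatchMode=yes -o ConnectTimeout=10 "$1" true
}

# Constructed sample known_hosts (fake keys): instance1 was reached by both
# names, instance2 only by its short name, plus one hashed entry.
SAMPLE_KNOWN_HOSTS='instance1,10.0.0.11 ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE1
instance1.example.com ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE1
instance2 ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE2
|1|hashedsalt=|hashedhost= ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLE3'

# write_sample FILE: writes the constructed sample for an offline trial.
write_sample() {
  printf '%s\n' "$SAMPLE_KNOWN_HOSTS" > "$1"
}

# demo: offline run against the sample; reports "known_hosts lacks:
# instance2.example.com". Replace the file, domain and hosts with your own,
# e.g. check_instance_hosts "$HOME/.ssh/known_hosts" us.oracle.com host1 host2
demo() {
  f=$(mktemp)
  write_sample "$f"
  check_instance_hosts "$f" example.com instance1 instance2
  rm -f "$f"
}
```

For a live check, run ssh_dir_ok "$HOME/.ssh" on the DAS and on each instance host, then ssh_noninteractive for each instance host by both of its names; any non-zero exit means GlassFish would have been prompted too.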
Using GlassFish with your SSH setup

Now that you have SSH set up you can use GlassFish 3.1 with it. GlassFish supports basic unencrypted key file authentication (as described in this document), encrypted key file authentication, and username/password authentication. For information on how to configure GlassFish to use these various forms of authentication when accessing an SSH node please see: 3.1 SSH Authentication
I followed the instructions in part 2 Configure SSH, step 4 and it did not work on CentOS 5.5. I then found out that the use of authorized_keys2 for protocol 2 has been deprecated since 2001. Changing it to use authorized_keys instead worked.
 Posted by hiro2k at Jul 07, 2011 09:27