Making Appserver Admin CLI More Secure

Status                         Author           Version
Asarch Reviewed and Approved   Kedar Mhaswade   0.95
Document Created               Kedar Mhaswade   0.5

Introduction and Scope

This document describes the changes required in and around the Appserver software to implement Sun's security policy on reusable passwords in command lines. The Appserver versions affected by this proposed change are GlassFish and Sun's Appserver PE/EE 9.0. Basic familiarity with Sun's Appserver is assumed. The policy mandates that all programs distributed by Sun strictly follow the following:

The following terminology applies.

Terms, Synonyms: Meaning, Details

Reusable Password
    A password string that can be used successfully more than once. This differs from one-time passwords. The appserver's admin password is an example of a reusable password.

admin, administrative
    The term "admin" is used to mean administrative throughout this document.

Appserver
    A generic term that applies to GlassFish and Sun's Appserver 9.0 PE and EE alike, unless specified otherwise.

asadmin
    The name given to Appserver's Command Line Interface.

Password
    When used this way, it means the admin password for Appserver domains, unless specified otherwise. Note that until Appserver 8.2, every asadmin invocation needs an admin password to perform any remote operation on a given domain. There are other passwords as well, which should not be confused with this password.

Remote command
    Any asadmin command that depends on making a connection to the Domain Admin Server, running locally or elsewhere, to do an admin task. An example is "deploy". Thus "remote" is really a misnomer, because the asadmin command need not be invoked on a remote machine. About 95% of the asadmin commands are Remote Commands.

Local command
    Any asadmin command that does not depend on the Domain Admin Server and performs an admin task locally. An example is "create-domain". About 5% of the asadmin commands are Local Commands.

Requirements

The following requirements drive this proposal:

  1. The Appserver software should support Sun's security policy for asadmin.
  2. No asadmin command may read a plaintext Password string specified on the command line and treat it as a Reusable Password. See 4. below.
  3. No asadmin command may read an environment variable named AS_ADMIN_*PASSWORD (* is a wildcard) and use it as a reusable password. If such a variable is defined in the environment, it must be ignored. Examples of such ignored environment variables are AS_ADMIN_PASSWORD and AS_ADMIN_ADMINPASSWORD.
  4. asadmin may not use the --password option. In other words, Appserver must incorporate the change (incompatible with previous releases) to reject a command line that specifies this option. This is different from 2. above.
  5. Since existing users are well versed with the --password option, it is imperative that a clear message is generated on each asadmin invocation where --password is specified. In other words, an invalid option for a command and --password must be treated differently.
  6. No documentation should mention the --password option. In other words, all existing documentation that refers to --password should be changed in favor of --passwordfile.
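The following is an added illustration of requirements 2 to 5 (it is not GlassFish or asadmin code): a pre-parse of the command line that reports --password with its own message, distinct from the generic invalid-option message, and an environment filter that drops every AS_ADMIN_*PASSWORD variable before anything else can read it. The set of accepted options is a hypothetical placeholder.

```python
import fnmatch
from typing import Dict, List, Tuple

# Added illustration of requirements 2 to 5 above; not GlassFish/asadmin code.
# "--password" and an unknown option are reported differently, so that users
# of earlier releases see a message naming the replacement option.
PASSWORD_OPTION_MSG = ("The --password option is not supported because a password on "
                       "the command line is a reusable password; use --passwordfile.")
# Hypothetical set of accepted options, enough for this illustration.
KNOWN_OPTIONS = {"--user", "--passwordfile", "--host", "--port", "--adminport", "--savelogin"}

def check_command_line(argv: List[str]) -> Tuple[bool, str]:
    """Return (ok, message). Handles '--opt value' and '--opt=value' forms;
    the value following --password is never read, echoed or logged."""
    for arg in argv:
        if not arg.startswith("--"):
            continue
        name = arg.split("=", 1)[0]
        if name == "--password":
            return False, PASSWORD_OPTION_MSG
        if name not in KNOWN_OPTIONS:
            return False, f"Invalid option: {name}"
    return True, ""

def admin_environment(env: Dict[str, str]) -> Dict[str, str]:
    """Copy of the environment without any AS_ADMIN_*PASSWORD variable
    (requirement 3), so nothing downstream can pick a reusable password up."""
    return {k: v for k, v in env.items()
            if not fnmatch.fnmatchcase(k, "AS_ADMIN_*PASSWORD")}

if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    for argv in (["deploy", "--passwordfile", "/tmp/pw", "app.war"],
                 ["deploy", "--password=x", "app.war"],
                 ["deploy", "--pasword", "x", "app.war"]):
        print(argv[1], "->", check_command_line(argv))
    print(admin_environment({"AS_ADMIN_PASSWORD": "x", "AS_ADMIN_USER": "admin"}))
```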


Summary of Changes

Here is a summary of the changes to expect if the proposal is implemented. Go through the details when in doubt.

  1. asadmin will not support the --password option on the command line.
  2. asadmin will not read environment variables of the form "AS_ADMIN_*PASSWORD".
  3. The asadmin option "--user", which denotes the admin user name, is optional on all commands.
  4. The asadmin user's preferences (admin user name and admin password) will now be formally stored in a defined preferences file. The format of the preferences file is discussed below. Note that this file contains the credentials in cleartext.
  5. To enhance the user experience of asadmin, a new asadmin command called "login" will be introduced.
  6. Creation of a domain will provide an option that can automatically "login" to that domain.
  7. All asadmin commands that accept a host name and port number will use the preferences file to read the user name and password.


Details

Provision of Saving Admin User Name and Password while Creating Domain

In order to enhance the usability of the create-domain command for the immediate administration of the new domain, create-domain will provide a new option called --savelogin. In addition to creating the domain, this option saves the admin user name and password. This improves the usability of any domain created by the user and is not limited to the default domain created during installation. The default value of this option is false. This is how the create-domain command changes when this (Boolean) option is used. (When the option is not used, the behavior of create-domain is unchanged.)

$>asadmin create-domain --adminport 8888 --savelogin mydomain

The admin user name and password will be saved in [/home/joe/.asadminpass] for this domain, mydomain. Do you want to continue (y/n)? y

Please enter the admin user name for this domain: administrator
Please enter the admin password for this domain: (no echo)
Please enter the admin password for this domain again: (no echo)

Domain [mydomain] was created successfully.
The admin user name and encoded password is saved in [/home/Joe/.asadminpass]. Make sure that this file remains protected. If admin user name and password is not specified otherwise, asadmin will use the information stored in this file to administer this domain [mydomain].

It is important to note the following:

This provision improves the user experience of a domain that is created and administered locally: if the user specified the default admin port while creating the domain, there is no need to specify --user, --passwordfile, --host or --port on any subsequent asadmin Remote Command. These values will be obtained automatically.

When the same user creates multiple domains with the same admin port number using this option, on the same machine or on different machines (where the home directory is NFS mounted), the command is NOT going to prompt whether the saved admin password should be overwritten. It will always be overwritten, because this command may be run in batch mode.

Note that the "asadmin delete-domain" command will remove the entry corresponding to "localhost" and the domain's "admin-port", as obtained from its domain.xml.

Provision of asadmin login Command for Remote Administration

One of the strengths of the asadmin interface is that it simulates an administration console. Thus, if various Appserver domains are created on various machines (locally), an asadmin invocation from any of these machines can manage the domains located elsewhere (remotely). This comes in handy especially when a particular machine is chosen as an administration client that manages multiple domains and the servers therein. To ease the administration of such remote domains (just as the provision above does for local domains), a new command is proposed here: "asadmin login". This is an interactive command only; it cannot (easily) be run from a script. The following is the behavior of this command:

$>asadmin login --host admin-host --port admin-port

The admin user name and password will be saved in [/home/Joe/.asadminpass] for this domain, with host [admin-host] and admin-port [admin-port]. Do you want to continue (y/n)? y

Please enter the admin user name for this domain: administrator
Please enter the admin password for this domain: (no echo)

(Assuming the login to the remote server succeeded)

The admin user name and encoded password is saved in [/home/Joe/.asadminpass]. Make sure that this file remains protected. If admin user name and password is not specified otherwise, asadmin will use the information stored in this file to administer this domain [host: admin-host, port: admin-port].

The following should be noted in relation to asadmin login:

Note that when "asadmin login" is used with the host specified as "localhost" for multiple domains with the same port number, the command will prompt whether the user wants to overwrite the previous entry (unlike create-domain --savelogin, which overwrites without prompting).

Format of ".asadminpass" File

The following is the format of the ".asadminpass" file:

#Please don't modify this file by hand. Use "asadmin login" command instead.
#
asadmin://admin%20user@host:port-uri-encoded encoded-admin-password
...

Note that a space (' ') is used as a field delimiter.
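An added illustration of this file format, covering the parsing and rendering of entries, the lookup a Remote Command would perform for a given host and port, the overwrite behavior of create-domain --savelogin and "asadmin login" described above, and the entry removal done by delete-domain. This is not GlassFish's own code; the page does not say how the password is "encoded", so base64 is assumed here, and entries are assumed to be keyed by (host, port).

```python
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote, urlsplit

# Added illustration of the .asadminpass format; not GlassFish's own code.
# Assumed, because the page does not specify them: the password "encoding" is
# base64 (an encoding, not encryption, hence the file-protection warning), and
# entries are keyed by (host, admin port).
HEADER = "#Please don't modify this file by hand. Use \"asadmin login\" command instead.\n#"
Key = Tuple[str, int]      # (host, admin port)
Entry = Tuple[str, str]    # (admin user name, admin password)

def parse_asadminpass(text: str) -> Dict[Key, Entry]:
    """One entry per line: <asadmin://user@host:port> <space> <encoded password>."""
    entries: Dict[Key, Entry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        uri, encoded = line.split(" ", 1)       # a single space is the delimiter
        parts = urlsplit(uri)
        if parts.scheme != "asadmin" or parts.hostname is None or parts.port is None:
            raise ValueError(f"malformed entry: {uri}")
        user = unquote(parts.username or "")    # "admin%20user" -> "admin user"
        entries[(parts.hostname, parts.port)] = (user, base64.b64decode(encoded).decode())
    return entries

def render_asadminpass(entries: Dict[Key, Entry]) -> str:
    lines = [HEADER]
    for (host, port), (user, password) in sorted(entries.items()):
        encoded = base64.b64encode(password.encode()).decode("ascii")
        lines.append(f"asadmin://{quote(user, safe='')}@{host}:{port} {encoded}")
    return "\n".join(lines) + "\n"

def lookup(entries: Dict[Key, Entry], host: str, port: int) -> Optional[Entry]:
    """What a Remote Command reads when --user/--passwordfile are not given."""
    return entries.get((host.lower(), port))

def save_login(entries: Dict[Key, Entry], host: str, port: int,
               user: str, password: str, overwrite: bool) -> bool:
    """create-domain --savelogin always passes overwrite=True (it never prompts);
    'asadmin login' passes the answer to its overwrite prompt. False = refused."""
    key = (host.lower(), port)
    if key in entries and not overwrite:
        return False
    entries[key] = (user, password)
    return True

def delete_domain(entries: Dict[Key, Entry], admin_port: int) -> None:
    """delete-domain drops the localhost entry for the domain's admin-port."""
    entries.pop(("localhost", admin_port), None)
```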

Algorithm to Get User Name and Password

Here is how the admin user and admin password are determined (obtained) by asadmin.

Admin User

Admin Password

Other Changes to asadmin

The following are the additional changes to asadmin:

Changes to Other Parts of Appserver/GlassFish

Admin GUI

According to the Admin GUI team, the password-manager-like facility provided by browsers is sufficient. They make no changes and rely on the browser behavior.

AMX

There will be no changes made.


$Id: proposal.html,v 1.1 2006-01-31 22:53:32 km105526 Exp $
$Author: km105526 $