Configure Payara Server passwords in Docker

Answering Stackoverflow questions provides a great feedback for finding out gaps in the official documentation of my favourite opensource tools. One of the questions which I answered here was how to change Payara Server master password in docker container. Obviously, in a standard server installation, this is simple – just use the asadmin change-master-password  command, then type the old and new password in to the console and it’s done. Not in docker though, where the configuration has to be automated by a script. The same applies to all infrastructure-as-a-code solutions like Chef or Puppet. So I had to dig deeper into the documentation and experiment a bit.

Specifying passwords from file

The key thing in working with passwords in scripts is to provide them in a file. Each asadmin command accepts argument --passwordfile  to instruct it to read all the necessary passwords from it to avoid asking for passwords interactively. But it’s a bit tricky to find out how to define passwords in this password file, because it’s used for multiple types of passwords. Oracle documentation for GlassFish v3 which also applies to GlassFish v4 and v5 and Payara v4 and v5 documents 4 types of passwords. Each type of password can be specified in the password file with a variable that starts with the AS_ADMIN_  prefix.

  • admin password with prefix AS_ADMIN_PASSWORD, default is empty password
  • master password with prefix AS_ADMIN_MASTERPASSWORD , default is “changeit”
  • user password with prefix AS_ADMIN_USERPASSWORD
  • alias password with prefix AS_ADMIN_ALIASPASSWORD

So for example, if we need to run a command with admin password “mypassword”, the following line has to be in the password file:


And then we can use the password with the --passwordfile argument, like this:

asadmin list-applications --passwordfile=mypasswordfileCode language: PHP (php)

The above command won’t wait for typing the password but will immediately list all applications on the server. If the password is incorrect, the command would fail.

Changing passwords non-interactively from script

So far, all was documented at least in the old GlassFish v3 documentation. What’s missing in the documentation though is how to specify a new password from file if we want to change it from a script. When we execute a command to change any password (e.g. admin password or master password) without a password file, the command would ask for 2 passwords – the old one and the new one. Therefore we need to specify 2 passwords in a file.

The solution is to add another variable for a new password into the same password file. Variables for new passwords are prefixed with AS_ADMIN_NEW  prefix. Therefore to change the master password, we need the following 2 lines in our password file:


And then we can use the 2 passwords with the –passwordfile argument, like this:

asadmin change-master-password --passwordfile=mypasswordfile

The above command won’t wait for typing or retyping any password but will immediately change the master password on the server to newmasterpassword . If the old password is incorrect, the command would fail.

Changing passwords in docker image

In Docker, the preferred way is to configure the server in the image so that when a container is executed, the configuration is applied automatically. Avoid configuring containers because it’s not easy to run asadmin commands in a container and changing some passwords, such as master password, requires server restart.

The default Payara Server Docker image already contains asadmin commands which change the admin password. You can copy the lines that create /opt/tmpfile  and use it with the change-admin-password  command to change the admin password.

The same can be done to change the master password. Below is an example custom Dockerfile to change the master password to newpassword :

FROM payara/server-full
# specify a new master password "newpassword" instead of the default password "changeit"
RUN echo 'AS_ADMIN_MASTERPASSWORD=changeit\nAS_ADMIN_NEWMASTERPASSWORD=newpassword' >> /opt/masterpwdfile

# execute asadmin command to apply the new master password
RUN ${PAYARA_PATH}/bin/asadmin change-master-password --passwordfile=/opt/masterpwdfileCode language: Dockerfile (dockerfile)

With the above Dockerfile in your current directory, you can build your custom docker image with:

docker build -t my-payara/server-full .

And then run my-payara/server-full  instead of payara/server-full.

You can verify that the master password is changed in the docker container when you run it with:

docker run -t -i --entrypoint keytool payara/server-full:masterpwd -list -keystore /opt/payara41/glassfish/domains/domain1/config/keystore.jksCode language: PHP (php)

If you type the new master password, you should see the contents of the key store with the list of certifictes.

NOTE: After you change the master password, the Docker image will still run Payara with the old master password, which is not the correct password and Payara will not start. After you change the master password, you also need to update the value of AS_ADMIN_MASTERPASSWORD in the file ${PASSWORD_FILE} (/opt/payara/passwordFile) to the value of the new master password, so that Payara is started with the new password.

Republished at:

5 thoughts on “Configure Payara Server passwords in Docker

  1. Hello,
    I’ve just try this :
    FROM payara/server-full
    # specify a new master password “newpassword” instead of the default password “changeit”
    RUN echo ‘AS_ADMIN_MASTERPASSWORD=changeit\nAS_ADMIN_NEWMASTERPASSWORD=newpassword’ >> /opt/masterpwdfile

    # execute asadmin command to apply the new master password
    RUN ${PAYARA_PATH}/bin/asadmin change-master-password –passwordfile=/opt/masterpwdfile

    And this don’t work for me
    Reason :
    Invalid option: –passwordfile=/tmp/gfpass-changemasterpassword
    Usage: asadmin [asadmin-utility-options] change-master-password
    [–nodedir ] [–domaindir ]
    [-?|–help[=]] [domain_name_or_node_name]
    Command change-master-password failed.

    What happened ?

    1. Hi Thierry,

      The problem is that your command is missing one dash in the “passwordfile” option. It should be prefixed with double dash as you can see in examples in my article. You should add one more dash before the “passwordfile” option, like this “change-master-password --passwordfile=/opt/masterpwdfile” and not “change-master-password –passwordfile=/opt/masterpwdfile.

      It’s possible that your editor interpreted 2 dashes as a single long dash. I’ve seen this in Microsoft Office but some other editors also may be trying to be too clever.

  2. Hi Ondro,
    I’ve tried your solution to change the master password,
    but when I built my own image using the dockerfile,
    the payara logs shows: Keystore was tampered with, or password was incorrect
    but I can verify the content of the keystore using the new password, this caused the Admin Console is not working
    tried also to enable-secure-admin, but get
    NCLS-ADMIN-00010 Remote host closed connection during handshake

    thank you again,

  3. Hi
    same issue for me as “Osama Hamed”
    the admin login is no more working : Remote host closed connection during handshake
    any solution
    thank you in advance

    1. Hi,

      Now I realized that after the master password is changed, the startup script in the Docker container will keep using the old password, which is wrong. After you change the master password, you also need to change the value for the AS_ADMIN_MASTERPASSWORD variable in the file ${PASSWORD_FILE} (/opt/payara/passwordFile).

      You can either copy the file to your project, modify the value to the new password, and then overwrite it in your image with the COPY command, or you can modify the file during docker image build with RUN command, running some grep or sed command that would replace the value with the new password.

      The file needs to contain the new master password when the container starts, because Payara will be launched with this password file.

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha loading...