Configure Payara Server passwords in Docker

Answering Stackoverflow questions provides a great feedback for finding out gaps in the official documentation of my favourite opensource tools. One of the questions which I answered here was how to change Payara Server master password in docker container. Obviously, in a standard server installation, this is simple – just use the  asadmin change-master-password  command, then type the old and new password in to the console and it’s done. Not in docker though, where the configuration has to be automated by a script. The same applies to all infrastructure-as-a-code solutions like Chef or Puppet. So I had to dig deeper into the documentation and experiment a bit.

Specifying passwords from file

The key thing in working with passwords in scripts is to provide them in a file. Each asadmin command accepts argument --passwordfile  to instruct it to read all the necessary passwords from it to avoid asking for passwords interactively. But it’s a bit tricky to find out how to define passwords in this password file, because it’s used for multiple types of passwords. Oracle documentation for GlassFish v3 which also applies to GlassFish v4 and v5 and Payara v4 and v5 documents 4 types of passwords. Each type of password can be specified in the password file with a variable that starts with the AS_ADMIN_  prefix.

  • admin password with prefix AS_ADMIN_PASSWORD, default is empty password
  • master password with prefix AS_ADMIN_MASTERPASSWORD , default is “changeit”
  • user password with prefix AS_ADMIN_USERPASSWORD
  • alias password with prefix AS_ADMIN_ALIASPASSWORD

So for example, if we need to run a command with admin password “mypassword”, the following line has to be in the password file:

And then we can use the password with the  --passwordfile argument, like this:

The above command won’t wait for typing the password but will immediately list all applications on the server. If the password is incorrect, the command would fail.

Changing passwords non-interactively from script

So far, all was documented at least in the old GlassFish v3 documentation. What’s missing in the documentation though is how to specify a new password from file if we want to change it from a script. When we execute a command to change any password (e.g. admin password or master password) without a password file, the command would ask for 2 passwords – the old one and the new one. Therefore we need to specify 2 passwords in a file.

The solution is to add another variable for a new password into the same password file. Variables for new passwords are prefixed with AS_ADMIN_NEW  prefix. Therefore to change the master password, we need the following 2 lines in our password file:

And then we can use the 2 passwords with the  --passwordfile argument, like this:

The above command won’t wait for typing or retyping any password but will immediately change the master password on the server to newmasterpassword . If the old password is incorrect, the command would fail.

Changing passwords in docker image

In Docker, the preferred way is to configure the server in the image so that when a container is executed, the configuration is applied automatically. Avoid configuring containers because it’s not easy to run asadmin commands in a container and changing some passwords, such as master password, requires server restart.

The default Payara Server Docker image already contains asadmin commands which change the admin password. You can copy the lines that create  /opt/tmpfile  and use it with the  change-admin-password  command to change the admin password.

The same can be done to change the master password. Below is an example custom Dockerfile to change the master password to newpassword :

With the above Dockerfile in your current directory, you can build your custom docker image with:

And then run my-payara/server-full  instead of payara/server-full.

You can verify that the master password is change in the docker container when you run it with:

If you type the new master password, you should see the contents of the key store with the list of certifictes.

Republished at:

2 thoughts on “Configure Payara Server passwords in Docker

  1. Hello,
    I’ve just try this :
    FROM payara/server-full
    # specify a new master password “newpassword” instead of the default password “changeit”
    RUN echo ‘AS_ADMIN_MASTERPASSWORD=changeit\nAS_ADMIN_NEWMASTERPASSWORD=newpassword’ >> /opt/masterpwdfile

    # execute asadmin command to apply the new master password
    RUN ${PAYARA_PATH}/bin/asadmin change-master-password –passwordfile=/opt/masterpwdfile

    And this don’t work for me
    Reason :
    Invalid option: –passwordfile=/tmp/gfpass-changemasterpassword
    Usage: asadmin [asadmin-utility-options] change-master-password
    [–savemasterpassword[=]]
    [–nodedir ] [–domaindir ]
    [-?|–help[=]] [domain_name_or_node_name]
    Command change-master-password failed.

    What happened ?

    1. Hi Thierry,

      The problem is that your command is missing one dash in the “passwordfile” option. It should be prefixed with double dash as you can see in examples in my article. You should add one more dash before the “passwordfile” option, like this “change-master-password –passwordfile=/opt/masterpwdfile” and not “change-master-password –passwordfile=/opt/masterpwdfile.

      It’s possible that your editor interpreted 2 dashes as a single long dash. I’ve seen this in Microsoft Office but some other editors also may be trying to be too clever.

Leave a Reply

Your email address will not be published. Required fields are marked *