How to disable and enable admin console (admin-listener, port 4848) from the command line

Question

I would like to control when and where the admin service is accessible

How do I do one of the following (if possible)

1. Enable the admin console only from localhost (I know about disable-secure-admin, but still I don't want anyone to see the console login page when they add 4848 in the end) I will use SSH tunnle to connect

2. Or, be able to use a certificate, so only certified clients will be able to even see the console

3. Or, be able on demand to start / stop the admin service when needed, not opening it to the outside world (e.g. start stop __asadmin virtual server)

Is any of the above possible?

Answer 1

Ok, I found it by guess-work

Solution to scenario #1

• Make sure you have SSH tunnel on port 4848 first
• Go to Configuration -> server-config -> Network Config -> Network Listeners -> admin-listener
• Under the General tab, in the Address: field replace 0.0.0.0 to 127.0.0.1
• Restart the server

Solution to scenario #3

I didn't find any command line way to enable / disable virtual servers, network listeners or protocols, but editing domain.xml shows that it's all there, just comment out and restart.

Answer 2

1. Use asadmin to update the The HTTP Network Listener named admin-listener.

2. asadmin enable-secure-admin-principal "Instructs GlassFish Server, when secure admin is enabled, to accept admin requests from clients identified by the specified SSL certificate".

3. asadmin enable-secure-admin "enables secure admin (if it is not already enabled), optionally changing the alias used for DAS-to-instance admin messages or the alias used for instance-to-DAS admin messages". Also a good blog on the subject. This doesn't turn admin on/off, but enables/disables for remote access to the admin console without the complications of (1).