Payara Server Secure Configuration & Hardening Guide

1. Administrative Security

Separate the management plane from runtime workloads. The Payara DAS (Domain Administration Server) must never be exposed to the public internet. Place it in a dedicated management subnet reachable only through a VPN or a bastion host.

Apply the principle of least privilege across infrastructure and application layers. Run Payara instances under a dedicated non-root OS account with restricted filesystem permissions.

In public clouds, deploy Payara instances into private subnets. Only the load balancer should be internet-facing, carrying the north-south traffic. Restrict east-west traffic using security groups or network security rules. East-west traffic is network traffic that flows laterally between systems inside the same environment or subnet; north-south traffic is network traffic that enters and leaves the environment or subnet.

Administrative access must be strictly controlled. Default credentials and unrestricted admin access are a common cause of application server compromise. Best practices include enabling secure admin mode, restricting admin listeners to management networks, and integrating with centralized identity providers that support MFA.

asadmin commands:

enable-secure-admin


2. HTTP/HTTPS Listeners and Transport Security

Production systems must enforce encrypted transport and eliminate plaintext listeners. Disable HTTP listeners and allow only HTTPS with TLS 1.2 or TLS 1.3. 

asadmin commands:

disable-network-listener http-listener-1
set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls-enabled-protocols=TLSv1.2,TLSv1.3

set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ciphers=\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\
TLS_RSA_WITH_AES_256_GCM_SHA384,\
TLS_RSA_WITH_AES_128_GCM_SHA256

set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-enabled=false

restart-domain

While Payara doesn't have an explicit cipher deny-list, the allow-list above has the same effect: any suite not named is disabled, which excludes the weaker ones such as RC4, DES/3DES, NULL and EXPORT suites, MD5-based MACs and CBC-mode suites.


3. Protected Admin Access

Use centralized authentication mechanisms such as LDAP for admin access and avoid local user stores in production environments. By default Payara backs the admin-realm with a file-based store, but we can switch the admin-realm to LDAP.

asadmin commands:

configure-ldap-for-admin


If, however, we would like to integrate with a modern IdP such as Azure Entra or Okta, we will have to put the IdP in front of the admin interface. There are multiple approaches to this, but a simple and common one is:

Admin → MFA (IdP) → VPN / Zero Trust → Internal network → Payara Admin Console

This approach typically satisfies the requirement found in most compliance frameworks and audits:

“Administrative interfaces are not publicly accessible and require MFA via network access controls.”


4. Application and Container Security

Container-level security controls limit the impact of application vulnerabilities. Ensure JACC authorization is enforced and disable auto-deployment in production. Turning off default principal-to-role mapping means a role is only granted through an explicit mapping, rather than implicitly to any principal or group that happens to share the role's name.

asadmin commands:

set configs.config.server-config.admin-service.das-config.autodeploy-enabled=false
set configs.config.server-config.security-service.activate-default-principal-to-role-mapping=false


5. Auditing and Logging

Audit logging must be enabled to track administrative actions and security events. Optionally, logs should be forwarded to centralized systems and protected from tampering.

asadmin commands:

set-admin-audit-configuration --enabled=true --dynamic=true --auditlevel=MODIFIERS
set-admin-audit-service-notifier-configuration --notifier=log --enabled=true --dynamic=true
set configs.config.server-config.security-service.audit-enabled=true
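The asadmin settings from sections 1 through 5 all end up as attributes in the domain's domain.xml, addressed by the same dotted paths the set commands use. The following added example (not part of this guide or of Payara's own tooling) is an offline compliance check over a constructed domain.xml: it resolves each dotted path onto the XML the way Payara does and reports every attribute that is missing or differs from the hardened value. The secure-admin and network-listener enabled attributes are assumed to be where enable-secure-admin and disable-network-listener record their state.

```python
# Offline check of a Payara domain.xml against this guide's settings. Resolves the
# dotted asadmin 'set' paths the way Payara maps them onto domain.xml: each segment
# is an element tag, a segment after a named element (one carrying name="...")
# selects it by name, and the last segment is the attribute. Sample XML is constructed.
import xml.etree.ElementTree as ET

CFG = "configs.config.server-config."
EXPECTED = {  # values taken from the asadmin commands in this guide
    "secure-admin.enabled": "true",  # assumed location written by enable-secure-admin
    CFG + "network-config.network-listeners.network-listener.http-listener-1.enabled": "false",
    CFG + "network-config.protocols.protocol.http-listener-2.ssl.tls-enabled-protocols": "TLSv1.2,TLSv1.3",
    CFG + "network-config.protocols.protocol.http-listener-2.ssl.ssl3-enabled": "false",
    CFG + "admin-service.das-config.autodeploy-enabled": "false",
    CFG + "security-service.activate-default-principal-to-role-mapping": "false",
    CFG + "security-service.audit-enabled": "true",
}

SAMPLE_DOMAIN_XML = """<domain>
  <secure-admin enabled="true"/>
  <configs><config name="server-config">
    <admin-service><das-config autodeploy-enabled="true"/></admin-service>
    <security-service audit-enabled="true" activate-default-principal-to-role-mapping="false"/>
    <network-config>
      <protocols>
        <protocol name="http-listener-2" security-enabled="true">
          <ssl ssl3-enabled="false" tls-enabled-protocols="TLSv1.2,TLSv1.3"/>
        </protocol>
      </protocols>
      <network-listeners>
        <network-listener name="http-listener-1" protocol="http-listener-1" enabled="false"/>
      </network-listeners>
    </network-config>
  </config></configs>
</domain>"""

def resolve(root, dotted):
    """Return the attribute value addressed by a dotted asadmin path, or None if absent."""
    parts, node, i = dotted.split("."), root, 0
    while i < len(parts) - 1:
        kids = node.findall(parts[i])
        if kids and kids[0].get("name") is not None:  # named element: next segment picks it
            i += 1
            kids = [k for k in kids if k.get("name") == parts[i]]
        if not kids:
            return None
        node, i = kids[0], i + 1
    return node.get(parts[-1])

def check_domain(xml_text, expected=EXPECTED):
    """Map each non-compliant dotted path to (actual, expected); an empty dict means compliant."""
    root = ET.fromstring(xml_text)
    actual = {p: resolve(root, p) for p in expected}
    return {p: (actual[p], want) for p, want in expected.items() if actual[p] != want}
```

Run it against an exported domain.xml after applying the commands above; the constructed sample deliberately leaves autodeploy enabled so that one finding is reported.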


6. Patch Compliance and Mandatory Criteria

Security patches must be applied based on severity and exploitability. Patches are mandatory when they address remote code execution, authentication bypass, or critical cryptographic flaws. Maintain documented testing and rollback procedures.


7. References and Standards

OWASP Top 10

OWASP ASVS

CIS Benchmarks

NIST SP 800-52, SP 800-53

FIPS 140-2 / 140-3

ISO/IEC 27001
