I would like to control when and where the admin service is accessible

How do I do one of the following (if possible)

1. Enable the admin console only from localhost (I know about disable-secure-admin, but still I don't want anyone to see the console login page when they add 4848 in the end) I will use SSH tunnle to connect

2. Or, be able to use a certificate, so only certified clients will be able to even see the console

3. Or, be able on demand to start / stop the admin service when needed, not opening it to the outside world (e.g. start stop __asadmin virtual server)

Is any of the above possible?

Ok, I found it by guess-work

Solution to scenario #1

• Make sure you have SSH tunnel on port 4848 first
• Go to Configuration -> server-config -> Network Config -> Network Listeners -> admin-listener
• Under the General tab, in the Address: field replace 0.0.0.0 to 127.0.0.1
• Restart the server

Solution to scenario #3

I didn't find any command line way to enable / disable virtual servers, network listeners or protocols, but editing domain.xml shows that it's all there, just comment out and restart.

1. Use asadmin to update the The HTTP Network Listener named admin-listener.

2. asadmin enable-secure-admin-principal "Instructs GlassFish Server, when secure admin is enabled, to accept admin requests from clients identified by the specified SSL certificate".

3. asadmin enable-secure-admin "enables secure admin (if it is not already enabled), optionally changing the alias used for DAS-to-instance admin messages or the alias used for instance-to-DAS admin messages". Also a good blog on the subject. This doesn't turn admin on/off, but enables/disables for remote access to the admin console without the complications of (1).