On Debian 13:
sudo apt update
sudo apt install openjdk-17-jdk
On RHEL 10:
sudo dnf install java-17-openjdk-devel
Verify:
java -version
sudo useradd --system --home /opt/payara --shell /usr/sbin/nologin payara
Install unzip if needed.
On Debian 13:
sudo apt install unzip
On RHEL 10:
sudo dnf install unzip
cd /tmp
PAYARA_VERSION=7.2026.2
curl -LO "https://repo1.maven.org/maven2/fish/payara/distributions/payara/${PAYARA_VERSION}/payara-${PAYARA_VERSION}.zip"
sudo mkdir -p /opt/payara
sudo unzip "payara-${PAYARA_VERSION}.zip" -d /opt
EXTRACTED_DIR="$(find /opt -maxdepth 1 -type d -name 'payara*' ! -name 'payara' | head -n1)"
sudo mv "${EXTRACTED_DIR}"/* /opt/payara/
sudo chown -R payara:payara /opt/payara
Check the latest release before installation:
https://www.payara.fish/downloads/payara-platform-community/
sudo tee /etc/systemd/system/payara.service >/dev/null <<'SERVICE'
[Unit]
Description=Payara Server
After=network.target
[Service]
Type=forking
User=payara
Group=payara
Environment=PAYARA_HOME=/opt/payara
Environment=JAVA_HOME=/usr/lib/jvm/java-17-openjdk
ExecStart=/opt/payara/bin/asadmin start-domain
ExecStop=/opt/payara/bin/asadmin stop-domain
Restart=on-failure
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=true
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
SystemCallArchitectures=native
CapabilityBoundingSet=
AmbientCapabilities=
[Install]
WantedBy=multi-user.target
SERVICE
Note: On Debian, you may need to set JAVA_HOME to /usr/lib/jvm/java-17-openjdk-amd64.
If your app needs write access outside /opt/payara, add ReadWritePaths= entries to the service.
Stronger hardening (optional). This narrows filesystem/device access and may need ReadWritePaths for domains, logs, or uploads. If Payara fails to start, remove or relax these:
ProtectSystem=strict
PrivateDevices=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectProc=invisible
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictFileSystems=ext4 xfs
UMask=0077
Enable and start:
sudo systemctl daemon-reload
sudo systemctl enable --now payara
On UFW:
sudo ufw allow 8080/tcp
sudo ufw allow 4848/tcp
On firewalld:
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --permanent --add-port=4848/tcp
sudo firewall-cmd --reload
http://SERVER_IP:8080http://SERVER_IP:48484848/tcp to trusted IPs only.Do you need help or support for Payara Server? Feel free to contact us!
Prefer automation? Choose your deployment method:
| Method | Description | Playbook |
|---|---|---|
| Native Installation | Installs Payara Server directly on the host system | Payara Server Ansible Setup |
| Docker Deployment | Deploys Payara Server using Docker Compose | Payara Server Docker Ansible Setup |
Prefer manual container setup? See Payara Server Docker Setup.
See Payara Configuration for configuration guidance.
See Payara Security for hardening and operational security controls.
Any questions?
Feel free to contact us. Find all contact information on our contact page.