
Open TCP port after clean install

J G, modified 8 years ago.

Open TCP port after clean install

Junior Member Posts: 53 Join Date: 21/01/16
Hi,

I installed Liferay Portal Community Edition 6.2 CE GA6 with tomcat.
Liferay seems to open a random tcp port (checked with netstat -a -v -p -n | grep <pid>).

I also installed Liferay on a pre-installed tomcat. Same results.

What is the purpose of this open port (and should I close it)?

Thanks.

-- JG
David H Nebinger, modified 8 years ago.

RE: Open TCP port after clean install

Liferay Legend Posts: 14914 Join Date: 02/09/06
Not sure what it's for. Probably okay to block it at the firewall (you'll likely know you need it when things fail), but I wouldn't attempt to somehow force the port closed.
Juan Gonzalez, modified 8 years ago.

RE: Open TCP port after clean install

Liferay Legend Posts: 3089 Join Date: 28/10/08
Are you changing some properties in portal-ext.properties?
J G, modified 8 years ago.

RE: Open TCP port after clean install

Junior Member Posts: 53 Join Date: 21/01/16
I cannot block it on the firewall, as it is a different port after a restart of tomcat.
It happens both with the version that includes tomcat, as with the version that can be installed in a self-provided tomcat installation.

I have tested my own tomcat installation without liferay and with the standard tomcat hello world example; then the port is not opened.
But if I include liferay, it opens a (seemingly random) TCP port for listening.

more portal-ext.properties shows:
liferay.home=/opt/liferay
include-and-override=/opt/liferay/portal-ext.properties

/opt/liferay/portal-ext.properties
contains the jdbc data
Olaf Kock, modified 8 years ago.

RE: Open TCP port after clean install

Liferay Legend Posts: 6396 Join Date: 23/09/08
Looks like the JVM's RMI connector that's documented to be on a random port (or on 1098)

When I connect with jconsole and look at the threads, here's one that gets added to the list when I connect to the port with telnet:

Name: RMI TCP Connection(32)-127.0.0.1
State: RUNNABLE
Total blocked: 0  Total waited: 0

Stack trace: 
java.net.SocketInputStream.socketRead0(Native Method)
java.net.SocketInputStream.read(SocketInputStream.java:152)
java.net.SocketInputStream.read(SocketInputStream.java:122)
java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
java.io.BufferedInputStream.read(BufferedInputStream.java:254)
   - locked java.io.BufferedInputStream@4e967926
java.io.DataInputStream.readInt(DataInputStream.java:387)
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:724)
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.access$400(TCPTransport.java:619)
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(TCPTransport.java:684)
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler$1.run(TCPTransport.java:681)
java.security.AccessController.doPrivileged(Native Method)
sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:681)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
java.lang.Thread.run(Thread.java:745)


Now for your unasked question: What can you do with it? I have to admit that I'm currently unaware of the consequences, but it doesn't feel good to have it open. I'll notify our security team and see if they have an opinion.

That being said, your server should be firewalled and only well known ports should be open to the world.
J G, modified 8 years ago.

RE: Open TCP port after clean install

Junior Member Posts: 53 Join Date: 21/01/16
Thanks for your prompt answer.
If it is of any help: the port that is opened is always > 1024, but my instance runs as user tomcat7.
Tomas Polesovsky, modified 8 years ago.

RE: Open TCP port after clean install

Liferay Master Posts: 676 Join Date: 13/02/09
Hi,

If you are on Tomcat, there's already a good facility provided by Tomcat, please see https://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html#JMX_Remote_Lifecycle_Listener_-_org.apache.catalina.mbeans.JmxRemoteLifecycleListener

You should be able to configure the ports there and configure authentication, in case you want to make it public.
J G, modified 8 years ago.

RE: Open TCP port after clean install

Junior Member Posts: 53 Join Date: 21/01/16
I tried what is suggested on the URL you posted.
However, if I restart tomcat I get:

java.lang.ClassNotFoundException: org.apache.catalina.mbeans.JmxRemoteLifecycleListener

This gives me the idea that JmxRemote is not enabled in my setup.

Do you have any other suggestion?

Thanks

-- JG
Olaf Kock, modified 8 years ago.

RE: Open TCP port after clean install

Liferay Legend Posts: 6396 Join Date: 23/09/08
The link that Tomas gives points out a required jar.

I've checked a vanilla tomcat: While it doesn't have the open random port initially, it will have it once you've opened jconsole and asked it to connect to tomcat. E.g. something in Liferay (I've not hunted it down) seems to trigger the JMX settings without external input. If I understand Tomas' linked documentation correctly, you can fix the port through that listener. It's not that there won't be any port if you don't have that jar - it's more that you can fix the port instead of the JVM opening a random one.
Juan Gonzalez, modified 8 years ago.

RE: Open TCP port after clean install

Liferay Legend Posts: 3089 Join Date: 28/10/08
Hi J. G.,

Based on Olaf's research, can you try disabling JMX for ehcache by setting it to "false" and see how it goes (it is "true" by default)?

    #
    # Set this to true to enable JMX integration in
    # com.liferay.portal.cache.EhcachePortalCacheManager. Set this to false if
    # the portal needs to be reloaded under WebSphere.
    #
    ehcache.portal.cache.manager.jmx.enabled=false
J G, modified 8 years ago.

RE: Open TCP port after clean install

Junior Member Posts: 53 Join Date: 21/01/16
I tried to add to tomcat's server.xml


  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />


It opens ports 10001 and 10002, but it still opens a random port.

I also added to portal-ext.properties


ehcache.portal.cache.manager.jmx.enabled=false


Same results: still a random port is opened
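
An added example (not from any poster in this thread): a shell check that turns the netstat-by-PID inspection used above into an allowlist comparison, so the JVM's extra listener is flagged whichever port number it picks after a restart. The sample netstat output, PID 4242 and port 41873 are constructed; 8080/8005/8009 are assumed to be the Tomcat default connector and shutdown ports, and 10001/10002 are the ports from the listener configuration quoted above.

```shell
#!/bin/sh
# Flag listening TCP sockets owned by one PID that are not on an allowlist.
# Input format: `netstat -tlnp` (net-tools), read from stdin.

# Constructed sample output; PID 4242 stands in for the Tomcat JVM.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      811/sshd
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      4242/java
tcp6       0      0 :::8080                 :::*                    LISTEN      4242/java
tcp6       0      0 :::8009                 :::*                    LISTEN      4242/java
tcp6       0      0 :::10001                :::*                    LISTEN      4242/java
tcp6       0      0 :::10002                :::*                    LISTEN      4242/java
tcp6       0      0 :::41873                :::*                    LISTEN      4242/java
EOF
}

# unexpected_listeners PID "PORT PORT ..."
# Prints "<port> <bind-address> <scope>" for every listener of PID whose
# port is not in the allowlist. Scope shows whether the socket is reachable
# from other hosts (all-interfaces) or only locally (loopback).
unexpected_listeners() {
    awk -v pid="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            split($7, owner, "/")                   # "4242/java" -> PID 4242
            if (owner[1] != pid) next
            port = $4; sub(/.*:/, "", port)         # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)    # bind address before it
            if (port in ok) next
            if (host == "127.0.0.1" || host == "::1") scope = "loopback"
            else if (host == "0.0.0.0" || host == "::") scope = "all-interfaces"
            else scope = "specific-address"
            print port, host, scope
        }'
}

# Demo on the constructed sample. On a real host, pipe in live output:
#   netstat -tlnp | unexpected_listeners <tomcat-pid> "8080 8005 8009 10001 10002"
sample_netstat | unexpected_listeners 4242 "8080 8005 8009 10001 10002"
```

Run after each Tomcat restart, this reports the leftover listener by owner and bind address rather than by a port number that will have changed.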