PK00174: WEBSPHERE PORTS 1507 AND 5559 SECURITY EXPOSURE BINDING TO ZERO IP ADDRESS
APAR status

Closed as program error.

Error description

Problem Summary: When dual NIC interfaces are in play, WebSphere ports bind to the zero IP address, in this case WEMPs ports 1507 and 5559. This is a security issue for customers.

Local fix

A test fix has been provided.

Problem summary

USERS AFFECTED: This problem affects customers who use the Embedded Messaging Server provided with WebSphere Application Server Version 5.1.1.

PROBLEM DESCRIPTION: The Embedded JMS Server that ships with WebSphere Application Server Version 5.1.1.x provides a message broker that uses a number of ports for all its communication with the outside world:

1507 - The Data Replication Services port
5559 - The port used by the broker to listen for incoming requests

These ports are all bound to the TCP/IP address 0.0.0.0. This means that customers with single or multiple instances of WebSphere Application Server in multiple network card scenarios would experience port binding failures.

RECOMMENDATION:

The problem here was caused by the fact that the ports used by the Embedded JMS Server's message broker were never being bound to specific TCP/IP addresses.

Problem conclusion

The fix for this APAR is currently targeted for inclusion in the JMS Cumulative Fix 4 for WebSphere Application Server - IC46552.

This can be downloaded from the following URL: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=wsmqcsd

After the Cumulative Fix has been installed, you will need to carry out the following steps in order to bind ports 1507 and 5559 to specific TCP/IP addresses:

- When the application server has restarted, bring up the WebSphere Administrative Console and log in.
- Expand the Servers entry in the left-hand tree view, and click on the Application Servers link.
- The Application Servers panel will now appear, containing a list of application servers. Click on the entry for the appropriate application server.
- In the next panel, click on the Process Definition link within the Additional Properties table.
- The Process Definition panel should now appear. Click on the Java Virtual Machine link.
- In the Generic JVM arguments field, enter: -D-DDisthubNetAddr=x.x.x.x where x.x.x.x is the TCP/IP address that ports 1507 and 5559 will be bound to.
- Click OK, and save the configuration changes.
- Log off the Administrative Console.
- Restart the Application Server.

Temporary fix

Comments
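A way to confirm the result of the procedure above, as an added example that is not part of the APAR or of IBM's code: it parses `netstat -an` output and reports whether ports 1507 and 5559 still listen on the wildcard address. The sample output, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import re

WATCHED_PORTS = (1507, 5559)            # broker ports named in the APAR
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}
# Local address is "addr:port" (Linux, Windows) or "addr.port" (AIX, Solaris).
LOCAL = re.compile(r"^(?P<addr>.+)[:.](?P<port>\d+)$")

def listeners(netstat_text):
    """Yield (address, port) for each TCP socket in a LISTEN state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith("tcp"):
            continue
        if not any(f.upper().startswith("LISTEN") for f in fields[1:]):
            continue
        # The local address is the first column shaped like addr+port;
        # the Recv-Q/Send-Q counters on Unix do not match the pattern.
        for field in fields[1:]:
            m = LOCAL.match(field)
            if m:
                yield m.group("addr"), int(m.group("port"))
                break

def audit(netstat_text, expected_ip, ports=WATCHED_PORTS):
    """Map each watched port to 'wildcard', 'bound', 'unexpected' or 'absent'."""
    result = {p: "absent" for p in ports}
    for addr, port in listeners(netstat_text):
        if port not in result or result[port] == "wildcard":
            continue
        if addr in WILDCARDS:
            result[port] = "wildcard"    # reachable on every interface
        else:
            result[port] = "bound" if addr == expected_ip else "unexpected"
    return result

# Constructed `netstat -an` excerpts (formats mixed on purpose), not real captures.
BEFORE = """\
tcp        0      0 0.0.0.0:1507      0.0.0.0:*      LISTEN
tcp4       0      0  *.5559           *.*            LISTEN
tcp        0      0 192.0.2.10:9080   0.0.0.0:*      LISTEN
"""
AFTER = """\
tcp        0      0 192.0.2.10:1507   0.0.0.0:*      LISTEN
  TCP    192.0.2.10:5559    0.0.0.0:0    LISTENING
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text, "192.0.2.10"))
```

A port reported as `wildcard` after the restart means the address binding did not take effect for that listener.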
Product categories: Software > Application Servers >
Distributed Application & Web Servers > WebSphere Application
Server > General
Operating system(s):
Software version: 00I
Software edition:
Reference #: PK00174
IBM Group: Software Group
Modified date: Jul 11, 2005
(C) Copyright IBM Corporation 2000, 2008. All Rights Reserved.