Port 8080 visible, 1060 not

Poster	Content
pjr nk4um Moderator Posts: 763	Hi Glenn, The default binding for port 1060 is to 0.0.0.0 which is all NICs. I just tried a vanilla install of NKEE-5.1.1 and successfully talked to 1060 on both lo and eth0 interfaces with different IPs. I would take a look at your firewall rules perhaps as the first line of enquiry. As for locking down the backend - you can add role based access control here... http://localhost:1060/tools/ee/befsecurity/manage/ To make this effective you also need to add an SSL socket connector to jetty in the backend fulcrum config /modules/...fulcrum-backend.../etc/HTTPJettyConfig.xml There's a commented out connect in the default config that you just need to uncomment and set up the keystore and cert alias... {xml} <Call name="addConnector"> <Arg> <New class="org.mortbay.jetty.security.SslSocketConnector"> <Set name="Port">8443</Set> <Set name="maxIdleTime">30000</Set> <Set name="Acceptors">2</Set> <Set name="statsOn">true</Set> <Set name="lowResourcesConnections">100</Set> <Set name="lowResourceMaxIdleTime">5000</Set> <Set name="keystore">../keystore</Set> <Set name="password">test123</Set> <Set name="keyPassword">test123</Set> <Set name="truststore">../keystore</Set> <Set name="trustPassword">test123</Set> </New> </Arg> </Call> {/xml} You'll need a certificate in a keystore. This guide explains all you need to know... http://docs.codehaus.org/display/JETTY/How+to+configure+SSL If this is still not sufficient then we can also set up a BASIC / DIGEST security handler which can make ROC requests to an authentication endpoint - which could then call LDAP or whatever. But that will need a little specific customisation to suit your clients infrastructure. Let me know if you need more assistance. Peter 2011-12-07T11:00:23.355ZDecember 7, 2011 11:00Locking Down the Backend Fulcrum Hi Glenn, The default binding for port 1060 is to 0.0.0.0 which is all NICs. I just tried a vanilla install of NKEE-5.1.1 and successfully talked to 1060 on both lo and eth0 interfaces with different IPs. I would take a look at your firewall rules perhaps as the first line of enquiry. As for locking down the backend - you can add role based access control here... http://localhost:1060/tools/ee/befsecurity/manage/ To make this effective you also need to add an SSL socket connector to jetty in the backend fulcrum config /modules/...fulcrum-backend.../etc/HTTPJettyConfig.xml There's a commented out connect in the default config that you just need to uncomment and set up the keystore and cert alias... <Callname="addConnector"> <Arg> <Newclass="org.mortbay.jetty.security.SslSocketConnector"> <Setname="Port">8443</Set> <Setname="maxIdleTime">30000</Set> <Setname="Acceptors">2</Set> <Setname="statsOn">true</Set> <Setname="lowResourcesConnections">100</Set> <Setname="lowResourceMaxIdleTime">5000</Set> <Setname="keystore">../keystore</Set> <Setname="password">test123</Set> <Setname="keyPassword">test123</Set> <Setname="truststore">../keystore</Set> <Setname="trustPassword">test123</Set> </New> </Arg> </Call> You'll need a certificate in a keystore. This guide explains all you need to know... http://docs.codehaus.org/display/JETTY/How+to+configure+SSL If this is still not sufficient then we can also set up a BASIC / DIGEST security handler which can make ROC requests to an authentication endpoint - which could then call LDAP or whatever. But that will need a little specific customisation to suit your clients infrastructure. Let me know if you need more assistance. Peter
Glenn nk4um User Posts: 37	Just revisiting this; I have a default installation of NetKernel-SE 5.1.1, and it would seem that port 1060 is visible anywhere on the local network; is this something that's changed with version 5? I've checked in modules/urn.org.netkernel.fulcrum.backend-1.6.8/etc/HTTPServerConfig.xml and the netkernel.http.backend.host setting is as I would expect: {xml}<Set name="port"> <SystemProperty name="netkernel.http.backend.port" default="1060" /> </Set> <Set name="host"> <SystemProperty name="netkernel.http.backend.host" default="0.0.0.0" /> </Set> {/xml} And I'm not overriding this in jvmsettings.cnf or anywhere else. Is there another setting I'm missing? Also, I'm encountering some resistance from the client's sysadmins with regard to setting up SSH tunnelling. Are there any other ways to lock down the NetKernel backend, for example having it available to all machines but with (say) HTTP basic authentication on the admin interface? It would smooth the installation path in relatively locked-down environments like the one I'm dealing with at the moment. Regards Glenn. 2011-12-07T10:33:42.470ZDecember 7, 2011 10:33 Just revisiting this; I have a default installation of NetKernel-SE 5.1.1, and it would seem that port 1060 is visible anywhere on the local network; is this something that's changed with version 5? I've checked in modules/urn.org.netkernel.fulcrum.backend-1.6.8/etc/HTTPServerConfig.xml and the netkernel.http.backend.host setting is as I would expect: And I'm not overriding this in jvmsettings.cnf or anywhere else. Is there another setting I'm missing? Also, I'm encountering some resistance from the client's sysadmins with regard to setting up SSH tunnelling. Are there any other ways to lock down the NetKernel backend, for example having it available to all machines but with (say) HTTP basic authentication on the admin interface? It would smooth the installation path in relatively locked-down environments like the one I'm dealing with at the moment. Regards Glenn.
Glenn nk4um User Posts: 37	Thanks Peter. I did wonder if it was some sort of security restriction. I agree that the tunnelling approach is the best way to go; however it looks like tunnelling is disabled in the sshd config of the server in question I'll have to pull some strings to get that enabled. I'll let you know how I get on. Regards Glenn. 2011-10-24T14:44:40.027ZOctober 24, 2011 14:44 Thanks Peter. I did wonder if it was some sort of security restriction. I agree that the tunnelling approach is the best way to go; however it looks like tunnelling is disabled in the sshd config of the server in question I'll have to pull some strings to get that enabled. I'll let you know how I get on. Regards Glenn.
pjr nk4um Moderator Posts: 763	I should have said - opening up the backed fulcrum is not really best practice. Its much better to use ssh to port tunnel the localhost:1060 to your local machine and then connect. For example here's how you'd use ssh to tunnel to foo.corp.com... ssh -L 1066:localhost:1060 foo.corp.com So with this tunnel open, http://localhost:1066 (on your client side machine) gives access to the BEF on 1060 of foo.corp.com Does this help? P. 2011-10-24T12:38:39.373ZOctober 24, 2011 12:38 I should have said - opening up the backed fulcrum is not really best practice. Its much better to use ssh to port tunnel the localhost:1060 to your local machine and then connect. For example here's how you'd use ssh to tunnel to foo.corp.com... ssh -L 1066:localhost:1060 foo.corp.com So with this tunnel open, http://localhost:1066 (on your client side machine) gives access to the BEF on 1060 of foo.corp.com Does this help? P.
pjr nk4um Moderator Posts: 763	Hi Glenn, Yes this is a security constraint that was added so that by default the BEF only binds the local loop interface. Here's the relevant part of the Jetty config... {xml} <Call name="addConnector"> <Arg> <New class="org.eclipse.jetty.server.nio.SelectChannelConnector"> <Set name="port"> <SystemProperty name="netkernel.http.backend.port" default="1060" /> </Set> <Set name="host"> <SystemProperty name="netkernel.http.backend.host" default="0.0.0.0" /> </Set> <Set name="maxIdleTime">30000</Set> <Set name="Acceptors">1</Set> <Set name="lowResourcesConnections">50</Set> <Set name="lowResourceMaxIdleTime">5000</Set> <Set name="statsOn">true</Set> </New> </Arg> </Call> {/xml} But you don't need to edit this. All you have to do is specify the hostname of the NIC interface you want to to bind to with the JVM property '''netkernel.http.backend.host''' So if the server is accessed on the net as "foo.corp.com" then set the property to that and then.. http://foo.corp.com:1060/ ..will be accessible. Does that help? P. 2011-10-24T12:32:59.217ZOctober 24, 2011 12:32 Hi Glenn, Yes this is a security constraint that was added so that by default the BEF only binds the local loop interface. Here's the relevant part of the Jetty config... <Callname="addConnector"> <Arg> <Newclass="org.eclipse.jetty.server.nio.SelectChannelConnector"> <Setname="port"> <SystemPropertyname="netkernel.http.backend.port" default="1060" /> </Set> <Setname="host"> <SystemPropertyname="netkernel.http.backend.host" default="0.0.0.0" /> </Set> <Setname="maxIdleTime">30000</Set> <Setname="Acceptors">1</Set> <Setname="lowResourcesConnections">50</Set> <Setname="lowResourceMaxIdleTime">5000</Set> <Setname="statsOn">true</Set> </New> </Arg> </Call> But you don't need to edit this. All you have to do is specify the hostname of the NIC interface you want to to bind to with the JVM property netkernel.http.backend.host So if the server is accessed on the net as "foo.corp.com" then set the property to that and then.. http://foo.corp.com:1060/ ..will be accessible. Does that help? P.
Glenn nk4um User Posts: 37	I'm attempting to get a test instance of NK up and running inside a client's network. I have downloaded and installed NK on the machine in question. I can use a web browser (links or lynx for example) to connect to both the frontend and backend fulcrums from the local machine, i.e. the one NK is running on. From other machines on the network however, I can connect to port 8080 on the NK machine (I get the default front-end fulcrum page) but not to port 1060. As far as I can see there is no firewall running on the machine in question. netstat shows that the same Java process (which I assume is NK) is listening on ports 1060 and 8080. There are no errors when I start up NetKernel. I've tried changing the port NK is running on to 1061 in case there was a conflict but that didn't help. Can anyone suggest where I should be looking next? Thanks Glenn. 2011-10-24T12:21:52.727ZOctober 24, 2011 12:21Port 8080 visible, 1060 not I'm attempting to get a test instance of NK up and running inside a client's network. I have downloaded and installed NK on the machine in question. I can use a web browser (links or lynx for example) to connect to both the frontend and backend fulcrums from the local machine, i.e. the one NK is running on. From other machines on the network however, I can connect to port 8080 on the NK machine (I get the default front-end fulcrum page) but not to port 1060. As far as I can see there is no firewall running on the machine in question. netstat shows that the same Java process (which I assume is NK) is listening on ports 1060 and 8080. There are no errors when I start up NetKernel. I've tried changing the port NK is running on to 1061 in case there was a conflict but that didn't help. Can anyone suggest where I should be looking next? Thanks Glenn.

nk4um

Port 8080 visible, 1060 not