What is the random port opened by Jira Datacenter used for and what is the range of choices?

We've noticed that JIRA datacenter will always listen on the web traffic port and additionally on 8005, 40001, and a "random" port (we've seen e.g. 44698, 42255, 54267).

What are these ports used for?

What is the range of the ports that might be the "randomly" chosen one?

1 answer

1 accepted

1 vote
Accepted answer
Chris Fuller Atlassian Team Oct 02, 2016

8005 is used as the tomcat control port.  This is the one that commands like stop-jira.sh use to attempt a graceful shutdown of the application server.  This port is only opened on the loopback interface, so you needn't normally worry about it.

Most of the other ports you are asking about are associated with Java Remote Method Invocation, or RMI.  This allows one JVM to request that another JVM run code on its behalf, but largely hides the networking layer from the consumer, so it looks to the caller like it is invoking the method on any other local object.  Its use was a design decision made by the caching technology we chose to use for JIRA Data Center (JDC), which is called Ehcache

1099, which you did not list, is a control port used for RMI communication.  This is a registry service for RMI services, with a purpose vaguely like DNS.

40001, this is the default port that we suggest using for Ehcache to create its services on.  Each individual cache gets a URL that refers to it and that client can send requests to in order to say things like "Value X was removed from my cache, so you should remove it too".  You may configure this to a different port number if you wish.  (See Installing JIRA Data Center: Cluster.properties file parameters for the relevant setting).

The "random" port has to do with RMI's default behaviour for handling incoming requests.  Here is somebody explaining it better than I could.  Specifically, this an RMI server socket used for handling individual requests, and we could create a custom RMIServerSocketFactory to modify the behaviour, but by default the port is left unspecified (0) meaning that a TCP ephemeral port is selected.  This range is operating system-specific and usually tunable with a registry setting (Windows) or kernel parameter (UNIX/Linux).  Of course, since this is a configuration parameter for the entire TCP/IP stack, this has system-wide implications, so it would be "nicer" if we added the extra supporting code necessary to be able to select the port range directly, instead.

@Chris Fuller Thanks for the explanation. We were also curious is the RMI traffic for JIRA Datacenter over SSL?

And also, is the request authenticated such that only other JIRA instances in the same Datacenter cluster may connect?

Chris Fuller Atlassian Team Oct 05, 2016

The answer to both questions is "no".  As documented in the installation instructions here:

https://confluence.atlassian.com/display/JIRA/Installing+JIRA+Data+Center#InstallingJIRADataCenter-Security

and advised on a specific known security threat that results from allowing external access to RMI

https://jira.atlassian.com/browse/JRA-46203

you absolutely do need to secure access to the port yourself.  The recommendation is that you ensure the security of the network itself, either by using firewalls or establishing a secure network tunnel (IPSec, etc.)

Note/edit: The "specific InvokerTransformer vulnerability" I referred to is only meant as an example of what can go wrong.  We have done the corresponding update to Apache Collections in https://jira.atlassian.com/browse/JRA-47638

so that specific vulnerability is addressed, but the very nature of what RMI does and the fact that these method calls influence cached data means that the port should be secured, anyway.

thanks @Chris Fuller though i'm not sure i see the relevant text in https://confluence.atlassian.com/adminjiraserver071/installing-jira-data-center-802592197.html#InstallingJIRADataCenter-Security could you point it out please?

Chris Fuller Atlassian Team Oct 05, 2016

sigh

So the link I pasted is apparently only available to people with the rights to edit the page.  I can see it, but you get redirected to what it published.  So somebody added the security info, but never published it. sad

The unpublished section reads:

Security

Ensure that only permit cluster nodes are allowed to connect to a JIRA Data Center instance's ehcache RMI port, which by default is port port 40001, through the use of a firewall and/or network segregation. Not restricting access to the ehcache RMI port could result in the compromise of a JIRA Data Center instance.

I'm not honestly certain why the changes weren't included in the public page.  I'll follow up w/ our docs people to figure out what needs to be done to fix this.

 

thanks for sharing. this seems to only mention the known port; is it not important in your view to protect the random port?

Chris Fuller Atlassian Team Oct 05, 2016

That reaches the extent of my knowledge about RMI's internals, I'm afraid.  However, I will say that Oracle's own RMI security recommendations suggest that they would not consider that communication to be intrinsically secure, either.  It's better to be safe than sorry.

 

thanks. indeed i agree.

The docs have been updated to include the Security details provided by Chris. Apologies for the omission! 

https://confluence.atlassian.com/display/AdminJIRAServer072/Installing+JIRA+Data+Center#InstallingJIRADataCenter-Security

Thanks,

Warren

Thanks for all of the information.  @Chris Fuller is there a bug we can watch to change the JIRA RMI port to a specific port?   This would make it easier to secure.  

Hi Ali, 

Please see feature request for this: https://jira.atlassian.com/browse/JRA-64974 

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 27, 2018 in Portfolio for Jira

Introducing a new planning experience in Portfolio for Jira (Server/DC)

In the past, Portfolio for Jira required a high degree of detail–foresight that was unrealistic for many businesses to   have–in   order to produce a reliable long-term roadmap. We're tur...

2,484 views 15 20
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you