What is the random port opened by Jira Datacenter used for and what is the range of choices?

dmitri September 30, 2016

We've noticed that JIRA datacenter will always listen on the web traffic port and additionally on 8005, 40001, and a "random" port (we've seen e.g. 44698, 42255, 54267).

What are these ports used for?

What is the range of the ports that might be the "randomly" chosen one?

1 answer

Answer accepted
crf
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 2, 2016

8005 is used as the tomcat control port.  This is the one that commands like stop-jira.sh use to attempt a graceful shutdown of the application server.  This port is only opened on the loopback interface, so you needn't normally worry about it.

Most of the other ports you are asking about are associated with Java Remote Method Invocation, or RMI.  This allows one JVM to request that another JVM run code on its behalf, but largely hides the networking layer from the consumer, so it looks to the caller like it is invoking the method on any other local object.  Its use was a design decision made by the caching technology we chose to use for JIRA Data Center (JDC), which is called Ehcache.

1099, which you did not list, is a control port used for RMI communication.  This is a registry service for RMI services, with a purpose vaguely like DNS.

40001 is the default port that we suggest using for Ehcache to create its services on.  Each individual cache gets a URL that refers to it and that clients can send requests to in order to say things like "Value X was removed from my cache, so you should remove it too".  You may configure this to a different port number if you wish.  (See Installing JIRA Data Center: Cluster.properties file parameters for the relevant setting).

The "random" port has to do with RMI's default behaviour for handling incoming requests.  Here is somebody explaining it better than I could.  Specifically, this is an RMI server socket used for handling individual requests, and we could create a custom RMIServerSocketFactory to modify the behaviour, but by default the port is left unspecified (0), meaning that a TCP ephemeral port is selected.  This range is operating-system-specific and usually tunable with a registry setting (Windows) or kernel parameter (UNIX/Linux).  Of course, since this is a configuration parameter for the entire TCP/IP stack, this has system-wide implications, so it would be "nicer" if we added the extra supporting code necessary to be able to select the port range directly, instead.
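The answer above lists four kinds of listener on a Data Center node: the Tomcat shutdown port on loopback, the RMI registry, the Ehcache port, and an RMI request socket that lands somewhere in the OS ephemeral range. The script below is an added example, not code from the page or from Atlassian, that classifies a node's listening sockets the same way. It works on a constructed sample of `ss -ltnp` output (the PID, the 8080 web port and the 32768-60999 range are assumptions; on a real Linux node substitute `ss -H -ltnp` and the range from `/proc/sys/net/ipv4/ip_local_port_range`).

```shell
#!/bin/sh
# Classify the TCP listeners of a Jira Data Center JVM into the port roles
# described in the answer. Constructed sample of `ss -H -ltnp` output; the
# pid and the 8080 web port are assumptions, not values from the page.
SAMPLE_SS='LISTEN 0 100 127.0.0.1:8005 0.0.0.0:* users:(("java",pid=4242,fd=57))
LISTEN 0 100 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=4242,fd=58))
LISTEN 0 50 0.0.0.0:40001 0.0.0.0:* users:(("java",pid=4242,fd=61))
LISTEN 0 50 0.0.0.0:1099 0.0.0.0:* users:(("java",pid=4242,fd=62))
LISTEN 0 50 0.0.0.0:44698 0.0.0.0:* users:(("java",pid=4242,fd=63))'

# Ephemeral range: the Linux default is assumed here. On a real host read it
# with: cat /proc/sys/net/ipv4/ip_local_port_range
EPHEMERAL_LO=${EPHEMERAL_LO:-32768}
EPHEMERAL_HI=${EPHEMERAL_HI:-60999}
WEB_PORT=${WEB_PORT:-8080}
EHCACHE_PORT=${EHCACHE_PORT:-40001}   # cluster.properties setting, default per the answer

# classify_port ADDR PORT -> prints a role label for one listener
classify_port() {
    addr=$1
    port=$2
    case "$port" in
        8005)
            # Tomcat shutdown port: should only ever be bound to loopback
            if [ "$addr" = "127.0.0.1" ] || [ "$addr" = "[::1]" ]; then
                echo "tomcat-shutdown (loopback only)"
            else
                echo "tomcat-shutdown EXPOSED on $addr"
            fi ;;
        1099) echo "rmi-registry" ;;
        "$EHCACHE_PORT") echo "ehcache-rmi" ;;
        "$WEB_PORT") echo "web" ;;
        *)
            # Anything else inside the ephemeral range is the RMI request
            # socket that was bound to port 0 and got a kernel-chosen port.
            if [ "$port" -ge "$EPHEMERAL_LO" ] && [ "$port" -le "$EPHEMERAL_HI" ]; then
                echo "rmi-ephemeral"
            else
                echo "unknown"
            fi ;;
    esac
}

# audit SS_OUTPUT -> prints "<port> <role>" for every LISTEN line
audit() {
    printf '%s\n' "$1" | while read -r _state _rq _wq laddr _peer _rest; do
        addr=${laddr%:*}      # everything before the last colon
        port=${laddr##*:}     # everything after the last colon
        printf '%s %s\n' "$port" "$(classify_port "$addr" "$port")"
    done
}

audit "$SAMPLE_SS"
```

Run on a live node as `audit "$(ss -H -ltnp | grep java)"` with EPHEMERAL_LO/HI set from the kernel setting; any line labelled `rmi-ephemeral` is the "random" port the question asks about, and a `tomcat-shutdown EXPOSED` line means the 8005 listener is not on loopback as the answer expects.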

dmitri October 5, 2016

@Chris Fuller Thanks for the explanation. We were also curious: is the RMI traffic for JIRA Datacenter over SSL?

dmitri October 5, 2016

And also, is the request authenticated such that only other JIRA instances in the same Datacenter cluster may connect?

crf
Atlassian Team
October 5, 2016

The answer to both questions is "no".  As documented in the installation instructions here:

https://confluence.atlassian.com/display/JIRA/Installing+JIRA+Data+Center#InstallingJIRADataCenter-Security

and advised on a specific known security threat that results from allowing external access to RMI

https://jira.atlassian.com/browse/JRA-46203

you absolutely do need to secure access to the port yourself.  The recommendation is that you ensure the security of the network itself, either by using firewalls or establishing a secure network tunnel (IPSec, etc.)

Note/edit: The "specific InvokerTransformer vulnerability" I referred to is only meant as an example of what can go wrong.  We have done the corresponding update to Apache Collections in https://jira.atlassian.com/browse/JRA-47638

so that specific vulnerability is addressed, but the very nature of what RMI does and the fact that these method calls influence cached data means that the port should be secured, anyway.
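Since the reply above says the RMI traffic is neither encrypted nor authenticated and that the network itself has to do the job, the script below is an added example of the firewall side of that advice. It is not Atlassian's code or configuration from the page: it prints iptables commands that let only the other cluster nodes reach the RMI registry, the Ehcache port and the ephemeral range (where the per-request RMI socket lands), and drops everything else to those ports. The peer addresses, the 32768-60999 range and the chain name are placeholders.

```shell
#!/bin/sh
# Restrict the Jira Data Center RMI ports to the other cluster nodes with
# iptables. All values below are constructed placeholders, not from the page:
# set PEERS to the real node addresses and EPHEMERAL_LO/HI to the range in
# /proc/sys/net/ipv4/ip_local_port_range on this node.
PEERS=${PEERS:-"10.0.1.11 10.0.1.12"}
RMI_REGISTRY_PORT=${RMI_REGISTRY_PORT:-1099}
EHCACHE_PORT=${EHCACHE_PORT:-40001}
EPHEMERAL_LO=${EPHEMERAL_LO:-32768}
EPHEMERAL_HI=${EPHEMERAL_HI:-60999}
CHAIN=${CHAIN:-JIRA_RMI}

# rmi_rules -> prints the iptables commands, one per line, without running
# them; review the output, then apply with:  rmi_rules | sh
rmi_rules() {
    echo "iptables -N $CHAIN"
    # Divert inbound TCP aimed at the registry, the cache port or the whole
    # ephemeral range into the chain; the web port is deliberately untouched.
    echo "iptables -A INPUT -p tcp -m multiport --dports $RMI_REGISTRY_PORT,$EHCACHE_PORT,$EPHEMERAL_LO:$EPHEMERAL_HI -j $CHAIN"
    # Replies to connections this node opened itself also arrive on ephemeral
    # ports, so accept established traffic before filtering by source address.
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only the other cluster nodes may open new connections to these ports.
    for peer in $PEERS; do
        echo "iptables -A $CHAIN -s $peer -p tcp -j ACCEPT"
    done
    # Log and drop everything else so unexpected RMI clients show up in syslog.
    echo "iptables -A $CHAIN -j LOG --log-prefix \"jira-rmi-denied: \""
    echo "iptables -A $CHAIN -j DROP"
}

rmi_rules
```

The ephemeral range has to be included because the RMI request socket can land anywhere inside it; narrowing `ip_local_port_range` to shrink that window is a system-wide change, as the first answer notes, so the usual trade-off is to leave the range alone and rely on the source-address filter.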

dmitri October 5, 2016

Thanks @Chris Fuller, though I'm not sure I see the relevant text in https://confluence.atlassian.com/adminjiraserver071/installing-jira-data-center-802592197.html#InstallingJIRADataCenter-Security could you point it out please?

crf
Atlassian Team
October 5, 2016

sigh

So the link I pasted is apparently only available to people with the rights to edit the page.  I can see it, but you get redirected to what is published.  So somebody added the security info, but never published it. sad

The unpublished section reads:

Security

Ensure that only permitted cluster nodes are allowed to connect to a JIRA Data Center instance's ehcache RMI port, which by default is port 40001, through the use of a firewall and/or network segregation. Not restricting access to the ehcache RMI port could result in the compromise of a JIRA Data Center instance.

I'm not honestly certain why the changes weren't included in the public page.  I'll follow up w/ our docs people to figure out what needs to be done to fix this.

dmitri October 5, 2016

Thanks for sharing. This seems to only mention the known port; is it not important in your view to protect the random port?

crf
Atlassian Team
October 5, 2016

That reaches the extent of my knowledge about RMI's internals, I'm afraid.  However, I will say that Oracle's own RMI security recommendations suggest that they would not consider that communication to be intrinsically secure, either.  It's better to be safe than sorry.

dmitri October 5, 2016

Thanks. Indeed I agree.

Wazza
Atlassian Team
October 5, 2016

The docs have been updated to include the Security details provided by Chris. Apologies for the omission! 

https://confluence.atlassian.com/display/AdminJIRAServer072/Installing+JIRA+Data+Center#InstallingJIRADataCenter-Security

Thanks,

Warren

Ali November 7, 2016

Thanks for all of the information. @Chris Fuller is there a bug we can watch to change the JIRA RMI port to a specific port? This would make it easier to secure.

Andriy Yakovlev _Atlassian_
Atlassian Team
March 28, 2017

Hi Ali, 

Please see feature request for this: https://jira.atlassian.com/browse/JRA-64974 
