A customer was flagged during a security audit for CVE-2015-0225, "Java JMX RMI Accessible with Common Credentials". To remediate this audit item, the customer had to make sure that either the JMX was password protected or not accessible to anyone.
Setting this up is not straightforward. The customer thinks it would be better if the JMX configuration were read from a file. In the end, they decided to block remote JMX access on the server in order to pass the security scan.
One difficulty in building a solution is making sure that each Java process uses a unique JMX port. One way to do that is to derive the port from $AGENT_ID and pass it through $XAP_COMPONENT_OPTIONS. Better documentation may be part of the answer: is XAP_COMPONENT_OPTIONS going away? We do not document this environment variable.