New configuration option to define initial port for JMX

Description

A customer was flagged during a security audit for CVE-2015-0225, "Java JMX RMI Accessible with Common Credentials". To remediate this audit item, the customer had to make sure that the JMX was either password protected or not accessible to anyone.

The way to set this up is not straightforward. The customer thinks it would be better if the JMX configurations were read from a file. In the end, they decided to block remote JMX access on the server to pass the security code scan.

One issue in coming up with a solution is to make sure that each of the Java processes is using a unique port. One way to do that is to use $AGENT_ID and pass it to $XAP_COMPONENT_OPTIONS. Perhaps a solution would be better documentation. Is XAP_COMPONENT_OPTIONS going away? We don't document this environment variable.

Activity

Evgeny Fisher
October 14, 2020, 6:40 AM

.NET is not fixed; another Jira issue must be opened for it.

This is an example of a setenv-overrides.sh script for enabling this feature:

export EXT_JAVA_OPTIONS="-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.access.file=/home/evgeny/dev/jmx/jmxremote.access
-Dcom.sun.management.jmxremote.password.file=/home/evgeny/dev/jmx/jmxremote.password"

export GS_JMX_REMOTE_BASE_PORT=8400
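An added example (not from the ticket or the product) of the per-process port scheme suggested in the description, with the checks an auditor would apply to the options above: it derives one JMX port per agent from a base port plus the agent id, builds JVM options with authentication on, and verifies that authentication is not explicitly disabled and that the password file is owner-readable only. The "base + agent id" offset and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket or the product: derive one JMX port
# per agent from a base port and the agent id (the $AGENT_ID approach
# mentioned in the description), build the matching JVM options, and
# check the two settings an audit would look at. The "base + agent id"
# offset and the function names are assumptions.

# Unique JMX port for an agent: base port plus agent id.
jmx_port_for_agent() {
  [ -n "$1" ] && [ -n "$2" ] || return 1
  echo $(( $1 + $2 ))
}

# JVM options that bind JMX to the given port with password auth enabled.
# SSL is left off as in the posted script; access/password files are arguments.
jmx_java_options() {
  port="$1" access_file="$2" password_file="$3"
  opts="-Dcom.sun.management.jmxremote.port=$port"
  opts="$opts -Dcom.sun.management.jmxremote.authenticate=true"
  opts="$opts -Dcom.sun.management.jmxremote.ssl=false"
  opts="$opts -Dcom.sun.management.jmxremote.access.file=$access_file"
  opts="$opts -Dcom.sun.management.jmxremote.password.file=$password_file"
  printf '%s\n' "$opts"
}

# Return 0 (true) when an options string explicitly disables JMX
# authentication, which is the condition behind the audit finding.
jmx_options_unauthenticated() {
  case "$1" in
    *jmxremote.authenticate=false*) return 0 ;;
    *) return 1 ;;
  esac
}

# The JVM refuses to start if the password file is readable by group or
# others; return 0 when permissions are owner-only (e.g. mode 600).
jmx_password_file_ok() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage sketch: with GS_JMX_REMOTE_BASE_PORT=8400 and AGENT_ID=2 the
# process would get port 8402:
#   jmx_java_options "$(jmx_port_for_agent "$GS_JMX_REMOTE_BASE_PORT" "$AGENT_ID")" \
#     /path/to/jmxremote.access /path/to/jmxremote.password
```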

Evgeny Fisher
October 19, 2020, 12:36 PM

Which customer needs this fix as part of .NET? How many of these 7 tickets are .NET?

Dixson Huie
October 19, 2020, 12:48 PM

12818 and FD 5206 are .NET. I have sent you an email.

Dixson Huie
October 20, 2020, 5:49 PM

I’ve opened for this.

Dixson Huie
6 days ago

Customer configured the following System properties:

export GS_MANAGER_OPTIONS="-Dcom.gs.ui.metrics.db.retention.delay-duration=PT20S -Dcom.gs.ui.metrics.db.retention.batch-size=500000"

But it still led to an increase in the metricsdb size.

Assignee

Evgeny Fisher

Reporter

Dixson Huie

Labels

Priority

Medium

SalesForce Case ID

12736,12818,12819,12841,12756,12853, FD5206

Fix versions

Commitment Version/s

None

Due date

None

Product

None

Edition

Open Source

Platform

All