Block the incoming traffic for the non-authenticated port of IBM AD Zookeeper

In the following section, you can find all the necessary information on how to configure the firewall on both Windows and Linux® to restrict incoming traffic on the IBM AD ZooKeeper port that is not running in authenticated mode.

The IBM AD ZooKeeper server used by IBM Application Discovery and Delivery Intelligence (IBM ADDI) and IBM Application Discovery (IBM AD) can run in non-authenticated mode or in mixed mode. For more information, see Setting up IBM AD ZooKeeper to run in Mixed Mode.

When IBM AD ZooKeeper is configured in mixed mode, it still accepts non-authenticated requests. You can filter out such requests when they come from outside the machine where IBM AD ZooKeeper runs.

The following procedures describe, for each operating system, how to close the IBM AD ZooKeeper non-authenticated port.

How to close the IBM AD ZooKeeper non-authenticated port on Windows 10

Note: The following instructions apply to the Windows 10 distribution and to the default Windows Defender Firewall. If you use another firewall, the same major steps apply.
To close the IBM AD ZooKeeper non-authenticated port, perform the following steps:
  1. On the Windows taskbar, click Start > Control Panel > System and Security > Windows Defender Firewall.
  2. Click Advanced Settings.
  3. Make sure that Windows Defender Firewall is on.
  4. In the Windows Firewall with Advanced Security window, click Inbound Rules > New Rule.
    Note: Inbound rules handle the requests that come from other machines.
  5. On the Rule Type page, click Port and then click Next.
  6. On the Protocol and Ports page, click Specific local ports and then type port number 2181, which IBM AD ZooKeeper uses for non-authenticated communication.
  7. Click Next.
  8. On the Action page, click Block the connection and then click Next.
  9. On the Profile page, select all profiles and click Next.
  10. On the Name page, type a name for the rule and click Finish.

    Example: Block ZK 2181 port

  11. In the Windows Firewall with Advanced Security window, click Inbound Rules > New Rule.
    Note: Inbound rules handle the requests that come from other machines.
  12. On the Rule Type page, click Port and then click Next.
  13. On the Protocol and Ports page, click Specific local ports and then type port number 2281, which IBM AD ZooKeeper uses for TLS communication.
  14. Click Next.
  15. On the Action page, click Allow the connection and then click Next.
  16. On the Profile page, select all profiles and click Next.
  17. On the Name page, type a name for the rule and click Finish.

    Example: Allow ZK 2281 port

  18. After the IBM AD ZooKeeper non-authenticated port is closed, check the TCP Port Requirements and Firewall Exceptions page: for IBM AD to run correctly, you must also open the ports of all other components.

How to enable IBM AD ZooKeeper to run in authenticated mode (TLS enabled) on Linux Ubuntu 18.04

Note:
  • The following instructions apply to the Linux Ubuntu 18.04 distribution. The same procedure applies when using another Linux OS where IBM ADDI or IBM AD is installed.
  • The Uncomplicated Firewall (UFW) interface is used to simplify the process of configuring a firewall. By default, UFW is installed on Linux Ubuntu. If it has been uninstalled, you can reinstall it by using the sudo apt install ufw command.

By default, UFW blocks all incoming traffic. You need to enable the firewall and allow incoming traffic to port 2281 (the default port for IBM AD ZooKeeper TLS communication). All other ports remain blocked for incoming traffic; if another port must be opened, define a new firewall rule for it.

To enable the firewall and allow incoming traffic to port 2281, perform the following steps:
  1. Check the UFW status by using the sudo ufw status verbose command.
  2. If the firewall is disabled, enable it by using the sudo ufw enable command.
  3. Make sure that the firewall is enabled by using the sudo ufw status verbose command.
  4. Assuming that IBM AD ZooKeeper uses port 2281 for TLS communication, allow it through the firewall by using the sudo ufw allow 2281 command.
  5. Check the UFW status by using the sudo ufw status verbose command.
    Note: As a result, two new rules are displayed: one for IPv4 and one for IPv6.
  6. After IBM AD ZooKeeper runs in authenticated mode, check the TCP Port Requirements and Firewall Exceptions page: for IBM AD to run correctly, you must also open the ports of all other components.
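The Linux procedure above as a script, added here as an example that is not part of the IBM documentation or product: apply_zk_firewall issues the UFW commands from steps 2 to 4 (DRY_RUN=1 prints them instead of running them), and check_zk_firewall verifies a `ufw status verbose` dump as step 5 asks, additionally confirming that no rule allows the non-authenticated port. It assumes UFW and the page's port numbers 2281 (TLS) and 2181 (non-authenticated); the sample status output is constructed.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation or product.
# Assumes UFW, TLS port 2281 and non-authenticated port 2181 (the page's values).
ZK_TLS_PORT=2281
ZK_PLAIN_PORT=2181

# Apply the posture from the procedure. DRY_RUN=1 prints the commands instead.
# `allow 2281/tcp` is tighter than the page's `allow 2281`, which also opens UDP.
apply_zk_firewall() {
    run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }
    run sudo ufw default deny incoming
    run sudo ufw allow "$ZK_TLS_PORT/tcp"
    run sudo ufw --force enable
}

# Verify a `ufw status verbose` dump read from stdin. Returns 0 only when the
# firewall is active, incoming traffic is denied by default, the TLS port is
# allowed, and no rule allows the non-authenticated port.
check_zk_firewall() {
    status="$(cat)"
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "firewall is not active"; return 1; }
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' \
        || { echo "default incoming policy is not deny"; return 1; }
    printf '%s\n' "$status" | grep -Eq "^${ZK_TLS_PORT}(/tcp)?[[:space:]]+ALLOW IN" \
        || { echo "port $ZK_TLS_PORT is not allowed"; return 1; }
    if printf '%s\n' "$status" | grep -Eq "^${ZK_PLAIN_PORT}(/tcp)?[[:space:]]+ALLOW"; then
        echo "non-authenticated port $ZK_PLAIN_PORT is allowed"; return 1
    fi
    echo "ZooKeeper firewall posture OK"
}

# Constructed sample of `sudo ufw status verbose` output after step 5 above.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
2281/tcp                   ALLOW IN    Anywhere
2281/tcp (v6)              ALLOW IN    Anywhere (v6)'

case "${1:-}" in
    --apply) apply_zk_firewall ;;
    --check) sudo ufw status verbose | check_zk_firewall ;;
    --demo)  printf '%s\n' "$SAMPLE_STATUS" | check_zk_firewall ;;
esac
```

Run it with --demo to check the constructed sample, --apply on the ZooKeeper host to issue the UFW commands, and --check afterwards to verify the live firewall state.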