Block the incoming traffic for the non-authenticated port of IBM AD Zookeeper
In the following section, you can find all the necessary information on how to configure the firewall on both Windows and Linux® to restrict incoming traffic on the IBM AD ZooKeeper port that does not run in authenticated mode.
The IBM AD ZooKeeper server used by IBM Application Discovery and Delivery Intelligence (IBM ADDI) and IBM Application Discovery (IBM AD) can run in non-authenticated mode or in mixed mode. For more information, see Setting up IBM AD ZooKeeper to run in Mixed Mode.
When IBM AD ZooKeeper is configured in mixed mode, it still accepts non-authenticated requests. You can filter out those requests when they come from outside the machine where IBM AD ZooKeeper is running.
The following procedures describe how to close the IBM AD ZooKeeper non-authenticated port on each operating system.
How to close the IBM AD ZooKeeper non-authenticated port on Windows 10
- On the Windows taskbar, click .
- Click Advanced Settings.
- Make sure that Windows Defender Firewall is on.
- In the Windows Firewall with Advanced Security window, click .
Note: Inbound rules handle the requests that come from other machines.
- On the Rule Type page, click Port and then click Next.
- On the Protocol and Ports page, click Specific local ports and then type port number 2181, which IBM AD ZooKeeper uses for non-authenticated communication.
- Click Next.
- On the Action page, click Block the connection and then click Next.
- On the Profile page, select all profiles and click Next.
- On the Name page, type a name for the rule and click Finish.
Example: Block ZK 2181 port
- In the Windows Firewall with Advanced Security window, click .
Note: Inbound rules handle the requests that come from other machines.
- On the Rule Type page, click Port and then click Next.
- On the Protocol and Ports page, click Specific local ports and then type port number 2281, which IBM AD ZooKeeper uses for TLS communication.
- Click Next.
- On the Action page, click Allow the connection and then click Next.
- On the Profile page, select all profiles and click Next.
- On the Name page, type a name for the rule and click Finish.
Example: Allow ZK 2281 port
- Once the IBM AD ZooKeeper non-authenticated port is closed, make sure to check the TCP Port Requirements and Firewall Exceptions page. For IBM AD to run correctly, you must also allow inbound traffic on the ports of all other components.
How to enable IBM AD ZooKeeper to run in authenticated mode (TLS enabled) on Linux Ubuntu 18.04
- The following instructions apply to the Linux Ubuntu 18.04 distribution. The same procedure applies to other Linux distributions where IBM ADDI or IBM AD is installed.
- The Uncomplicated Firewall (UFW) interface is used to simplify the process of configuring a firewall. By default, UFW is installed on Linux Ubuntu. If it has been uninstalled for some reason, you can install it by using the sudo apt install ufw command.
By default, the Linux firewall blocks all incoming traffic. You need to enable the firewall and allow incoming traffic on port 2281 (the default port for TLS communication with IBM AD ZooKeeper). All other ports remain blocked for incoming traffic. If another port must be opened, define a new rule on the firewall.
- Check the UFW status by using the sudo ufw status verbose command.
- If the firewall is disabled, enable it by using the sudo ufw enable command.
- Make sure that the firewall is enabled by using the sudo ufw status verbose command.
- Assuming that port 2281 is used by IBM AD ZooKeeper for TLS communication, add it to the firewall by using the sudo ufw allow 2281 command.
- Check the UFW status by using the sudo ufw status verbose command.
Note: As a result, two new rules are displayed: one for IPv4 and one for IPv6.
- Once IBM AD ZooKeeper runs in authenticated mode, make sure to check the TCP Port Requirements and Firewall Exceptions page. For IBM AD to run correctly, you must also allow inbound traffic on the ports of all other components.
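The UFW steps above can be scripted and, more importantly, verified after the fact: a firewall that is active but has an unexpected ALLOW rule for port 2181 still exposes the non-authenticated ZooKeeper listener to other hosts. The script below is an added example and is not part of the IBM documentation. It assumes the port numbers used on this page (2281 for TLS, 2181 non-authenticated), restricts the allow rule to TCP (the page's sudo ufw allow 2281 opens both protocols), and checks the text of sudo ufw status verbose for the expected state. The two status outputs embedded in it are constructed for offline testing, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): script the UFW procedure
# above and verify the result by reading `ufw status verbose`.
# Assumes: IBM AD ZooKeeper TLS on 2281 (allow), non-authenticated on 2181 (block).
set -eu

ZK_TLS_PORT=2281     # TLS port, must be reachable from other hosts
ZK_PLAIN_PORT=2181   # non-authenticated port, must stay blocked

# Read `ufw status verbose` text on stdin; succeed if the port has an
# "ALLOW IN" rule. Matches "2281" and "2281/tcp", IPv4 rows and "(v6)" rows.
port_allowed_in() {
    grep -Eq "^${1}(/tcp)?([[:space:]]+\(v6\))?[[:space:]]+ALLOW IN"
}

# Read `ufw status verbose` text on stdin; succeed only when the firewall is
# active, the default inbound policy is deny, 2281 is allowed and 2181 is not.
verify_status() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "firewall is not active" >&2; return 1; }
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' \
        || { echo "default inbound policy is not deny" >&2; return 1; }
    printf '%s\n' "$status" | port_allowed_in "$ZK_TLS_PORT" \
        || { echo "no ALLOW IN rule for port $ZK_TLS_PORT" >&2; return 1; }
    if printf '%s\n' "$status" | port_allowed_in "$ZK_PLAIN_PORT"; then
        echo "port $ZK_PLAIN_PORT is allowed in: non-authenticated ZooKeeper is reachable" >&2
        return 1
    fi
    return 0
}

# Apply the policy from the procedure above, then verify it on the live host.
# Only runs when the script is invoked with the "apply" argument.
apply_policy() {
    sudo ufw default deny incoming
    sudo ufw allow "${ZK_TLS_PORT}/tcp"
    sudo ufw --force enable
    sudo ufw status verbose | verify_status
}

# Constructed sample outputs for offline checks (not captured from a real host).
GOOD_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
2281/tcp                   ALLOW IN    Anywhere
2281/tcp (v6)              ALLOW IN    Anywhere (v6)'

BAD_STATUS='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
2181                       ALLOW IN    Anywhere
2281/tcp                   ALLOW IN    Anywhere'

# Succeeds when verify_status accepts GOOD_STATUS and rejects BAD_STATUS.
selfcheck() {
    printf '%s\n' "$GOOD_STATUS" | verify_status 2>/dev/null || return 1
    if printf '%s\n' "$BAD_STATUS" | verify_status 2>/dev/null; then return 1; fi
    return 0
}

if [ "${1:-}" = "apply" ]; then
    apply_policy
fi
```

Run it as sh zk-ufw.sh apply on the ZooKeeper host to apply and verify in one step; without the argument it only defines the functions, so sudo ufw status verbose | sh -c '. ./zk-ufw.sh; verify_status' can be used as a standalone audit after someone else has changed the rules.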