Firewall rules may cause Application Server startup failures.
If you have a personal firewall installed, you may experience this problem.
The presence of strict firewall rules on the same machine as an Application Server installation
may cause startup failures of the Admin Server and App Server instances. Specifically,
the Admin Server and App Server instances attempt to establish local connections
within the Application Server environment. Since these connection attempts access
ports using the host name of the system rather than localhost, local firewall
rules may block such attempts.
The local firewall may also inadvertently generate alerts saying that
either the “Portal of Doom Trojan” attack (for example, TCP connection
attempts on port 3700) or similar attacks have occurred when, in fact, such
access attempts have been made by the Application Server and are in no way a security
threat to your machine. Under some conditions, the port number which the Application Server uses
for various local communications may overlap with port numbers used in known
popular attacks. Some symptoms of this problem:
Solution
Modify the firewall policy to allow the Application Server to make connection
attempts to ports on the local system.
To avoid inaccurate alerts concerning possible attacks, either modify
the relevant rules or change the conflicting port number(s) used by the Application Server.
To determine the port numbers used by the Admin Server and App Server
instances, see the server.xml file in the following locations
of your Application Server installation:
domain_config_dir/domain1/admin-server/config/server.xml
domain_config_dir/domain1/server1/config/server.xml
where domain_config_dir is the location of
your initial server configuration. For example:
Solaris 9 integrated install: /var/appserver/domains/...
Solaris 8, 9 unbundled install: /var/opt/SUNWappserver7/domains/...
Look for the port settings in the <iiop-listener>
and <jms-service> elements. You can either change these
port numbers to other unused port numbers, or you can modify your firewall
policy to allow connection attempts from clients on the local machine to these
port numbers on the same machine.
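The following script is an added diagnostic example, not part of the release note or of the Application Server product. It reads the port attributes from the <iiop-listener> and <jms-service> elements of a server.xml file and then tries a plain TCP connection to each port twice: once via localhost and once via the system host name, which is the address the server instances themselves use. A port that answers on localhost but not on the host name is the pattern this note describes. The embedded server.xml is a constructed sample modelled on the element names above; the use of a port attribute on both elements is an assumption, so adjust the attribute names if your file differs.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not copied from a real installation).
# The "port" attribute on <iiop-listener> and <jms-service> is an assumption.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server name="server1">
  <iiop-service>
    <iiop-listener id="orb-listener-1" address="0.0.0.0" port="3700" enabled="true"/>
  </iiop-service>
  <jms-service port="7676" enabled="true"/>
</server>
"""


def local_ports(server_xml_text):
    """Return {element_name: [ports]} for the iiop-listener and jms-service elements."""
    root = ET.fromstring(server_xml_text)
    ports = {}
    for tag in ("iiop-listener", "jms-service"):
        ports[tag] = [int(el.get("port")) for el in root.iter(tag) if el.get("port")]
    return ports


def load_server_xml(path):
    """Read a server.xml from disk, e.g. domain_config_dir/domain1/server1/config/server.xml."""
    with open(path, encoding="utf-8") as f:
        return f.read()


def can_connect(host, port, timeout=2.0):
    """Attempt a TCP connect. A refused connection returns False at once; a
    connection silently dropped by a firewall returns False after the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(server_xml_text, timeout=2.0):
    """For every configured port, compare reachability via 'localhost' with
    reachability via the system host name. Run this while the server is up."""
    hostname = socket.gethostname()
    report = []
    for tag, ports in local_ports(server_xml_text).items():
        for port in ports:
            via_localhost = can_connect("localhost", port, timeout)
            via_hostname = can_connect(hostname, port, timeout)
            report.append((tag, port, via_localhost, via_hostname))
    return report


if __name__ == "__main__":
    # With a running server, replace SAMPLE_SERVER_XML by load_server_xml(<path>).
    for tag, port, lh, hn in diagnose(SAMPLE_SERVER_XML):
        verdict = "blocked for host-name connections" if lh and not hn else "consistent"
        print(f"{tag} port {port}: localhost={lh} {socket.gethostname()}={hn} -> {verdict}")
```

If the report shows a port reachable via localhost but not via the host name, the local firewall policy is the first place to look; allowing local clients to reach that port, or moving the listener to an unused port as the note suggests, resolves both the startup failure and the spurious alerts.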