Firewall and the GUI

If firewall protection is enabled on your ACSLS server, it will impact remote user access to the ACSLS GUI unless an explicit policy is configured with the firewall software.

On Solaris

Consult the man pages for ipf and ipfilter. The ipfilter firewall is enabled (or disabled) by root using the following command:
svcadm enable ipfilter (svcadm disable ipfilter)
  • To learn the current status of ipfilter:
    svcs ipfilter

Firewall policies can be defined in the file /etc/ipf/ipf.conf. To allow free communication between components on the local host (such as between ACSLS and WebLogic), include a statement like one of the examples below:

pass in quick from 127.0.0.1 to 127.0.0.1, or 
pass in quick from 127.0.0.1 to all
  • To provide a policy allowing remote Web-based browsers to access the ACSLS GUI, you must open up ports 7001 and 7002.

    pass in quick from any to any port = 7001 
    pass in quick from any to any port = 7002

For ACSLS ACSAPI clients, you must discover which ports are in use by ACSLS. Use the following command from your UNIX shell:

rpcinfo -p | egrep "300031 | 536871166"

The port IDs are listed in the last field of the display. You must add 'pass in quick' statements for each of these. It is also necessary to include a 'pass in quick' statement for the RPC portmapper port, 111.

For further firewall information for ACSLS, see Firewall Security Option.

The last statement in your proposed rule set, block in from any, assumes that no traffic should reach the host unless specifically allowed in previous statements.

On Linux

Consult the man pages for iptables. The iptables firewall is enabled (or disabled) by user root, using the following command:
service iptables start (service iptables stop)
  • To check the status of iptables:
    service iptables status

The policy file for iptables is /etc/sysconfig/iptables. To include a policy that allows remote http/https access to the ACSLS GUI, you should update that file to include exceptions for ports 7001 and 7002, using statements like the example below:

-A INPUT -p tcp --dport 7001 -j ACCEPT
-A INPUT -p tcp --dport 7002 -j ACCEPT

For more information on iptables, see Verifying the GUI is Operational.

For ACSLS ACSAPI clients, you must discover which ports are in use by ACSLS. Use the following command from your Linux shell:
rpcinfo -p | egrep "300031 | 536871166"

The port IDs are listed in the last field of the display. You must add exceptions for each of these ports in your iptables policy. It is also necessary to provide an exception statement for the RPC portmapper port, 111.
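
The discovery step above, scripted as an added example (not Oracle's or the page's own code): it parses `rpcinfo -p` output and prints the matching iptables policy lines for the GUI ports, the portmapper and the ACSAPI ports. The function names, the sample output and the optional source-network argument are constructed; that argument is an assumption that limits who may connect, where the page's rules accept from any address.

```shell
#!/bin/sh
# Added example: derive iptables exceptions for ACSLS from `rpcinfo -p`.
# Program numbers 300031 and 536871166 and ports 7001, 7002 and 111 come
# from the page; 100000 is the standard portmapper program number.
# Function names, the source-network argument and the sample are constructed.

# stdin: `rpcinfo -p` output. stdout: unique "proto port" pairs for the
# portmapper and the two ACSLS RPC programs. Column 3 is the protocol and
# column 4 the port (the last field when no service name is registered).
acsls_rpc_ports() {
    awk '($1 == "100000" || $1 == "300031" || $1 == "536871166") &&
         ($3 == "tcp" || $3 == "udp") && $4 ~ /^[0-9]+$/ {
             key = $3 " " $4
             if (!(key in seen)) { seen[key] = 1; print key }
         }'
}

# stdin: `rpcinfo -p` output. $1 (optional): source network allowed to
# connect; when omitted the rules accept from any address, as on the page.
# stdout: lines for /etc/sysconfig/iptables.
acsls_iptables_rules() {
    src=${1:+"-s $1 "}
    { echo "tcp 7001"; echo "tcp 7002"; acsls_rpc_ports; } |
    while read -r proto port; do
        echo "-A INPUT ${src}-p $proto --dport $port -j ACCEPT"
    done
}

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    300031    2   tcp  50003
    300031    1   tcp  50003
 536871166    2   tcp  50004
    100024    1   udp  32772  status
EOF
}

# On a live server: rpcinfo -p | acsls_iptables_rules 192.0.2.0/24
sample_rpcinfo | acsls_iptables_rules 192.0.2.0/24
```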

For further firewall information for ACSLS, see Firewall Security Option.

Configuring a Self-Assigned Digital Certificate for HTTPS

When you install WebLogic on your ACSLS server, a simple 512-bit public key is automatically available to support basic https exchanges with client browsers. Normally, no further configuration should be necessary. However, some browsers, notably Microsoft Internet Explorer, require a longer key of no less than 1024 bits.

Internet Explorer and Firefox Version 39 and above require a WebLogic set-up procedure for use with https servers that do not employ certificates verified by a third-party digital signing authority.

Refer to "Configuring a Self-Assigned Digital Certificate for HTTPS" in the ACSLS 8.5 Installation Guide for procedures.