Hi all,

Here is some information from the dCache SRM developer regarding
the new SRM tomcat service.

----------
> Question 1:
>
> Does tomcat need to listen
> on 8005, 8009, 8080 (=webcache) and 5001? Which of these ports should be
> firewalled to prevent external (or internal) access?

Port 8005 is used locally by the shutdown script so it is best not to let 
anyone connect to it.

8080 is http access to tomcat, and since the srm web service uses gsi 
authentication and verification of the user's credential before 
executing any of the requests, it is not a security risk to have it 
open, if you trust tomcat to be secure (it might allow attackers to 
exploit some other known tomcat/axis vulnerabilities).

Port 5001 is used by the SOAPMonitor service.

Port 8009 is used for AJPv13 (Apache JServ Protocol, which has something 
to do with communication between the web server and the servlet container).

In future versions I will modify the installation scripts so that the 
services on ports 8009, 5001 and 8080 are disabled. In case of 
shutdown, the service will be protected by a dynamically generated password 
(see http://marc.theaimsgroup.com/?l=tomcat-user&m=103133645416097&w=2).

> Question 2:
>
> Also, the tomcat process is running as root. Is there any way to run it 
> under a user account?

Yes, root access is needed, since for some operations srm has to get
certain attributes directly from pnfs.

Thanks,
Timur
-----------

So if you install 1.7.0-16 then you should make sure the above ports can't 
be accessed.

It's still not clear to me why things have to run as root in dCache. Maybe 
Owen can comment further.

Cheers,
Greig
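As an added check (example script, not part of the original mail or of dCache) for the advice above that the tomcat ports 8005, 8009, 8080 and 5001 should not be reachable from outside: the function below reads `netstat -tln`-style output and reports any of those ports whose socket is bound to something other than the loopback address. The sample netstat output embedded in the script is constructed for the example; the column layout it assumes (proto, recv-q, send-q, local address, foreign address, state) is the usual `netstat -tln` format.

```shell
#!/bin/sh
# Added example: report tomcat/SRM service ports that are listening on a
# non-loopback address. Not part of the dCache distribution.

# Ports named in the mail: shutdown, AJP, HTTP, SOAPMonitor
TOMCAT_PORTS="8005 8009 8080 5001"

# Reads netstat -tln style lines on stdin and prints "PORT=ADDR" for each
# port in TOMCAT_PORTS that is bound to an address other than 127.0.0.1/::1.
# Handles both "0.0.0.0:8080" and IPv6 ":::8080" local-address forms.
exposed_tomcat_ports() {
    awk -v ports="$TOMCAT_PORTS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # port is the text after the last colon; the rest is the address
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((port in want) && addr != "127.0.0.1" && addr != "::1")
                printf "%s=%s\n", port, addr
        }'
}

# Constructed sample of netstat -tln output (not captured from a real host):
# 8005 is correctly bound to loopback, the other three are wide open.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Usage on the sample; on a live host replace the printf with: netstat -tln
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_tomcat_ports
```

Anything the script prints is a port that the host firewall (or the tomcat connector's bind address) still needs to restrict; port 22 is ignored because it is not one of the tomcat ports under discussion.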