
I have an application deployed on Tomcat version 8.5.63 with Java 1.8. Whenever I deploy the application, Tomcat opens TCP port 1099 for JMX RMI by default, and I am able to connect to it without any authentication from a remote client using the jvisualvm tool. I don't want that port to be opened by default. I have tried changing various JVM arguments based on other solutions on SO, but no luck. Given below is the most recent configuration I have tried.

```
CATALINA_OPTS="-Xms512m -Xmx1024m -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=16105 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.login.config=Tomcat -Djava.security.auth.login.config=$CATALINA_HOME/login.config -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access -Dcom.sun.management.jmxremote.rmi.port=16106"
```

I have specifically set -Dcom.sun.management.jmxremote.rmi.port=16106 to be used for JMX RMI, but I am not able to understand why it is still listening on port 1099. Please advise.

Note: I did see some answers mentioning passing XX:+DisableAttachMechanism as a JVM argument to block JMX. But what if we want to have JMX enabled as well, and the default port (1099) should not be used?

Gaurav Parek
  • How do you start Tomcat? Through the `catalina.sh/startup.sh` scripts or in a different way? – Piotr P. Karwasz Apr 28 '21 at 10:11
  • Using the start script only. – Gaurav Parek Apr 28 '21 at 10:19
  • Then check if any of the scripts contains other `com.sun.management` properties (except those you gave in your question) and whether the default `management.properties` file (in the JRE installation folder) does not provide the port 1099. There is no default port for JMX. – Piotr P. Karwasz Apr 28 '21 at 10:26
  • I checked; there are no properties other than those mentioned in the question. I also verified the management.properties file, and it does not provide 1099. And yes, JMX does not have a default port, but for RMI port 1099 is the default, if I am not wrong. – Gaurav Parek Apr 28 '21 at 10:48
  • By default the RMI port is `0`, i.e. random. You can add `logProps="true"` to the `` in your `server.xml` to check what the actual system property values are when Tomcat starts. – Piotr P. Karwasz Apr 28 '21 at 11:15
  • Possible duplicate of https://stackoverflow.com/questions/65323367/why-tomcat-server-is-accessible-thru-jmxrmi-port-1099 – Christopher Schultz Apr 28 '21 at 21:27
  • @ChristopherSchultz: I did check your answer there, but even when I pass -Dcom.sun.management.jmxremote.rmi.port=16106, port 1099 is still open. I also tried passing XX:+DisableAttachMechanism, but it is still the same issue. Please advise. – Gaurav Parek Apr 29 '21 at 07:04
  • Did you try directing Tomcat to set the port for you? – Christopher Schultz Apr 29 '21 at 19:30
  • So is this question answered yet? I have the same issue. Port 1099 is unauthenticated. It is clearly a security vulnerability. What's the point of defining "-Dcom.sun.management.jmxremote.port" and enabling authentication on it, when you can simply connect on port 1099? 1099 is wide open, which it shouldn't be. – YS_NE Jun 15 '21 at 05:03
  • Correct, even I am still facing the same issue. There is no answer yet for this. – Gaurav Parek Jun 16 '21 at 12:26
  • @GauravParek Did you find any solution for this? I am facing the same issue. – Rahman Jan 21 '22 at 15:10
  • @Yogi_NE Did you find any solution for this? I am facing the same issue. – Rahman Jan 21 '22 at 15:11
  • No, this question is still open. – YS_NE Jan 26 '22 at 16:51
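
A defender-side check for the situation described in this thread, as an added example that is not part of the original question or comments: it compares the ports set through `com.sun.management.jmxremote.*` arguments with the ports the Tomcat process actually listens on, so a listener such as 1099 that no JMX property accounts for stands out. The PID, the `ss -ltnp` sample output and the connector ports 8080/8005 are constructed assumptions.

```python
import shlex

# Constructed sample: JVM arguments as in the question (other options omitted).
CMDLINE = ("java -Dcom.sun.management.jmxremote "
           "-Dcom.sun.management.jmxremote.port=16105 "
           "-Dcom.sun.management.jmxremote.rmi.port=16106 "
           "org.apache.catalina.startup.Bootstrap start")

# Constructed sample of `ss -ltnp` output; PID 4242 is the assumed Tomcat JVM.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
LISTEN 0      100    *:8080             *:*               users:(("java",pid=4242,fd=55))
LISTEN 0      1      [::ffff:127.0.0.1]:8005 *:*          users:(("java",pid=4242,fd=60))
LISTEN 0      50     *:16105            *:*               users:(("java",pid=4242,fd=20))
LISTEN 0      50     *:16106            *:*               users:(("java",pid=4242,fd=21))
LISTEN 0      50     *:1099             *:*               users:(("java",pid=4242,fd=22))
"""

def jmx_properties(cmdline):
    """Return the com.sun.management.jmxremote* properties on a JVM command line."""
    props = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-Dcom.sun.management.jmxremote"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return props

def listening_ports(ss_output, pid):
    """Extract the TCP ports a given PID listens on from `ss -ltnp` output."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        if f"pid={pid}," in " ".join(fields[5:]):
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def unexplained_ports(cmdline, ss_output, pid, known=()):
    """Ports the JVM listens on that neither JMX properties nor `known` explain."""
    props = jmx_properties(cmdline)
    configured = {int(v) for k, v in props.items()
                  if k.endswith(".port") and v.isdigit()}
    return sorted(listening_ports(ss_output, pid) - configured - set(known))

if __name__ == "__main__":
    # 8080 and 8005 are assumed HTTP connector and shutdown ports.
    print(unexplained_ports(CMDLINE, SS_OUTPUT, 4242, known=(8080, 8005)))
```

On a live host, feed in the real `ss -ltnp` output and the JVM's command line (for example from `/proc/<pid>/cmdline` with NUL bytes replaced by spaces) instead of the samples.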

0 Answers