Looking for a way to disable non-secure XCOM TCP ports 8044 & 8046 on Linux and UNIX e.g. AIX.
Found the following KB for Windows: Disable non-secure XCOM for Windows listener port 8044
We don't use XCOM GUI due to the Java requirement.
Is there a way to disable this by editing the global parameter files (GLB, CNF)?
Release : 11.6
Component : XCOM Data Transport for Linux PC, XCOM Data Transport for UNIX
For Unix/Linux it is actually not possible to use the XCOM GUI to control the listener port enablement because the "Choose Listeners" drop-down option is disabled.
That is because on Windows those Listener settings are stored in the Windows registry.
On Unix/Linux the internet service daemon (inetd or xinetd) controls the XCOM listener port availability; see the documentation page "Remote Session Control Parameters".
EXAMPLES
1. XCOM for AIX
Per above doc. page, file /etc/inetd.conf has these lines added at XCOM install time:
txpi stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0
txpis stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL
txpi6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 NONE IPV6
txpis6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL IPV6
For the default 4 listeners for ipv4 (non-secure 8044 & secure 8045) and ipv6 (non-secure 8046 and secure 8047) netstat output shows:
# netstat -na | grep 804 | grep LISTEN
tcp4 0 0 *.8044 *.* LISTEN
tcp4 0 0 *.8045 *.* LISTEN
tcp 0 0 *.8046 *.* LISTEN
tcp 0 0 *.8047 *.* LISTEN
To disable the non-secure ipv4 listener (port 8044) & ipv6 listener (port 8046) comment out the txpi and txpi6 lines in the file /etc/inetd.conf i.e.
#txpi stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0
txpis stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL
#txpi6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 NONE IPV6
txpis6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL IPV6
Then refresh the running inetd process by using command:
# refresh -s inetd
0513-095 The request for subsystem refresh was completed successfully.
The same netstat command then shows that only the 2 secure listeners for ipv4 (port 8045) and ipv6 (port 8047) are running:
# netstat -na | grep 804 | grep LISTEN
tcp4 0 0 *.8045 *.* LISTEN
tcp 0 0 *.8047 *.* LISTEN
2. XCOM for Linux e.g. RHEL 7.x
Per above doc page, directory /etc/xinetd.d/ contains symbolic links to the 4 XCOM txpi files txpi, txpis, txpi6, txpis6 i.e.
lrwxrwxrwx 1 root root 22 Oct 13 18:03 txpi -> /opt/CA/XCOM/txpi/txpi
lrwxrwxrwx 1 root root 23 Oct 13 18:03 txpi6 -> /opt/CA/XCOM/txpi/txpi6
lrwxrwxrwx 1 root root 23 Oct 13 18:03 txpis -> /opt/CA/XCOM/txpi/txpis
lrwxrwxrwx 1 root root 24 Oct 13 18:03 txpis6 -> /opt/CA/XCOM/txpi/txpis6
For the default 4 listeners for ipv4 (non-secure 8044 & secure 8045) and ipv6 (non-secure 8046 and secure 8047) netstat output shows:
# netstat -na | grep 804 | grep LISTEN
tcp 0 0 0.0.0.0:8044 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8045 0.0.0.0:* LISTEN
tcp6 0 0 :::8046 :::* LISTEN
tcp6 0 0 :::8047 :::* LISTEN
To disable the non-secure ipv4 listener (port 8044) & ipv6 listener (port 8046):
a. In directory /opt/CA/XCOM/txpi, back up the existing txpi & txpi6 files:
cp -p txpi txpi_bak
cp -p txpi6 txpi6_bak
b. Edit txpi and txpi6:
CHANGE: disable = no
TO: disable = yes
c. Restart the xinetd service:
# systemctl restart xinetd
The same netstat command then shows that only the 2 secure listeners for ipv4 (port 8045) and ipv6 (port 8047) are running:
# netstat -na | grep 804 | grep LISTEN
tcp 0 0 0.0.0.0:8045 0.0.0.0:* LISTEN
tcp6 0 0 :::8047 :::* LISTEN
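The checks from both procedures as a script, added here as an example and not part of the vendor KB: it flags active xcomtcp entries without SSL in an inetd.conf, tests whether an xinetd service file is still enabled, and matches ports 8044/8046 exactly in netstat output instead of using grep 804. The function names, the scratch directory and the body of the sample xinetd files are assumptions; only the disable line and the inetd.conf entries come from this page.

```shell
#!/bin/sh
# Added example (not vendor code). Sample inputs are constructed; the xinetd
# file body is an assumption, the page only shows its "disable" line.

# inetd.conf: print names of active xcomtcp services started without SSL.
inetd_nonsecure() {
    awk '!/^[ \t]*#/ && /xcomtcp/ {
             ssl = 0
             for (i = 8; i <= NF; i++) if ($i == "SSL") ssl = 1
             if (!ssl) print $1
         }' "$1"
}

# xinetd service file: exit 0 if the service is still enabled
# (no "disable = yes"), exit 1 if it is disabled.
xinetd_enabled() {
    awk -F= '!/^[ \t]*#/ && $1 ~ /^[ \t]*disable[ \t]*$/ {
                 v = $2; gsub(/[ \t]/, "", v)
             }
             END { exit (v == "yes" ? 1 : 0) }' "$1"
}

# netstat -na on stdin: print 8044/8046 if in LISTEN state. Matches the exact
# port in both AIX ("*.8044") and Linux ("0.0.0.0:8044", ":::8046") layouts.
listening_nonsecure() {
    awk '/LISTEN/ { n = split($4, a, "[.:]")
                    if (a[n] == 8044 || a[n] == 8046) print a[n] }'
}

# --- constructed sample data, written to a scratch directory ---
DEMO=$(mktemp -d)
cat > "$DEMO/inetd.conf" <<'EOF'
#txpi stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0
txpis stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL
txpi6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 NONE IPV6
txpis6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL IPV6
EOF
printf 'service txpi\n{\n\tdisable = yes\n}\n' > "$DEMO/txpi"
printf 'service txpi6\n{\n\tdisable = no\n}\n' > "$DEMO/txpi6"
NETSTAT='tcp 0 0 0.0.0.0:8045 0.0.0.0:* LISTEN
tcp6 0 0 :::8046 :::* LISTEN
tcp 0 0 0.0.0.0:18044 0.0.0.0:* LISTEN'

echo "inetd still non-secure: $(inetd_nonsecure "$DEMO/inetd.conf")"
for f in txpi txpi6; do
    if xinetd_enabled "$DEMO/$f"; then echo "xinetd $f still enabled"; fi
done
echo "listening non-secure ports: $(printf '%s\n' "$NETSTAT" | listening_nonsecure)"
```

On a real host, pass /etc/inetd.conf or the files under /opt/CA/XCOM/txpi to the first two functions and pipe netstat -na into the third; empty output from all three means only the SSL listeners remain.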