Disabling JMX listener ports for vCenter Server (Windows)

Article ID: 336228

Products

VMware vCenter Server

Issue/Introduction

This article provides the steps to disable the JMX listener ports on some vCenter Server and Platform Services Controller components. This is to address the security vulnerability defined in CVE-2016-3427.

The following steps are applicable only to vCenter Server 6.0 (Embedded or External PSC).



Environment

VMware vCenter Server 6.0.x

Resolution

Disabling JMX port Manually on Single Sign-On

  1. Log in to the Platform Services Controller Windows host.
  2. Run the following command to verify that the JMX port is enabled:
    netstat -apn tcp | findstr 6969
    An output similar to the following is displayed:
    C:\Users\Administrator>netstat -apn tcp | findstr 6969
    TCP 127.0.0.1:6969 0.0.0.0:0 LISTENING

  3. Take a backup of the catalina.properties file installed by vmware-sts. The following is the default location of the catalina.properties file:
    C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\conf\catalina.properties
  4. Open and edit the catalina.properties file using a text editor.
  5. Search the following configuration line:
    base.jmx.port=6969
  6. Replace 6969 with -1 so that the configuration line reads:
    base.jmx.port=-1
  7. Save the file and close the editor.
  8. To restart the VMware Security Token Service, perform the following steps:
    1. Click Start, click in the Start Search box.
    2. Type services.msc, press ENTER.
    3. Select VMware Security Token Service and click Restart.
    4. Select Yes on the Restart Other Services prompt.
  9. Run the following command to verify that all the services restarted successfully and that the JMX port is now disabled:
    netstat -apn tcp | findstr 6969
    Note: This should not show any listening ports on 6969.

Disabling JMX port Manually on VDCS

  1. Log in to the vCenter Server Windows host.
  2. Take a backup of the catalina.properties file installed by vmware-vdcs. The following is the default location of the catalina.properties file:
    C:\Program Files\VMware\vCenter Server\vdcs\vdcserver\conf\catalina.properties
  3. Open and edit the catalina.properties file using a text editor.
  4. Search for the following configuration line and note the port number configured on it:
    base.jmx.port=
    Note: The port configured on this line is the one to check with netstat; the default port number is 51058.
  5. Run the following command to verify that JMX port is enabled:
    netstat -apn tcp | findstr 51058
    An output similar to the following is displayed:
    C:\Users\Administrator>netstat -apn tcp | findstr 51058
    TCP 127.0.0.1:51058 0.0.0.0:0 LISTENING

  6. Replace 51058 (or the port configured on that line) with -1 so that the configuration line reads:
    base.jmx.port=-1
  7. Save the file and close the editor.
  8. To restart the VDCS Service, perform the following steps:
    1. Click Start, click in the Start Search box.
    2. Type services.msc, press ENTER.
    3. Select VMware Content Library Service and click Restart.
    4. Select Yes on the Restart Other Services prompt.
  9. Run the following command to verify that all the services restarted successfully and that the JMX port is now disabled:
    netstat -apn tcp | findstr 51058
    Note: This should not show any listening ports on 51058. Port 51058 is the port number mentioned in catalina.properties against base.jmx.port.

Disabling JMX port Manually on vCenter Server (Perfchart)

  1. Log in to the Windows vCenter Server host using Remote Desktop (mstsc).
  2. Run the following command to verify that JMX port is enabled:
    netstat -apn tcp | findstr 6070
    An output similar to the following is displayed:
    C:\Users\Administrator>netstat -apn tcp | findstr 6070
    TCP 127.0.0.1:6070 0.0.0.0:0 LISTENING

  3. Take a backup of the catalina.properties file installed by vmware-perfchart. The following is the default location of the catalina.properties file:
    C:\ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\conf\catalina.properties
  4. Open and edit the catalina.properties file using a text editor.
  5. Search for the following configuration line and note the port number configured on it:
    base.jmx.port=
    Note: The port configured on this line is the one to check with netstat; the default port number is 6070.
  6. Replace 6070 (or the port configured on that line) with -1 so that the configuration line reads:
    base.jmx.port=-1
  7. Save the file and close the editor.
  8. To restart the VMware Perfchart Service, perform the following steps:
    1. Click Start, click in the Start Search box.
    2. Type services.msc, press ENTER.
    3. Select VMware Perfchart Service and click Restart.
    4. Select Yes on the Restart Other Services prompt.
  9. Run the following command to verify that all the services restarted successfully and that the JMX port is now disabled:
    netstat -apn tcp | findstr 6070
    Note: This should not show any listening ports on 6070.

Disabling JMX port on Windows Using Python Script

  1. Log in to the vCenter Server/Platform Services Controller Windows host.
  2. Download the DisableJMX.py script file attached to the KB article to the following location:
    C:\DisableJMX.py
  3. Run the DisableJMX.py script, passing the path of the catalina.properties file as an argument.
    Note: Make sure you use the Python binary shipped with VMware vCenter Server: open a command prompt in C:\Program Files\VMware\vCenter Server\python\ and run python.exe from there.
    For example:
    python.exe C:\DisableJMX.py C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\conf\catalina.properties

    The default catalina.properties paths for the components are:
    VMware Security Token Service:
    C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\conf\catalina.properties
    Note: After running the script you need to manually restart STS service.

    VMware Perfcharts:
    C:\ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\conf\catalina.properties
    Note: After running the script you need to manually restart perfcharts service.
    VMware VDCS:
    C:\Program Files\VMware\vCenter Server\vdcs\vdcserver\conf\catalina.properties
    Note: After running the script you need to manually restart Content Library service.

  4. Check whether the DisableJMX.py script restarted the services; if it did not, restart them manually as noted above.
  5. Run the following commands to verify that the JMX ports are disabled:
    netstat -apn tcp | findstr 6969
    Note: This should not show any listening ports on 6969.
    netstat -apn tcp | findstr 6070
    Note: This should not show any listening ports on 6070.
    netstat -apn tcp | findstr 51058
    Note: This should not show any listening ports on 51058.

Attachments

DisableJMX.zip