Looking for a way to disable non-secure XCOM TCP ports 8044 & 8046 on Linux and UNIX e.g. AIX.
Found the following KB for Windows: Disable non-secure XCOM for Windows listener port 8044
We don't use XCOM GUI due to the Java requirement.
Is there a way to disable this by editing the global parameter files (GLB, CNF)?
XCOM™ Data Transport® for UNIX/Linux PC
For UNIX/Linux it is not possible to use the XCOM GUI to control which listener ports are enabled, because the "Choose Listeners" drop-down option is disabled.
That is because on Windows those Listener settings are stored in the Windows registry.
On UNIX/Linux the internet service daemon (inetd or xinetd) controls the XCOM listener port availability. See the doc page: Remote Session Control Parameters
EXAMPLES
1. XCOM for AIX
Per the above doc page, the file /etc/inetd.conf has these lines added at XCOM install time:
txpi stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0
txpis stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL
txpi6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 NONE IPV6
txpis6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL IPV6
For the default 4 listeners for ipv4 (non-secure 8044 & secure 8045) and ipv6 (non-secure 8046 and secure 8047) netstat output shows:
# netstat -na | grep 804 | grep LISTEN
tcp4 0 0 *.8044 *.* LISTEN
tcp4 0 0 *.8045 *.* LISTEN
tcp 0 0 *.8046 *.* LISTEN
tcp 0 0 *.8047 *.* LISTEN
To disable the non-secure ipv4 listener (port 8044) & ipv6 listener (port 8046) comment out the txpi and txpi6 lines in the file /etc/inetd.conf i.e.
#txpi stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0
txpis stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL
#txpi6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 NONE IPV6
txpis6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL IPV6
Then refresh the running inetd process by using command:
# refresh -s inetd
0513-095 The request for subsystem refresh was completed successfully.
The same netstat command then shows that only the 2 secure listeners for ipv4 (port 8045) and ipv6 (port 8047) are running:
# netstat -na | grep 804 | grep LISTEN
tcp4 0 0 *.8045 *.* LISTEN
tcp 0 0 *.8047 *.* LISTEN
2. XCOM for Linux e.g. RHEL 7.x and higher
Per the above doc page, the directory /etc/xinetd.d/ contains symbolic links to the 4 XCOM txpi files txpi, txpis, txpi6, txpis6 i.e.
lrwxrwxrwx 1 root root 22 Oct 13 18:03 txpi -> /opt/CA/XCOM/txpi/txpi
lrwxrwxrwx 1 root root 23 Oct 13 18:03 txpi6 -> /opt/CA/XCOM/txpi/txpi6
lrwxrwxrwx 1 root root 23 Oct 13 18:03 txpis -> /opt/CA/XCOM/txpi/txpis
lrwxrwxrwx 1 root root 24 Oct 13 18:03 txpis6 -> /opt/CA/XCOM/txpi/txpis6
For the default 4 listeners for ipv4 (non-secure 8044 & secure 8045) and ipv6 (non-secure 8046 and secure 8047) netstat output shows:
# netstat -na | grep 804 | grep LISTEN
tcp 0 0 0.0.0.0:8044 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8045 0.0.0.0:* LISTEN
tcp6 0 0 :::8046 :::* LISTEN
tcp6 0 0 :::8047 :::* LISTEN
To disable the non-secure ipv4 listener (port 8044) & ipv6 listener (port 8046):
a. Back up txpi and txpi6:
cp -p txpi txpi_bak
cp -p txpi6 txpi6_bak
b. Edit txpi and txpi6:
CHANGE: disable = no to: disable = yes
c. Restart the xinetd service:
# systemctl restart xinetd
The same netstat command then shows that only the 2 secure listeners for ipv4 (port 8045) and ipv6 (port 8047) are running:
# netstat -na | grep 804 | grep LISTEN
tcp 0 0 0.0.0.0:8045 0.0.0.0:* LISTEN
tcp6 0 0 :::8047 :::* LISTEN
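The checks from both examples as a repeatable audit. This is an added example, not part of the original article or the XCOM product, and the function names are hypothetical. It assumes a non-secure inetd entry is an active xcomtcp line without the SSL keyword (as in the lines shown above) and that an xinetd service file without an active "disable = yes" is enabled.

```shell
#!/bin/sh
# Added example (not vendor code): audit for non-secure XCOM listeners.

# inetd.conf (AIX): print the service name of every uncommented xcomtcp
# entry whose arguments lack the SSL keyword.
nonsecure_inetd() {
    awk '
        /^[ \t]*#/ { next }                  # commented out = disabled
        $7 == "xcomtcp" {
            ssl = 0
            for (i = 8; i <= NF; i++) if ($i == "SSL") ssl = 1
            if (!ssl) print $1
        }' "$1"
}

# xinetd (Linux): succeed if the service file has no active "disable = yes".
# Assumption: a missing "disable" line means enabled (the xinetd default).
xinetd_enabled() {
    ! awk -F= '
        /^[ \t]*#/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == "disable" && v == "yes" { found = 1 }
        END { exit !found }' "$1"
}

# "netstat -na" output on stdin: print the non-secure XCOM ports (8044, 8046)
# that are in LISTEN state. Compares the exact port, so it handles the AIX
# (*.8044) and Linux (0.0.0.0:8044, :::8046) address formats and does not
# match unrelated ports the way "grep 804" can.
listening_nonsecure() {
    awk '$NF == "LISTEN" {
        n = split($4, a, "[.:]"); p = a[n]
        if (p == "8044" || p == "8046") print p
    }'
}

# Run against the live host only when invoked with the argument "audit".
# Paths are the ones named in the article; no output means nothing was found.
if [ "${1:-}" = "audit" ]; then
    [ -f /etc/inetd.conf ] && nonsecure_inetd /etc/inetd.conf | sed 's/^/inetd enabled: /'
    for f in /etc/xinetd.d/txpi /etc/xinetd.d/txpi6; do
        [ -f "$f" ] && xinetd_enabled "$f" && echo "xinetd enabled: $f"
    done
    netstat -na | listening_nonsecure | sed 's/^/still listening: /'
fi
```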
IMPORTANT NOTE:
XCOM Data Transport for Linux r12.0 has been certified to run on RHEL 9 or SLES 15 SP03.
In order to run XCOM on these operating system levels, you need to install the latest XCOM solution LU11905, which installs the XCOM listener services in SYSTEMD format, since the XINETD system service has been deprecated on these latest operating systems. Also, solutions are cumulative and include all published fixes for XCOM Linux r12.0.