Disable XCOM non-secure listener ports (8044 & 8046) on Linux & UNIX (AIX)

Article ID: 231321

Products

XCOM Data Transport
XCOM Data Transport - Linux PC

Issue/Introduction

Looking for a way to disable non-secure XCOM TCP ports 8044 & 8046 on Linux and UNIX e.g. AIX.
Found the following KB for Windows: Disable non-secure XCOM for Windows listener port 8044
We don't use XCOM GUI due to the Java requirement.
Is there a way to disable this by editing the global parameter files (GLB, CNF)?

Environment

Release : 11.6, 12.0

Component : XCOM Data Transport for Linux PC, XCOM Data Transport for UNIX

Resolution

On Unix/Linux it is not possible to use the XCOM GUI to control which listener ports are enabled, because the "Choose Listeners" drop-down option is disabled there.

The GUI option applies only to Windows, where those listener settings are stored in the Windows registry.
On Unix/Linux the internet service daemon (inetd or xinetd) controls XCOM listener port availability, as described in the documentation page "Remote Session Control Parameters".

EXAMPLES

1. XCOM for AIX
Per the documentation page above, the file /etc/inetd.conf has these lines added at XCOM install time:
txpi stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0
txpis stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL
txpi6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 NONE IPV6
txpis6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL IPV6

For the default 4 listeners for ipv4 (non-secure 8044 & secure 8045) and ipv6 (non-secure 8046 and secure 8047) netstat output shows:
# netstat -na | grep 804 | grep LISTEN
tcp4       0      0  *.8044                 *.*                    LISTEN
tcp4       0      0  *.8045                 *.*                    LISTEN
tcp        0      0  *.8046                 *.*                    LISTEN
tcp        0      0  *.8047                 *.*                    LISTEN

To disable the non-secure ipv4 listener (port 8044) & ipv6 listener (port 8046) comment out the txpi and txpi6 lines in the file /etc/inetd.conf i.e.
#txpi stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0
txpis stream tcp nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL
#txpi6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 NONE IPV6
txpis6 stream tcp6 nowait root /home/CA/XCOM/bin/xcomtcp xcomtcp REMOTE 0 SSL IPV6

Then refresh the running inetd process by using command:
# refresh -s inetd
0513-095 The request for subsystem refresh was completed successfully.

The same netstat command then shows that only the 2 secure listeners for ipv4 (port 8045) and ipv6 (port 8047) are running:
# netstat -na | grep 804 | grep LISTEN
tcp4       0      0  *.8045                 *.*                    LISTEN
tcp        0      0  *.8047                 *.*                    LISTEN


2. XCOM for Linux e.g. RHEL 7.x
Per the documentation page above, the directory /etc/xinetd.d/ contains symbolic links to the 4 XCOM txpi files txpi, txpi6, txpis, txpis6 i.e.
lrwxrwxrwx  1 root root   22 Oct 13 18:03 txpi -> /opt/CA/XCOM/txpi/txpi
lrwxrwxrwx  1 root root   23 Oct 13 18:03 txpi6 -> /opt/CA/XCOM/txpi/txpi6
lrwxrwxrwx  1 root root   23 Oct 13 18:03 txpis -> /opt/CA/XCOM/txpi/txpis
lrwxrwxrwx  1 root root   24 Oct 13 18:03 txpis6 -> /opt/CA/XCOM/txpi/txpis6

For the default 4 listeners for ipv4 (non-secure 8044 & secure 8045) and ipv6 (non-secure 8046 and secure 8047) netstat output shows:
# netstat -na | grep 804 | grep LISTEN
tcp        0      0 0.0.0.0:8044            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8045            0.0.0.0:*               LISTEN
tcp6       0      0 :::8046                 :::*                    LISTEN
tcp6       0      0 :::8047                 :::*                    LISTEN

To disable the non-secure ipv4 listener (port 8044) & ipv6 listener (port 8046):
a. In directory /opt/CA/XCOM/txpi, back up the existing txpi & txpi6 files:
cp -p txpi txpi_bak
cp -p txpi6 txpi6_bak
b. Edit txpi and txpi6:
CHANGE: disable = no
TO: disable = yes

Restart the xinetd service:
# systemctl restart xinetd

The same netstat command then shows that only the 2 secure listeners for ipv4 (port 8045) and ipv6 (port 8047) are running:
# netstat -na | grep 804 | grep LISTEN
tcp        0      0 0.0.0.0:8045            0.0.0.0:*               LISTEN
tcp6       0      0 :::8047                 :::*                    LISTEN
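
The following audit script is an added example, not part of the original article or of XCOM. It checks both procedures above: uncommented txpi/txpi6 entries in an inetd.conf-style file (AIX), txpi/txpi6 xinetd files that are not set to "disable = yes" (Linux), and netstat output matched on the exact ports 8044/8046. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Broadcom code): audit for the non-secure XCOM listeners.
# Function names are hypothetical; service names and ports are from the article.

# Print uncommented txpi/txpi6 entries found in an inetd.conf-style file (AIX).
inetd_insecure() {
    awk '$1 == "txpi" || $1 == "txpi6" { print $1 }' "$1"
}

# Print txpi/txpi6 xinetd service files in directory $1 that are not disabled.
# A file with no "disable" line is reported too (treated here as enabled).
xinetd_insecure() {
    for svc in txpi txpi6; do
        [ -f "$1/$svc" ] || continue
        awk -v s="$svc" '
            /^[ \t]*disable[ \t]*=/ {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            }
            END { if (v != "yes") print s }' "$1/$svc"
    done
}

# Read "netstat -na" output on stdin and print 8044/8046 if in LISTEN state.
# Exact port match on the local address: AIX "*.8044", Linux "0.0.0.0:8044"
# and ":::8046"; unlike "grep 804" it ignores ports such as 18044 or 8048.
listening_insecure() {
    awk '$6 == "LISTEN" {
        n = split($4, a, /[.:]/)
        if (a[n] == "8044" || a[n] == "8046") print a[n]
    }' | sort -u
}

# Constructed sample: netstat lines in both formats, 8046 still listening.
sample_netstat() {
    cat <<'EOF'
tcp4       0      0  *.8045                 *.*                    LISTEN
tcp        0      0 0.0.0.0:18044           0.0.0.0:*               LISTEN
tcp6       0      0 :::8046                 :::*                    LISTEN
tcp6       0      0 :::8047                 :::*                    LISTEN
EOF
}

left=$(sample_netstat | listening_insecure)
[ -z "$left" ] || echo "non-secure XCOM port(s) still listening: $left"
```

On a real host, run the functions as "inetd_insecure /etc/inetd.conf", "xinetd_insecure /etc/xinetd.d" and "netstat -na | listening_insecure"; empty output from all three means no non-secure listener is configured or bound.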

Additional Information

IMPORTANT NOTE:

XCOM Data Transport for Linux r12.0 has been certified to run on RHEL 9 or SLES 15 SP03.

To run XCOM on these operating system levels, you need to install the latest XCOM solution LU11905, which installs the XCOM listener services in SYSTEMD format, since the XINETD system service has been deprecated on these latest operating systems. Solutions are cumulative and include all published fixes for XCOM Linux r12.0.