Restrict ports for vIDM Postgres cluster deployed via vRSLCM

Article ID: 320258


Updated On:

Products

VMware Aria Suite

Issue/Introduction

The purpose of this article is to restrict the ports required for PostgreSQL clustering to only the cluster nodes. Short description of the ports' usage:

Port    Description
5432    Postgres connections
9999    Pgpool-II connections
9898    PCP process connections
9000    Watchdog connections
9694    For receiving watchdog's heartbeat signal


Environment

VMware vRealize Suite Lifecycle Manager 8.x
VMware Identity Manager 3.0
VMware vRealize Suite Lifecycle Manager 8.1.x

Resolution

To restrict the ports, follow the steps below:

Note: Perform these steps on all nodes.

  1. Create a file named post, using the command:
vi /usr/local/horizon/conf/iptables/post
  2. Add the below content to the file created in step 1:

POST_tcp_all=""
POST_tcp_vapp="5432 9999 9000 9898 9694"
POST_udp_all=""
POST_udp_vapp=""
  3. Create the enable.post flag file and give it the required permissions, using the commands:
touch /usr/local/horizon/conf/flags/enable.post
chmod 644 /usr/local/horizon/conf/flags/enable.post
  4. Ensure the file has read/write access, using the command:
Example:
# ls -lat /usr/local/horizon/conf/flags/enable.post
-rw-r--r-- 1 root root 0 Apr 28 18:25 /usr/local/horizon/conf/flags/enable.post
  5. Open the iptables configuration file, using the command:
vi /usr/local/horizon/conf/iptables.cfg

Replace the line:

IPTABLE_tcp_all=" 5432 9999 9000 9898 9694 443 80"

with

IPTABLE_tcp_all="443 80"
  6. Open the file ipRedirect.sh, using the command:
vi /usr/local/horizon/scripts/ipRedirect.sh

Replace the below line:

IP=`/sbin/ip -o -f inet addr show dev ${IFC} | awk '{ print $4 }'| sed -e 's/\/.*$//'`

with

IP=`/sbin/ip -o -f inet addr show dev ${IFC} | grep -v secondary | awk '{ print $4 }'| sed -e 's/\/.*$//'`
  7. Run the command to update the iptables rules:
/usr/local/horizon/scripts/updateiptables.hzn
  8. To verify that the ports are open only to the required cluster nodes:
iptables -L -n --line-numbers | grep :<port>

Example:
#iptables -L -n --line-numbers | grep :5432

15 ACCEPT tcp -- Node1 0.0.0.0/0 tcp dpt:5432 ctstate NEW,ESTABLISHED
16 ACCEPT tcp -- Node2 0.0.0.0/0 tcp dpt:5432 ctstate NEW,ESTABLISHED
17 ACCEPT tcp -- Node3 0.0.0.0/0 tcp dpt:5432 ctstate NEW,ESTABLISHED
15 ACCEPT tcp -- Node1 0.0.0.0/0 tcp spt:5432 ctstate ESTABLISHED
16 ACCEPT tcp -- Node2 0.0.0.0/0 tcp spt:5432 ctstate ESTABLISHED
17 ACCEPT tcp -- Node3 0.0.0.0/0 tcp spt:5432 ctstate ESTABLISHED


Note: Use this command for the other ports to confirm the same.
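As an added example (not part of this KB article), the following POSIX shell helper parses the `iptables -L -n --line-numbers` listing and flags any ACCEPT rule for a cluster port whose source is not one of the cluster nodes, so the check in step 8 can be run for all five ports at once; the node addresses and the two sample listings are constructed.

```shell
#!/bin/sh
# Added verification helper; not part of the VMware KB article.
# Parses `iptables -L -n --line-numbers` output and reports any ACCEPT rule
# for a PostgreSQL/Pgpool-II cluster port whose source is not a cluster node.
# The node addresses and the sample listings below are constructed.

CLUSTER_PORTS="5432 9999 9000 9898 9694"
NODES="192.0.2.11 192.0.2.12 192.0.2.13"   # constructed cluster node addresses

# check_rules "<allowed sources>" "<iptables -L -n --line-numbers output>"
# Prints one line per offending rule and returns 1; returns 0 when every
# cluster-port ACCEPT rule has a source in the allowed list.
check_rules() {
    nodes="$1"
    rules="$2"
    printf '%s\n' "$rules" | awk -v ports="$CLUSTER_PORTS" -v nodes="$nodes" '
        BEGIN {
            n = split(nodes, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            m = split(ports, p, " ")
        }
        # Numeric listing columns: num target prot opt source destination ...
        $2 == "ACCEPT" && /dpt:/ {
            for (i = 1; i <= m; i++)
                if ($0 ~ ("dpt:" p[i] "( |$)") && !($5 in ok)) {
                    print "port " p[i] " accepted from " $5
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed listing after the fix: cluster ports accepted only from the nodes.
GOOD_RULES='Chain INPUT (policy DROP)
num  target  prot opt source      destination
15   ACCEPT  tcp  --  192.0.2.11  0.0.0.0/0    tcp dpt:5432 ctstate NEW,ESTABLISHED
16   ACCEPT  tcp  --  192.0.2.12  0.0.0.0/0    tcp dpt:5432 ctstate NEW,ESTABLISHED
17   ACCEPT  tcp  --  192.0.2.13  0.0.0.0/0    tcp dpt:5432 ctstate NEW,ESTABLISHED
20   ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:443 ctstate NEW,ESTABLISHED'

# Constructed listing before the fix: 9999 still accepted from any source.
BAD_RULES="$GOOD_RULES
21   ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:9999 ctstate NEW,ESTABLISHED"

# Stand-alone run on the samples; on a node use "$(iptables -L -n --line-numbers)".
check_rules "$NODES" "$BAD_RULES" || echo "cluster port restriction incomplete"
```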