JRS 5.6 firewall issues

[cbarlow3]

We were experiencing really strange performance issues with JSR 5.6 on AIX/DB2 with Tomcat (like the Tomcat instance taking about 19 minutes to start up vs. around 50 seconds we were used to in other installs), and after looking through the Tomcat logs, we discovered a couple of mysterious problems that we can work around, but that we would rather find out more info on if possible, as they look like pretty serious security issues:

1. Apparently JRS is contacting some server(s) on the internet during the startup process.  Since this particular install has a firewall configuration that doesn't allow that, it eventually times out and continues with the startup.  We know we opted out of the heartbeat message already.  Is there some other outgoing message that we need to configure, and if so, what is it, what is it for, and how do we opt out of it as well?  Our workaround is an environment variable setting that limits host name resolution, which prevents it from wasting time trying to connect to any internet servers.

2. Additionally, JRS is now "listening" on two different socket ports.  One of them (10990) is documented in the JRS guide as the default diagnostic port, and is configurable so that we can turn it off.  But we have not found any mention of the other one.  The other port does not seem to be fixed at a specific port number--while the 19 minute startup is happening, we saw tha tit tried listening on a bunch of ports in succession (like 42556, then 42557, and so on). Wehn it finally comes up after 19 minutes, it has settled on a port, but it is a different one every time.  It appears to be related to issue #1, because when we put in place the workaround for #1, the Tomcat instance does NOT end up listening on an extra port.  It is almost as if JRS is trying to contact an outside internet server, as well as trying to listen on a port so that the outside internet server can initiate a connection back to Tomcat.  Just about any firewall setup won't allow this to occur, so we're not sure what JRS is trying to accomplish, but it sounds like a pretty scary security concern.

Does anyone know any details on what these attempted external communications are and what the correct way is to disable them?  Thanks.

Carl Barlow

[hozawa]

I have couple of installation behind the firewall and everything is OK.

>1. Apparently JRS is contacting some server(s) on the internet during the startup process.

You've probably elected to join the heartbeat program. Turn that off by editing js.config.properties file:

# Enable or disable HeartBeat
heartbeat.enabled=false
heartbeat.askForPermission.enabled=false
heartbeat.permissionGranted.enabled=false

 

[cbarlow3]

Thanks, hozawa. We were pretty sure we had opted out of the heartbeat, but just to make sure, we did modify the file you mentioned, bring down the instance of Tomcat and brought it back up (without our workarounds in place), and it again took 19 minutes to come up. I think the js.config.properties file configures the instance to prompt or not prompt for the opt-in and also to set the default value, but the actual opt-in information for each operating system user (AIX user in our case) is STORED in the user's home directory in a subdirectoy called .jaspserserver in a file with a long hex name (the one we have on our system we're testing with happens to be a filename of 89D4743F9A031BD26014D513992AE4DB, for example). Our file looks like this:

#heartbeat local ID file

#Wed Sep 17 13:58:40 CDT 2014

version=5.6.0

heartbeat.id=4595214

permission.granted=false

 

So I think there must be some other nefarious connection at work besides the heartbeat.

[hozawa]

Have you looked at the following discussion? It's probably not JasperReports Server but the network configuration - DNS lookup?

 

http://www.linuxquestions.org/questions/aix-43/aix-7-1-on-power-750-is-very-slow-with-no-high-memory-or-process-consumption-4175496983/

 

BTW, my JasperReports Server on AS400 + DB2 is taking a very long time too startup but I've found the problem to be with java performance on AS400.

[hozawa]

JasperReports Server is also using ehcache and doing a multicast and finding servers on the same LAN segment. It seems the way ehcache is implemented on JRS causes problems without "proper" network configuration.

I've asked Jaspersoft Support if there is no way to disable ehcache and they've told me there isn't.

[jt.shyman]

Ran into the same issue. It seems to be related to name resolution. I've "resolved" it by playing with the resolv.conf and hosts files. Still working out the exact changes necessary but my thoughts are Jasper is trying to resolve its own IP address and connect to the resolved IP. For some reason, this isn't working well when the resolved IP is a publicly routed IP.

I solved the long startup time issue simply by adding the server's short hostname to the hosts file on the 127.0.0.1 address and restarting tomcat.