Configuring firewall rules

For each port variable contained in the DMCFG, the table below lists its bind address and required reachability; use this information as guidance when configuring firewall rules. Note that several variables also imply neighbouring ports (for example `+1`, `+2`, `+3`, or a range of ten ports), which must be opened together with the base port.

| Port Name | Description | Bind Address | Required reachability |
|---|---|---|---|
| port contained in CEMAN_DB_URL | JDBC connection used by CEMAN to connect to the database | Database machine(s)/node(s) | From each CEMAN node |
| ceman_https_port | Internal Data One WUI / CEMAN-core listening port | Each CEMAN node external address | From load balancer |
| jgroups_infinispan_bind_port | CEMAN-core JGroups primary listening port | Each CEMAN node external address | From each CEMAN node |
| jgroups_infinispan_bind_port+2 | CEMAN-core JGroups secondary listening port | Each CEMAN node external address | From each CEMAN node |
| jgroups_iam_infinispan_bind_port | CEMAN IAM JGroups primary listening port | Each CEMAN node external address | From each CEMAN node |
| jgroups_iam_infinispan_bind_port+1 | CEMAN IAM JGroups secondary listening port | Each CEMAN node external address | From each CEMAN node |
| ceman_localcontroller_port | CEMAN-core local controller listening port, used internally by the product to stop/check a running CEMAN-core | Each CEMAN node external address | From the same node |
| activemq_https_port | AMQ broker web console HTTPS listening port | Each CEMAN node external address | From browser machines requiring WUI access |
| brokerconfig_acceptor_core_port | AMQ active-passive broker native protocol listening port | Each CEMAN node external address | From each managed node |
| brokerconfig_jgroups_port | AMQ active-passive broker JGroups primary listening port | Each CEMAN node external address | Each CEMAN node external address |
| brokerconfig_jgroups_port+3 | AMQ active-passive broker JGroups secondary listening port | Each CEMAN node external address | Each CEMAN node external address |
| brokerconfig_aa_acceptor_core_port | AMQ active-active broker native protocol listening port | Each CEMAN node external address | From each CEMAN node |
| brokerconfig_aa_jgroups_port | AMQ active-active broker JGroups primary listening port | Each CEMAN node external address | From each CEMAN node |
| brokerconfig_aa_jgroups_port+3 | AMQ active-active broker JGroups secondary listening port | Each CEMAN node external address | From each CEMAN node |
| brokerconfig_aa_scaledown_jgroups_port | AMQ active-active broker scaledown JGroups primary listening port | Each CEMAN node external address | From each CEMAN node |
| brokerconfig_aa_scaledown_jgroups_port+3 | AMQ active-active broker scaledown JGroups secondary listening port | Each CEMAN node external address | From each CEMAN node |
| KEYCLOAK_HTTPS_PORT | Internal Data One IAM listening port | Each CEMAN node external address | From load balancer |
| ceman_http_port_balanced | External load balancer HTTP/S port, used by the user via browser to reach the Data One WUI | Load balancer external address | From browser machines requiring WUI access |
| IAM_PROXY_PORT | External load balancer HTTP/S port, used behind the scenes by the browser to contact the Data One WUI | Load balancer external address | From browser machines requiring WUI access |
| net_port | DATA WATCHER embedded MongoDB listening port | Each DATA WATCHER node external address | From each DATA WATCHER node |
| activemq_localcontroller_port | AMQ local controller listening port, used internally by the product to stop/check a running AMQ broker | Each CEMAN node localhost | From the same node |
| storm_worker_port ... storm_worker_port+9 | DATA WATCHER listening port range for Storm workers. In the worst case, every port from storm_worker_port to storm_worker_port+9 may be listened on; the actual number is typically lower. | Each DATA WATCHER node external address | From each DATA WATCHER node |
| zk_port | DATA WATCHER Zookeeper listening port | Each DATA WATCHER node external address | From each DATA WATCHER node |
| steng_https_port | STENG HTTPS listening port | Each STENG node external address | From each CEMAN node |
| steng_localcontroller_port | STENG local controller listening port, used internally by the product to stop/check a running STENG Peer | Each STENG node localhost | From the same node |
| gateway_Command_Port | DMZ command listening port | Each DMZ node external address | From each STENG node |

Will you use Data One for MFT with Data Mover? Additional rules will be needed.

These rules are the minimal set required for the product to run. When using Data One for MFT with Data Mover, you will define file transfer protocol servers and file transfer client connections, which require additional firewall traversal rules to be added in a protocol-specific way.
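As an added example (not part of the product documentation), the script below derives the inbound allow-list implied by the table from a constructed DMCFG excerpt: it resolves the `+N` offsets and the storm worker range, extracts the database port from `CEMAN_DB_URL`, and renders nftables-style allow lines per node role. The `KEY=VALUE` layout of the DMCFG, the sample values and the subset of variables covered are assumptions.

```python
import re

# Constructed sample DMCFG excerpt; the KEY=VALUE line format is an assumption.
SAMPLE_DMCFG = """
CEMAN_DB_URL=jdbc:postgresql://db01.example.internal:5432/ceman
ceman_https_port=8443
jgroups_infinispan_bind_port=7800
jgroups_iam_infinispan_bind_port=7900
brokerconfig_jgroups_port=7500
storm_worker_port=6700
zk_port=2181
steng_https_port=9443
"""

# (DMCFG variable, port offsets, listening node role, who must reach it): a subset of the table.
RULES = [
    ("ceman_https_port", (0,), "CEMAN", "load balancer"),
    ("jgroups_infinispan_bind_port", (0, 2), "CEMAN", "each CEMAN node"),
    ("jgroups_iam_infinispan_bind_port", (0, 1), "CEMAN", "each CEMAN node"),
    ("brokerconfig_jgroups_port", (0, 3), "CEMAN", "each CEMAN node"),
    ("storm_worker_port", tuple(range(10)), "DATA WATCHER", "each DATA WATCHER node"),
    ("zk_port", (0,), "DATA WATCHER", "each DATA WATCHER node"),
    ("steng_https_port", (0,), "STENG", "each CEMAN node"),
]

def parse_dmcfg(text):
    """Parse KEY=VALUE lines into a dict, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def db_port(jdbc_url):
    """Extract the TCP port from a JDBC URL such as jdbc:postgresql://host:5432/db."""
    match = re.search(r"://[^/:]+:(\d+)", jdbc_url)
    return int(match.group(1)) if match else None

def expected_ports(cfg):
    """Return (listening role, port, required source) for every port the table requires."""
    listeners = [("database", db_port(cfg["CEMAN_DB_URL"]), "each CEMAN node")]
    for var, offsets, role, source in RULES:
        base = int(cfg[var])
        listeners.extend((role, base + off, source) for off in offsets)
    return listeners

def render_rules(listeners, role):
    """Render nftables-style inbound allow lines for one node role."""
    return [f'tcp dport {port} accept comment "{source}"'
            for r, port, source in listeners if r == role]
```

Any port reported by `expected_ports` that is reachable from a source other than the one listed is a candidate for tightening; compare the rendered allow-list against the live rule set of each node role.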
