Jump to: navigation, search

Restricting Ports

You can control access to GMS APIs by configuring your firewall to allow or block other hosts (such as public internet, intranet, specific IP addresses, and so on) from accessing TCP/IP ports on the host where GMS is running.

You can configure and enable port control through the following process:

  1. Set configuration options.
  2. Copy code snippet from Service Management UI.
  3. Paste code snippet into the jetty-http.xml file.
  4. Restart GMS.

Configuration

Configuration Options

You can control port access to GMS APIs by adding a port_restrictions section in the GMS configuration, at the node level or cluster level. This section is optional and not defined in the default template. The content of this section is a list of key/values. Where key is an URI pattern (/genesys/1/storage/*, /genesys/1/service/*, /genesys/1/service/request-interaction, and so on), and the value is a list of ports or a port range.

  1. In Configuration Manager, select Environment > Applications.
  2. Locate and open the Application object for GMS.
  3. Select the Options tab.
  4. Add the port_restrictions section, and then set the options and values with the URL and ports you wish to control.
  5. Save your changes.


Example port_restrictions section:

Option Name Option Value Description
/genesys/1/storage* 80-90 Storage API will be accessible from port 80 to port 90.
/genesys/1/service/* 92-98,100 Services API will be accessible from port 92 to port 98, plus the port 100.
Important
  • There are no default values or default option names. You can define various URL patterns; such as /genesys/1/resource*, /genesys/1/resource*, /genesys/1/service/*, /genesys/1/service/request-interaction, and so on.
  • If the request is sent on another port, an HTTP error 403 Forbidden occurs.
  • The Admin UI and APIs not listed in the port_restrictions section will be available on all ports listed in the port_restrictions section.

Service Management UI

  1. In the Service Management User Interface, go to the Services and Tools > Tools > Config tab. The xml snippet is displayed.
  2. Select and copy the entire Set connectors code snippet.

Example code snippet:

GMS-webui-configjettysnippet.png

jetty-http.xml File

  1. Go to the <GMS_HOME>/etc/jetty-http.xml file, and add the code snippet in the Set connectors section of the file, after the GMS default HTTP connector (used to open default port 8080).

Example Set connectors section: UPDATED XML FOR JETTY 9.4

 <!-- =========================================================== -->
<!-- Set connectors                                              -->
<!-- =========================================================== -->
<Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property name="http.acceptors" default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property name="http.selectors" default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpConfig" /></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="host"><Property name="jetty.host" /></Set>        
        <Set name="port"><Property name="jetty.http.port" deprecated="jetty.port" default="8080" /></Set>        
        <Set name="idleTimeout"><Property name="http.timeout" default="30000"/></Set>
        <Set name="soLingerTime"><Property name="http.soLingerTime" default="-1"/></Set>
        <Set name="acceptorPriorityDelta"><Property name="jetty.http.acceptorPriorityDelta" deprecated="http.acceptorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property name="jetty.http.acceptQueueSize" deprecated="http.acceptQueueSize" default="0"/></Set>
        <Get name="SelectorManager">
          <Set name="connectTimeout"><Property name="jetty.http.connectTimeout" default="15000"/></Set>
          <Set name="reservedThreads"><Property name="jetty.http.reservedThreads" default="-2"/></Set>
        </Get>
      </New>
    </Arg>
  </Call>

2. Restart GMS.

Disabling Port Restrictions

  1. In Configuration Manager, select Environment > Applications.
  2. Locate and open the Application object for GMS.
  3. Select the Options tab.
  4. Select the port_restrictions section.
  5. Right-click, and enter a hash tag (#) in front of port_restrictions so it appears like this: #port_restrictions. The port restrictions are now disabled, and the Service Management User Interface > Lab > Config tab will display: port restrictions has not been enabled.


Setting Default GMS Port

By default, the GMS Port is set to 8080. You can modify this value by editing the <GMS_HOME>/etc/jetty-http.xml file and changing this value in the addConnector section. When you are finished, restart GMS.

<Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int">
<Property name="http.acceptors" default="-1"/></Arg>
        <Arg name="selectors" type="int">
<Property name="http.selectors" default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpConfig" /></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="host"><Property name="jetty.host" /></Set>
        <Set name="port"><Property name="jetty.port" default="8080" /></Set>
        <Set name="idleTimeout">
<Property name="http.timeout" default="30000"/></Set>
        <Set name="soLingerTime">
<Property name="http.soLingerTime" default="-1"/></Set>
        <Set name="acceptorPriorityDelta">
<Property name="http.acceptorPriorityDelta" default="0"/></Set>
        <Set name="selectorPriorityDelta">
<Property name="http.selectorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize">
<Property name="http.acceptQueueSize" default="0"/></Set>
      </New>
    </Arg>
  </Call>


Important
Make sure that the values of the external_url_base option set for the load-balancer URL base and the server/web_port option used for CometD node to node communication are consistent with each other.

Feedback

Comment on this article:

blog comments powered by Disqus
This page was last modified on April 11, 2018, at 12:11.