How to Secure a Z2 Installation » History » Version 3

Henning Blohm, 15.08.2021 13:48

h1. How to secure a Z2 installation

This how-to looks at some very basic measures that provide basic protection for a z2 installation. While we are considering z2 here, these suggestions apply to pretty much any Web application system.

h2. Run a Firewall to Block Port Access

Java applications typically have more ports open than you think. This could be JMX related, debugging support, etc. The same is true for your operating system. So in general, make sure that only those ports are accessible that are required to run your application. On Linux this may well be just one port for SSH access (i.e. 22 by default) and one for Web application access.

There are some variations on the latter. In most cases your application is not the actual entry point for Web access. Instead, some request routing happens in front of it so that maintenance scenarios (and outages) and load balancing can be dealt with and, most importantly, for SSL termination.

Instead of protecting every single server node of your installation, you may consider setting up a "Virtual LAN":https://en.wikipedia.org/wiki/Virtual_LAN in which you can concentrate all access limitations and rules on securing a single gateway node.

The z2 Environment has no particular means for managing port-based access, and indeed the reason for this section is to make you aware of this fact.

Typically the following ports will be used by default with z2:

|_. Port |_. Purpose |_. Configuration |
| 8080 | Web Container (Jetty) | @environment.base/webServer/jetty-http.xml@ |
| 5000 | Java debug port for home process | @$Z2_HOME/bin/launch.properties@ |
| 5100+x | Java debug port for web worker process | @environment.base/webWorker.properties@ |
| 7800+x | JMX port for web worker process | @environment.base/webWorker.properties@ |

However, depending on your configuration, other ports may be opened. Also note [[How_to_Remote_Manage]].

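Firewall rules are easier to get right when you know what is actually listening on a node. The following added example (not part of the original how-to or of z2) checks @ss -H -tln@ output against a port allowlist and labels listeners that match the default z2 ports listed above. The function name @z2_port_audit@, the sample data, and reading "+x" as an offset of 0 to 99 are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against a port allowlist.
# Reads `ss -H -tln` output on stdin; arguments are the ports that are
# meant to be reachable from other hosts.
z2_port_audit() {
    awk -v allowed="$*" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        local_ep = $4                       # e.g. 0.0.0.0:22, *:8080, [::]:7800
        port = local_ep; sub(/.*:/, "", port)
        addr = local_ep; sub(/:[0-9]+$/, "", addr)
        # Loopback-only listeners are not reachable from other hosts.
        if (addr ~ /^127\./ || addr == "[::1]") next
        if (port in ok) next
        p = port + 0                        # force numeric comparison
        # Labels follow the default port table of this page; treating "+x"
        # as 0..99 is an assumption of this example.
        if (p == 8080) what = "Web Container (Jetty)"
        else if (p == 5000) what = "Java debug (home process)"
        else if (p >= 5100 && p <= 5199) what = "Java debug (web worker)"
        else if (p >= 7800 && p <= 7899) what = "JMX (web worker)"
        else what = "unexpected listener"
        printf "%s %s %s\n", port, addr, what
    }'
}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 *:8080 *:*
LISTEN 0 50 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 50 *:5100 *:*
LISTEN 0 50 [::]:7800 [::]:*'

# Live use on a node: ss -H -tln | z2_port_audit 22 8080
printf '%s\n' "$SAMPLE" | z2_port_audit 22 8080
```

Every line printed is a listener bound to a non-loopback address that the allowlist does not cover, so it should either be blocked by the firewall or be rebound or disabled in the configuration file named in the table.
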
h2. Use Whitelisting for Web Applications