Wednesday, August 30, 2006

WebLogic listens on one interface

Setting the listen-address attribute is a Bad Idea. Hosts are multi-homed, and if you want to restrict access, don't stick your application on a machine that has an interface to the network you don't want it accessed from.

The WebLogic documentation describes the considerations very accurately (except that its last point about Windows NT machines is a bit whacked):

Listen Address Considerations

The following table describes important considerations related to setting the listen address value.

If the Listen Address is set to . . . | Then, the following is true . . .

IP address or DNS name

  • Processes must specify the IP address or DNS name to connect to the server instance.

  • Clients that specify localhost will fail to connect.

  • You must update existing processes that use localhost to connect to the server instance.

Note: To resolve a DNS name to an IP address, WebLogic Server must be able to contact an appropriate DNS server or obtain the IP address mapping locally. Therefore, if you specify a DNS name for the listen address, you must either leave a port open long enough for the WebLogic Server instance to connect to a DNS server and cache its mapping or you must specify the IP address mapping in a local file. If you specify an IP address for the listen address and then a client request specifies a DNS name, WebLogic Server will attempt to resolve the DNS name, but if it cannot access DNS name mapping, the request will fail.

localhost

  • Processes must specify localhost to connect to the server instance.

  • Only processes that reside on the machine that hosts the server instance (local processes) will be able to connect to the server instance.

  • Remote (non-local) processes will not be able to connect to the server instance.

Undefined or Blank ("")

  • Processes can specify the IP address, DNS name, or localhost to connect to the server instance.

  • Processes that specify localhost must reside on the machine that hosts the server instance.

  • If the server instance must be accessible as localhost (for instance, if you have administrative scripts that connect to localhost), and must also be accessible by remote processes, leave the listen address blank.

Note: For WebLogic servers running on multi-homed Windows NT machines, you should not leave the listen address value undefined or blank. (Multi-homed machines are configured with multiple IP addresses.) Otherwise, the WebLogic Server reserves and listens on its port for each of the machine IP addresses. This precludes other servers from using the same port on the machine.
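As an added illustration (not from the post and not from the WebLogic documentation), the Python script below reproduces the rows of the table above with plain TCP sockets. A WebLogic listen address is, underneath, just the address the server socket binds to, so "localhost", a specific IP address and blank correspond to binding 127.0.0.1, that address, or the wildcard address. The script also checks the port-reservation effect the note attributes to Windows NT: a wildcard bind on a port takes that port on every interface, which is ordinary behaviour on Unix-like systems too. The helper names (listen_on, can_connect, reachability, port_conflict, primary_address) are mine, and primary_address is a best-effort guess that returns None on an isolated host.

```python
"""Added example (not from the post or from WebLogic): illustrate, with plain
TCP sockets, what the listen-address table describes.  Helper names are
hypothetical and chosen for this illustration."""
import errno
import socket


def listen_on(bind_addr):
    """Open a listening TCP socket bound to bind_addr ('' = all interfaces)
    on a kernel-chosen free port.  Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # No SO_REUSEADDR on purpose: port_conflict() wants to see real conflicts.
    srv.bind((bind_addr, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def can_connect(addr, port, timeout=0.5):
    """True if a TCP connect to (addr, port) completes the handshake."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def reachability(bind_addr, client_addrs):
    """Bind to bind_addr, then report which destination addresses a client can
    use to reach the server.  Rows of the table: '127.0.0.1' is the 'localhost'
    row, '' is the 'Undefined or Blank' row, a host address is the 'IP address' row."""
    srv, port = listen_on(bind_addr)
    try:
        return {a: can_connect(a, port) for a in client_addrs}
    finally:
        srv.close()


def port_conflict(first_bind, second_bind):
    """Bind first_bind on a fresh port, then try to bind second_bind to the same
    port.  Returns True if the second bind fails with EADDRINUSE, i.e. the first
    server 'precludes other servers from using the same port'."""
    srv, port = listen_on(first_bind)
    other = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        other.bind((second_bind, port))
        return False
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        other.close()
        srv.close()


def primary_address():
    """Best-effort guess of this host's non-loopback IPv4 address.  Connecting a
    UDP socket only selects a route; no packet is sent.  None if unavailable."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.connect(("192.0.2.1", 9))  # TEST-NET-1 documentation address
        ip = probe.getsockname()[0]
        return None if ip.startswith("127.") else ip
    except OSError:
        return None
    finally:
        probe.close()


if __name__ == "__main__":
    host_ip = primary_address()
    targets = ["127.0.0.1"] + ([host_ip] if host_ip else [])
    rows = [("127.0.0.1", "localhost"), ("", "Undefined or Blank")]
    if host_ip:
        rows.insert(0, (host_ip, "IP address %s" % host_ip))
    for bind_addr, label in rows:
        print("listen address = %s:" % label)
        for client, ok in reachability(bind_addr, targets).items():
            print("  client connecting to %-15s %s" % (client, "connects" if ok else "refused"))
    print("wildcard bind blocks a second server on the same port:",
          port_conflict("", "127.0.0.1"))
```

Run it on a multi-homed host and the "localhost" row refuses the connection made to the host's own interface address while the "IP address" row refuses the one made to 127.0.0.1; only the blank row accepts both. The last line shows why the note's port-reservation warning is not specific to Windows NT: any server that binds the wildcard address owns that port on every interface.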


I should really stop regurgitating information that is readily available on the web. The original point of this blog was to document findings that were not documented elsewhere.

Back to basics...
