Port Usage

Privilege Management for Unix and Linux uses sockets and ports for inter-program communication. These may be Unix/Linux domain socket ports or TCP/IP ports.

Privilege Management for Unix and Linux uses ports to form two types of connections:

  • Direct connection: A request to a service on a well-known port such as:
    • pbrun to pbmasterd’s well-known port
    • pbrun to pblogd’s well-known port (local mode only)
    • pbsh or pbksh to pbmasterd’s well-known port
    • pbsh or pbksh to pblogd’s well-known port (local mode only)
    • pbmasterd to pblogd’s well-known port, if the configuration policy calls the logmktemp() function
    • pbmasterd to pblocald’s well-known port
    • pblocald to pblogd’s well-known port
    • A browser to pbguid’s well-known port
    • pbguid to pbmasterd’s well-known port
    • REST services communicating between hosts
    For TCP/IP, the allownonreservedconnections setting can affect this type of connection.

  • Dynamic connection: This connection type is an optimization that enables two programs, both connected to a common third program, to connect directly to each other once the common program is no longer needed.

    For example, pbrun starts pbmasterd, which in turn starts pblocald. When pbmasterd's work is done, it can instruct pbrun and pblocald to connect directly to each other. This streamlines the network traffic and lets pbmasterd exit without affecting the other two programs, which saves resources.

    Two dynamic connections that Privilege Management for Unix and Linux uses are:

    • pbrun and pblocald when pbmasterd is finished. The pbrunreconnection variable can control the direction of the connection.
    • pblocald and pblogd when pbmasterd is finished and the configuration policy uses the logmktemp() function. The direction of the connection can be controlled by the pblogdreconnection variable in the policy language.

    For TCP/IP ports, in each case one program opens a listening port (in the range minlisteningport to maxlisteningport) and then waits for the other program to connect to it from an outgoing port (in the range minoutgoingport to maxoutgoingport).

    For Unix/Linux domain sockets, temporary sockets are formed in the localsocketdir directory.

For more information, please see allownonreservedconnections.

TCP/IP Ports

TCP/IP uses numeric ports from 1 to 65535. Reserved ports, which are accessible only to root, are in the range 1 to 1023. Non-reserved ports are in the range 1024 to 65535.

allownonreservedconnections

  • Version 4.0.0 and later: allownonreservedconnections setting available.

Privilege Management programs can initiate connections using reserved ports (for example, ports 600-1023) as well as non-reserved ports. Support for non-reserved ports was introduced in v3.0.5. By default, the host that receives a connection checks that it comes from a reserved port. This check can be disabled by setting allownonreservedconnections to yes.

Example:

allownonreservedconnections yes

Default:

allownonreservedconnections yes

Used on:

  • Log hosts
  • Policy server hosts
  • Run hosts

minlisteningport and maxlisteningport

  • Version 4.0.0 and later: minlisteningport and maxlisteningport settings available.

When a dynamic connection is needed between two Privilege Management for Unix and Linux programs, one program opens a listening port in the range between minlisteningport and maxlisteningport.

To control the range of ports that are used to listen for these dynamic connections, you can set minlisteningport and maxlisteningport to define the range of allowable ports.

Example:

minlisteningport 10000
maxlisteningport 10200

Default:

minlisteningport 1024
maxlisteningport 65535

Used on:

  • Log hosts
  • Policy server hosts
  • Run hosts
  • Submit hosts

minoutgoingport and maxoutgoingport

  • Version 4.0.0 and later: minoutgoingport and maxoutgoingport settings available.

When a Privilege Management program needs to contact another program, it opens an outgoing port in the range between minoutgoingport and maxoutgoingport. This range is used both for connections to a well-known service port and for dynamic connections.

If you want to use non-reserved ports, make sure that allownonreservedconnections is set to yes on the host that receives the connection.

Example:

minoutgoingport 20000
maxoutgoingport 20200

Default:

minoutgoingport 600
maxoutgoingport 1023

Used on:

  • Log hosts
  • Policy server hosts
  • Run hosts
  • Submit hosts

For more information, please see allownonreservedconnections.

Program Ports

  • localport
  • logport
  • masterport
  • pbrestport
  • guiport
  • sguiport
  • Solrport
  • syncport
  • rcswebsvcport


Unix/Linux Domain Sockets

Unix/Linux domain sockets are temporary files, created in the localsocketdir directory, that are used for dynamic connections.

localsocketdir

  • Version 3.5 and earlier: localsocketdir setting not available.
  • Version 4.0 and later: localsocketdir setting available.

The localsocketdir setting provides the path to a directory for Unix/Linux domain socket connections used in dynamic connections. The directory should be owned by root and should be readable and writable only by root (for example, drwx------).

Example:

localsocketdir /var/pbLocalSockets

Default:

No default value

Used on:

  • Log hosts
  • Policy server hosts
  • Run hosts
  • Submit hosts
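A defender-side consistency check for the port-range settings and the localsocketdir requirement described above, added here as an example; it is not code from the product or its documentation. It parses a constructed pb.settings fragment (assumed to be one keyword and value per line), validates the listening and outgoing ranges, flags an outgoing range that needs allownonreservedconnections yes on receiving hosts, and checks the root-only ownership and mode the page requires for the socket directory.

```python
import stat
from typing import Dict, List

# Constructed pb.settings fragment (not from a real host), one "keyword value" per line.
SAMPLE_SETTINGS = """\
allownonreservedconnections no
minlisteningport 10000   # listening range for dynamic connections
maxlisteningport 10200
minoutgoingport 600      # source ports for outbound connections
maxoutgoingport 2000
localsocketdir /var/pbLocalSockets
"""
RESERVED_MAX = 1023  # ports 1-1023 are reserved (root only)
DEFAULTS = {"minlisteningport": 1024, "maxlisteningport": 65535,  # defaults as
            "minoutgoingport": 600, "maxoutgoingport": 1023}      # stated above

def parse_settings(text: str) -> Dict[str, str]:
    """Parse 'keyword value' lines; blank lines and '#' comments are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    return settings

def port(settings: Dict[str, str], key: str) -> int:
    return int(settings.get(key, DEFAULTS[key]))  # fall back to the stated default

def check_port_ranges(settings: Dict[str, str]) -> List[str]:
    """Findings for the two ranges and their interaction with
    allownonreservedconnections on the receiving host."""
    findings: List[str] = []
    for lo_key, hi_key in (("minlisteningport", "maxlisteningport"),
                           ("minoutgoingport", "maxoutgoingport")):
        lo, hi = port(settings, lo_key), port(settings, hi_key)
        if not 1 <= lo <= hi <= 65535:
            findings.append(f"{lo_key}/{hi_key}: invalid range {lo}-{hi}")
    if port(settings, "maxoutgoingport") > RESERVED_MAX:
        findings.append("outgoing range includes non-reserved ports: receiving "
                        "hosts need allownonreservedconnections yes")
    if settings.get("allownonreservedconnections") == "no":
        findings.append("allownonreservedconnections no: peers must connect "
                        "from reserved source ports (1-1023)")
    return findings

def socketdir_mode_ok(st_mode: int, st_uid: int) -> bool:
    """localsocketdir must be a root-owned directory with mode drwx------ (0700)."""
    return stat.S_ISDIR(st_mode) and st_uid == 0 and stat.S_IMODE(st_mode) == 0o700
```

To audit a live directory, pass the st_mode and st_uid fields of os.stat(path) for the configured localsocketdir to socketdir_mode_ok.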