HOW TO: Resolve jQuery and Bootstrap Security Issues in Informatica Cluster Service
Solution
For Enterprise Data Catalog deployed in an embedded cluster, the cluster manager might use vulnerable versions of jQuery and Bootstrap. When the Enterprise Data Catalog application services access the cluster manager, you might encounter jQuery and Bootstrap security issues. These issues do not affect Enterprise Data Catalog functionality, and as a user you do not access the cluster manager directly.
To resolve the security issues, configure a firewall that restricts access to the ports configured for the cluster manager. Configure the firewall to allow access to these ports only from the machine that hosts the Informatica domain.
You can use a firewall of your choice to implement the access restrictions. Alternatively, you can configure a firewall using IP rules with firewalld, a Linux firewall-management tool.
Make sure that SSL is enabled for the Informatica domain, the Catalog Service, and the Informatica Cluster Service when you configure a firewall to restrict access.

Configure a Firewall Using IP Rules

Perform the following steps to configure a firewall using IP rules:

  1. Disable the Catalog Service.
  2. Disable the Informatica Cluster Service.
  3. Download firewalld.
  4. Install and enable firewalld on the node that hosts Apache Ambari Server using the following commands:
    1. sudo yum install firewalld
    2. sudo systemctl start firewalld
    3. sudo systemctl enable firewalld
  5. Optional. Use the following command to verify the status of the firewall: sudo systemctl status firewalld
  6. Optional. Run the following commands to view the current zone settings in the firewall:
    1. sudo firewall-cmd --get-zones
    2. sudo firewall-cmd --get-default-zone
    3. sudo firewall-cmd --get-active-zones
  7. Run the following commands to convert the default trusted zone to an active zone in the firewall:
    1. sudo firewall-cmd --zone=trusted --add-interface=<Network_Interface>. For example: sudo firewall-cmd --zone=trusted --add-interface=ens160
      Note: If the network interface ens160 is already assigned to a zone, use the command sudo firewall-cmd --zone=trusted --change-interface=ens160 instead.
    2. sudo firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source not address="<Domain_IP_Address>" port protocol="tcp" port="<Ambari_Port>" drop'
  8. Optional. To verify the changes, run the following command: sudo firewall-cmd --list-all-zones
  9. Create an ipset and add all the cluster and domain node IP addresses to the ipset using the following commands:
    1. sudo firewall-cmd --permanent --new-ipset=<IPset_name> --type=hash:ip
    2. sudo firewall-cmd --reload
    3. sudo firewall-cmd --ipset=<IPset_name> --add-entry=<IP_Address>
      Note: You can use the following command to view and verify the ipset entries: sudo firewall-cmd --permanent --ipset=<IPset_name> --get-entries
  10. To restrict access to the cluster manager ports, run the following command: sudo firewall-cmd --zone=trusted --add-rich-rule='rule source NOT ipset="<IPset_name>" port protocol="tcp" port="<Ambari_Port>" drop'
  11. To make the access restrictions permanent, run the following commands:
    1. sudo firewall-cmd --runtime-to-permanent
    2. sudo firewall-cmd --reload
  12. Enable the Informatica Cluster Service.
  13. Enable the Catalog Service.
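Steps 7 and 9 to 11 above, collected into one script, as an added example that is not Informatica's own code. It assumes the Ambari port 8080 used in the Testing section, a constructed ipset name (edc_nodes) and interface (ens160), and that FIREWALL_CMD may be overridden for a dry run; it also refuses to add the NOT ipset rule until the domain host's address is in the ipset, because that rule would otherwise drop the domain's own traffic.

```shell
#!/bin/sh
# Added example, not Informatica's own script: steps 7 and 9 to 11 of the
# procedure above with firewalld, plus a lock-out check. FIREWALL_CMD can be
# overridden (for example FIREWALL_CMD=echo) for a dry run; the ipset name,
# interface and port 8080 used when calling it are constructed values.
set -eu
FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"

# Accept only dotted-quad IPv4 addresses with every octet in 0..255.
validate_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Rich rule from step 10: drop TCP traffic to the Ambari port from every
# source that is not in the ipset of cluster and domain node addresses.
ambari_drop_rule() {
    printf 'rule source NOT ipset="%s" port protocol="tcp" port="%s" drop' "$1" "$2"
}

# Usage: configure_ambari_firewall <iface> <ipset> <ambari_port> <ip>...
# The first IP address must be the machine that hosts the Informatica domain.
configure_ambari_firewall() {
    iface="$1"; ipset="$2"; port="$3"; shift 3
    [ "$#" -ge 1 ] || { echo "need at least the domain IP address" >&2; return 1; }
    for ip in "$@"; do
        validate_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    # Step 9 first: --reload replaces the runtime configuration with the
    # permanent one, so create the permanent ipset before any runtime change.
    $FIREWALL_CMD --permanent --new-ipset="$ipset" --type=hash:ip
    $FIREWALL_CMD --reload
    # Step 7: --change-interface binds the interface to the trusted zone
    # whether or not it is already assigned to another zone.
    $FIREWALL_CMD --zone=trusted --change-interface="$iface"
    for ip in "$@"; do
        $FIREWALL_CMD --ipset="$ipset" --add-entry="$ip"
    done
    # Lock-out check: if the domain IP were missing, the NOT ipset rule would
    # drop the domain's own traffic too, so refuse to add the rule.
    $FIREWALL_CMD --ipset="$ipset" --get-entries | grep -qx "$1" \
        || { echo "domain IP $1 is not in ipset $ipset" >&2; return 1; }
    # Steps 10 and 11: restrict the Ambari port, then persist the runtime rules.
    $FIREWALL_CMD --zone=trusted --add-rich-rule="$(ambari_drop_rule "$ipset" "$port")"
    $FIREWALL_CMD --runtime-to-permanent
    $FIREWALL_CMD --reload
}
```

Run it on the Ambari node as, for example, `configure_ambari_firewall ens160 edc_nodes 8080 <Domain_IP_Address> <Cluster_Node_IP>...`, listing the domain host first; with `FIREWALL_CMD=echo` it only prints the firewall-cmd calls it would make.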

Testing the Firewall

After you configure the firewall rules and enable the firewall, the services running on the cluster, and the Catalog Service, run the following curl commands to verify that access to the Ambari Server is allowed only from the machine that hosts the Informatica domain:
  • Run curl http://<hostname>:8080/ from the machine that hosts the Informatica domain. The command must return an HTML response, which indicates that the firewall permits access from the machine that hosts the Informatica domain.
  • From another node in the cluster, run the same curl command. You must get one of the following errors:
    • curl: (7) Failed connect to <host name>:8080; No route to host.
    • curl: (7) Failed connect to <host name>:8080; Connection timed out.
      The errors indicate that the firewall denies access to the Apache Ambari Server from any node that does not host the Informatica domain.
  • You must be able to access other URLs, such as the YARN Resource Manager URL, from any node.

Troubleshooting Firewall Issues

If you see the following error message when you start the firewall:

Failed to start firewalld.service: Unit is masked

run the following command before you restart the firewall to resolve the issue:

sudo systemctl unmask firewalld
Applies To
Product: Enterprise Data Catalog
Problem Type: Configuration; Security
User Type: Administrator
Project Phase: Configure
Product Version: Enterprise Data Catalog 10.4
Last Modified Date: 7/2/2020 2:53 AM
ID: 627803