The Apache JServ Protocol (AJP) is a binary protocol that can proxy incoming requests from a web server to an application server behind the web server. AJP is a highly trusted protocol. It must not be made available to untrusted clients because they could gain access to confidential information or execute code on the application server.
ARIS uses AJP for communication between the loadbalancer runnable, which is based on Apache HTTPD, and the ARIS applications, which are based on Apache Tomcat. The vulnerable Tomcat AJP connector is mandatory and must stay active for ARIS applications.
If you have installed ARIS Server according to our recommendations, you can block access to the ports of all runnables except the HTTP and HTTPS ports used by the loadbalancer runnable by setting appropriate firewall rules. By default, these HTTP and HTTPS ports are 80 and 443 on Windows operating systems and 1080 and 1443 on Linux operating systems.
To prevent unauthorized access, check that the AJP ports of your ARIS installations are only accessible from networks from which users access ARIS. The ACC command show node gives an overview of open AJP ports: it lists all ports used by ARIS runnables, and the connector.ajp.port parameter (called CATALINA_AJP_PORT in former ARIS versions) identifies the AJP ports. If any of these ports are accessible from an external network, you must block access immediately with your firewall.
Important: If your ARIS system is a multi-node installation, the AJP ports must remain open for data transfer between the nodes. These open AJP ports do not represent a security gap, because distributed ARIS installations must always be protected by a firewall.
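The check described above, as an added example that is not part of this page or of ARIS: it picks the AJP ports out of runnable parameter output (connector.ajp.port or the older CATALINA_AJP_PORT) and builds Linux iptables rules that allow those ports only from an allow-list of trusted networks, such as the other nodes of a multi-node installation, and drop everything else. The line layout of the sample is constructed for illustration; the real show node output of ACC may be laid out differently, so adapt the parsing to what your ACC version prints.

```python
import ipaddress
import re

# Constructed sample in a key=value layout assumed for this example; the real
# ACC `show node` output may differ. Port numbers are made up.
SAMPLE_SHOW_NODE = """\
runnable loadbalancer_m  connector.http.port=1080  connector.https.port=1443
runnable umcadmin_m      connector.ajp.port=11080  connector.http.port=11081
runnable abs_m           CATALINA_AJP_PORT=12080   CATALINA_HTTP_PORT=12081
runnable zoo_m           zookeeper.client.port=14281
"""

# Current parameter name first, legacy name (former ARIS versions) second.
AJP_KEYS = ("connector.ajp.port", "CATALINA_AJP_PORT")


def ajp_ports(show_node_output):
    """Return {runnable: ajp_port} for every runnable that has an AJP connector."""
    found = {}
    for line in show_node_output.splitlines():
        m = re.match(r"runnable\s+(\S+)", line)
        if not m:
            continue
        for key in AJP_KEYS:
            hit = re.search(rf"{re.escape(key)}=(\d+)", line)
            if hit:
                found[m.group(1)] = int(hit.group(1))
    return found


def iptables_rules(ports, trusted_cidrs, chain="INPUT"):
    """Allow each AJP port only from the trusted networks, then drop all other sources.

    Rule order matters: the ACCEPT rules for a port must precede its DROP rule.
    """
    nets = [str(ipaddress.ip_network(c)) for c in trusted_cidrs]  # rejects bad CIDRs
    rules = []
    for port in sorted(set(ports)):
        for net in nets:
            rules.append(f"iptables -A {chain} -p tcp --dport {port} -s {net} -j ACCEPT")
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    ports = ajp_ports(SAMPLE_SHOW_NODE)
    print("AJP ports found:", ports)
    # Trusted networks are a placeholder; use the addresses of your other ARIS nodes.
    for rule in iptables_rules(ports.values(), ["10.0.0.0/24"]):
        print(rule)
```

On Windows the same allow-list is expressed as inbound rules with remote address scopes instead of iptables; the port discovery part is unchanged.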