IBM Streams 4.2.1

Firewall configuration guidelines for IBM Streams

If firewall usage is required, the preferred configuration is to set up a firewall at the perimeter of the IBM® Streams cluster so that it restricts network access to resources in the cluster from outside, but does not sit between the resources themselves. Every communication path that passes through a firewall adds latency. These guidelines apply to clients that are in the IBM Streams cluster as well as to clients that are external to the cluster.

Tip: When you configure a port for a service, the placement of the service can be controlled by host tags so that the ports are open only on the resources that are configured to run that service. For information about using host tags, see Assigning tags to resources in a domain.

Guidelines for clients that are in the IBM Streams cluster

If your security plan requires a firewall on the resource or between resources, the following communications must be enabled between resources and must be blocked from unauthorized external access:
  • If you are using a Secure Shell (SSH) environment for IBM Streams, SSH communication between runtime resources.

  • Communication between IBM Streams management services, which is limited to ports in the local port range (TCP/IP port numbers automatically assigned by the host machine). You can use the port range configuration property for the domain to control the range.

  • TCP communication between processing elements, which is limited to ports in the local port range.

  • HTTPS connections between the web management service (SWS) and IBM Streams interfaces such as the Streams Console. Each IBM Streams domain that is running the SWS service requires a user-assigned HTTPS port.

  • Connections between the management API service (JMX) and IBM Streams interfaces such as the Streams Java™ Monitoring and Management Console, the Streams Console, and Streams Studio. Each IBM Streams domain that is running the JMX service requires a user-assigned port.

  • All communication protocols between applications and the external systems they depend on, such as an external Apache ZooKeeper server or external analytics services.

Guidelines for clients that are external to the IBM Streams cluster

The following communications must be enabled:
  • The Streams Console and clients of the REST API require HTTPS connections to the web management service (SWS). The SWS service requires a user-assigned HTTPS port:
    • The SWS service (sws.port).

  • Streams Studio and clients of the management API service (JMX) require SSL/TCP connections to the domain and instance JMX services. These services require a user-assigned port; a static port selection is preferred.

  • Streams Studio and clients of the management API service (JMX) require HTTPS connections to the following services. All of these services dynamically allocate HTTPS ports in the port range configuration property for the domain. You can also set them to a static value.
    • The domain JMX service (jmx.httpPort).
    • The instance JMX service (sam.jmxHttpPort).
    • The instance view service (view.httpPort).

  • Streams Studio requires a Remote System Explorer (RSE) connection to the system where IBM Streams is installed. For information about the specific ports that are used, see Configuring Streams Studio for remote development.
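The guidelines in both sections above amount to one rule set per cluster resource: SSH, the management-service port range and PE-to-PE TCP traffic are accepted only from other cluster resources, while only the user-assigned static ports (SWS, JMX) are reachable from outside. The following script, added here as an illustration and not part of the IBM Streams documentation or product, renders that rule set as an iptables-restore fragment and validates the port range first. The cluster CIDR 10.20.0.0/24, the port range 40000-41000 and the port numbers 8443 and 9975 are constructed sample values, not product defaults; read the real values from your domain properties.

```shell
#!/bin/sh
# Added example (not from the IBM Streams documentation): print perimeter
# firewall rules for an IBM Streams cluster resource. Nothing is applied;
# the output is meant to be reviewed and fed to iptables-restore.
# All CIDRs and port numbers used below are constructed sample values.

# Return 0 if $1 is an integer in 1..65535, else 1.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate a domain port range LOW HIGH against the static service ports that
# follow. Both bounds must be valid ports, LOW <= HIGH, and no static port may
# fall inside the range (a dynamically assigned management or PE port could
# otherwise collide with it).
# Usage: check_port_range LOW HIGH STATIC_PORT...
check_port_range() {
    low="$1"; high="$2"; shift 2
    is_port "$low" && is_port "$high" || return 1
    [ "$low" -le "$high" ] || return 1
    for p in "$@"; do
        is_port "$p" || return 1
        if [ "$p" -ge "$low" ] && [ "$p" -le "$high" ]; then
            return 1
        fi
    done
    return 0
}

# Print INPUT-chain rules. Traffic from the cluster CIDR may reach SSH and the
# whole domain port range (management services and PE-to-PE TCP); everyone
# else may reach only the listed static ports (sws.port, the JMX ports).
# Usage: streams_fw_rules CLUSTER_CIDR LOW HIGH STATIC_PORT...
streams_fw_rules() {
    cidr="$1"; low="$2"; high="$3"; shift 3
    check_port_range "$low" "$high" "$@" || {
        echo "invalid port range $low-$high for static ports: $*" >&2
        return 1
    }
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "# intra-cluster only: SSH, management services, PE-to-PE traffic"
    echo "-A INPUT -s $cidr -p tcp --dport 22 -j ACCEPT"
    echo "-A INPUT -s $cidr -p tcp --dport $low:$high -j ACCEPT"
    echo "# reachable from outside the cluster: user-assigned static ports only"
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "# the port range stays closed to external clients"
    echo "-A INPUT -j DROP"
}

# Count ACCEPT rules that carry no source restriction: the externally exposed
# TCP surface. Handy as a review step before the rules are loaded.
count_external_accepts() {
    streams_fw_rules "$@" | grep -c -- '^-A INPUT -p tcp --dport [0-9]* -j ACCEPT$'
}

# Constructed sample: cluster 10.20.0.0/24, port range 40000-41000,
# sws.port 8443, domain JMX 9975.
streams_fw_rules 10.20.0.0/24 40000 41000 8443 9975
```

Because the JMX HTTPS ports (jmx.httpPort, sam.jmxHttpPort, view.httpPort) are allocated dynamically from the port range by default, leaving them dynamic would force you to open the entire range to external clients; set them to static values and pass those to the script instead, so the range can stay closed at the perimeter.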