Spring Boot 2 application cannot overwrite RMIRegistry default port 1099 to make JMX connections safe

Question

Unfortunately, our Spring Boot 2 Application exposes the RMI Registry default port 1099 and our security team complains about that. We expect that JMX should exclusively be used via port 8999 in a safe manner. Currently, you can connect in both ways - insecure via port 1099 and secure by port 8999. We do not understand this so far because we actually have set the proper System Properties to prevent this:

-Dcom.sun.management.jmxremote=true 
-Dcom.sun.management.jmxremote.port=8999
-Dcom.sun.management.jmxremote.rmi.port=8999
-Dcom.sun.management.jmxremote.ssl=false 
-Dcom.sun.management.jmxremote.authenticate=true 
-Dcom.sun.management.jmxremote.password.file=/opt/our_app/jmxremote.password 
-Dcom.sun.management.jmxremote.access.file=/opt/our_app/jmxremote.access

Why is port 1099 still open? I have to mention that Spring Actuator is in use too but I cannot find any configuration there to control the port, so it seems not to be the issue.

Answer 1

Thanks to Ravi Sharam who has given the solution in the comment above.

We had the following dependency in our project:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-activemq</artifactId>
</dependency>

By starting the application additionally with System Property

-Dorg.apache.activemq.broker.jmx.createConnector=false

the open default port 1099 was removed. Let's check it with netstat:

root@protect01:/opt/our_app# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      29956/rpcbind
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      19282/systemd-resol
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1421/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      25126/master
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      988/java
tcp6       0      0 :::8999                 :::*                    LISTEN      988/java
tcp6       0      0 :::111                  :::*                    LISTEN      29956/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      3986/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      1421/sshd
tcp6       0      0 127.0.0.1:8089          :::*                    LISTEN      988/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      25126/master
tcp6       0      0 :::34139                :::*                    LISTEN      988/java
tcp6       0      0 :::11099                :::*                    LISTEN      988/java
tcp6       0      0 :::443                  :::*                    LISTEN      3986/apache2
tcp6       0      0 :::45093                :::*                    LISTEN      988/java

No open port 1099 is there anymore and only the expected one 8999. Yippiiii!