CCE Tomcat Shutdown Port

The Tomcat config (C:\icm\tomcat\conf\server.xml) for the CCE servers contains the tomcat shutdown port of 8005.

<Server port="8005" shutdown="SHUTDOWN">

This is a default Tomcat configuration setup.

The issue with using Port 8005 is that it the Microsoft Server Configuration Manager server SMS Agent Host also uses 8005.
If Tomcat is unable to bind to this port (if SMS Agent Host gets it first), Tomcat will not start successful and shutdown.
So this is an issue!
Reference:

• https://2pintsoftware.com/configmgr-express-updates-deep-dive/
• https://social.technet.microsoft.com/Forums/en-US/4c5d22b8-3a36-4e61-b19f-35840854bb7d/express-patching-and-port-8005?forum=ConfigMgrCompliance

The Tomcat guide recommends the followings:

• Setting the port attribute to -1 disables the shutdown port.
• If the shutdown port is not disabled, a strong password should be configured for shutdown.

It should be noted that Tomcat only listens to this port on the loopback address - 127.0.0.1:8005, so this port is only accessible from the local server. But let's try that!, i.e. disable the tomcat shutdown port as recommended by the tomcat security guide!

However if you do disable port in the config file: C:\icm\tomcat\conf\server.xml, as per below
<Code><Server port=“-1” shutdown=“SHUTDOWN”></code>

You will get then get the following error when viewing the SETUP web page:
And the error in the websetup logs is as follows:

%ICM-ERROR-SSLIISPrechecksInterceptor.intercept: Internet Information Server (IIS) was recently installed.  The machine must be restarted if it hasn't been already and the SSL Encryption Utility under Start > All Programs > Cisco Unified CCE Tools > SSL Encryption Utility must be run by selecting "ALL INSTANCES".

You will notice that when if you run the SSL Encryption Utility as recommended above - you will see the following error:

[Information] [SSLUtil] Comparing input: C:\icm\ssl\cfg\server-iis.xml output: C:\icm\tomcat\conf\server.xml

So the reason the setup webpage gives the error - is that the setup Java Class do various checks - one of which is clearly the above comparison of current server.xml file and a baseline config file C:\icm\ssl\cfg\server-iis.xml

If you make the SAME change and set the shutdown port set to “-1” on this comparison config file - the setup webpage will function successfully.

Note: This change should also be done to the CVP Servers.
They only require their CallServer Tomcat config file to be changed (set to “-1”).
The CVP Call Server Tomcat config file is located: C:\Cisco\CVP\CallServer\Tomcat\conf\server.xml