Tomcat7 with enabled JMX opens 2 additional random

Published 2019-02-24 12:47

Question:

I run Tomcat7 using JDK7 on Centos6. I enable JMX using the following options:

CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9123 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.local.only=true"

Unfortunately, when I check what ports are opened I discover 2 additional random ports:

netstat -plunt | grep java
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 :::60555                            :::*                LISTEN      22752/java
tcp        0      0 ::ffff:127.0.0.1:8080               :::*                LISTEN      22752/java
tcp        0      0 :::9123                             :::*                LISTEN      22752/java
tcp        0      0 :::40867                            :::*                LISTEN      22752/java

I guess that JMX should open one additional port (see "JMX enabled Java application appears to open a random high order port when JMX client connects").

Why does JMX in Tomcat open 2 additional ports?

How can I configure these ports?

If I configure -Dcom.sun.management.jmxremote.local.only=true, does that mean the additional ports can also be accessed using local access only?

How can I configure it so that ::ffff:127.0.0.1 appears before all ports opened by JMX?

Answer 1:

You can use Tomcat's JMX Remote Lifecycle Listener which allows fixing the ports used by the JMX/RMI Server.
The JMX Remote Lifecycle Listener allows configuring the following ports:

  • rmiRegistryPortPlatform - The port to be used by the JMX/RMI registry for the Platform MBeans. This one should be used instead of the com.sun.management.jmxremote.port system property.
  • rmiServerPortPlatform - The port to be used by the Platform JMX/RMI server.

In addition, you can configure the useLocalPorts attribute: should any clients using these ports be forced to use local ports to connect to the JMX/RMI server.

Notice that this listener requires catalina-jmx-remote.jar to be placed in $CATALINA_HOME/lib. This jar may be found in the extras directory of the binary download area.
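
A check to run after changing the configuration, as an added example that is not part of the original question or answer: it parses `netstat -plunt` output and reports Java listeners that sit on ports you did not pin or that are bound to all interfaces. The sample input is the output quoted in the question; the function names and the expected-port set are assumptions made for illustration.

```python
import ipaddress

# Sample input: the `netstat -plunt | grep java` lines quoted in the question.
SAMPLE = """\
tcp        0      0 :::60555                            :::*                LISTEN      22752/java
tcp        0      0 ::ffff:127.0.0.1:8080               :::*                LISTEN      22752/java
tcp        0      0 :::9123                             :::*                LISTEN      22752/java
tcp        0      0 :::40867                            :::*                LISTEN      22752/java
"""

def parse_listeners(text, program="java"):
    """Return (bind_address, port, pid) for every TCP LISTEN socket owned by `program`."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # header, UDP or non-listening line
        pid, _, name = f[6].partition("/")
        if name != program:
            continue
        addr, _, port = f[3].rpartition(":")  # ":::9123" -> ("::", "9123")
        listeners.append((addr, int(port), int(pid)))
    return listeners

def is_loopback(addr):
    """True only for loopback binds, including IPv4-mapped ones like ::ffff:127.0.0.1."""
    if addr in ("", "*"):
        return False
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # None for IPv4 and plain IPv6
    return (mapped or ip).is_loopback

def audit(text, expected_ports):
    """List (port, finding) for listeners that are unpinned or reachable off-host."""
    findings = []
    for addr, port, _pid in parse_listeners(text):
        exposed = not is_loopback(addr)
        if port not in expected_ports:
            findings.append((port, "unpinned port" + (", bound to all interfaces" if exposed else "")))
        elif exposed:
            findings.append((port, "pinned port bound to all interfaces"))
    return sorted(findings)

if __name__ == "__main__":
    # Assumption: 8080 (HTTP connector) and 9123 (JMX registry) are the ports you intended.
    for port, finding in audit(SAMPLE, {8080, 9123}):
        print(port, finding)
```

With the listener configured, add the value chosen for rmiServerPortPlatform to the expected set; any remaining finding is a port to firewall or rebind, since the question's options disable JMX authentication and SSL.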