[Mulgara-dev] [Topaz-dev] connecting to mulgara on remote server requires allowing connections to a random high port
Amit Kapoor
amitkapoor at mindspring.com
Tue Apr 22 20:52:25 UTC 2008
Hi Russ,
I am going to take a guess at what is going on and let others with more
technical knowledge correct me. I believe it is an inherent limitation in
Mulgara right now, and think it should not be too hard to fix.
I think the basic problem is Mulgara registering its 'server object' using
an anonymous port with the RMI registry and an administrator not knowing
this cannot configure that specific port on the firewall.
On Tue, Apr 22, 2008 at 12:48:40PM -0700, Russell Uman wrote:
> running mulgara on branch server, ambra locally.
>
> [root at sfweb02 WEB-INF]# /etc/init.d/mulgara status
> mulgara (30571) is running from /usr/local/topaz/mulgara
> PID USER RSS %MEM ELAPSED TIME %CPU COMMAND
> 30571 topaz 128616 6.6 22:57 00:00:10 0.7 java
> java 30571 topaz 5u IPv6 3719905 TCP *:53773 (LISTEN)
This is the Mulgara RMI server object. I believe Mulgara is asking the OS
to assign it a port and gets one at random.
> java 30571 topaz 8u IPv6 3719907 TCP *:21212 (LISTEN)
> java 30571 topaz 10u IPv6 3719911 TCP *:1099 (LISTEN)
RMI Registry port. This has to be open via iptables, if you want other
machines to have access to Mulgara.
> java 30571 topaz 128u IPv6 3720176 TCP *:35791 (LISTEN)
> java 30571 topaz 129u IPv6 3720177 TCP 127.0.0.1:6789 (LISTEN)
>
> i get the following errors in ambra.log when i try to start ambra:
>
> WARN [main] WebAppListenerInitModels - bootstrap of models failed
> org.topazproject.otm.OtmException: Error talking to 'rmi://sfweb02.plos.org/topazproject'
> Caused by: org.mulgara.connection.ConnectionException: Unable to connect to a server
> Caused by: org.mulgara.server.driver.SessionFactoryFinderException: Couldn't create session factory for rmi://sfweb02.plos.org/topazproject
> Caused by: java.net.NoRouteToHostException: No route to host: connect
Ambra looks up Mulgara from the RMI registry at port 1099 and gets back the
object at port 53773.
> i opened up tcpdump to see what was going on:
>
> 12:26:53.003432 IP 10.135.1.11.1099 > 10.135.2.75.1191: . ack 81 win 5840
> 12:26:53.004408 IP 10.135.1.11.1099 > 10.135.2.75.1191: P 19:252(233) ack 81 win 5840
> 12:26:53.038449 IP 10.135.2.75.1192 > 10.135.1.11.53773: S 3355006600:3355006600(0) win 65535 <mss 1460,nop,nop,sackOK>
> 12:26:53.038470 IP 10.135.1.11 > 10.135.2.75: ICMP host 10.135.1.11 unreachable - admin prohibited, length 56
>
> well, i hadn't opened iptables for port 53773, so no wonder.
Tries to connect and is rejected by iptables.
> after disabling iptables, ambra is able to connect to the mulgara server
> on branch.
Yup.
> this isn't good practice from a security standpoint, and i'm
> disappointed to see it creeping back in (we already require a completely
> open firewall between mulgara and ambra to allow ehcache traffic between
> mulgara and ambra: http://www.topazproject.org/trac/ticket/775)
>
> is there any way to fix this with rmi?
I think there are two ways:
1. iptables (or a proxy) is able to sniff the randomly assigned port in the
return data from the RMI registry and opens that to the world. I did a
google search and did not find anything here. Maybe others on the list
know of a better solution.
2. Mulgara fixes the port it allocates to the server object registered with
the RMI registry. Looks fairly simple to do with
UnicastRemoteObject, but not knowing Mulgara code I don't know if there
is a catch here. Ronald, Paul, Andrae?
regards
Amit
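As an added illustration of option 2 above (example code, not Mulgara's own): a minimal Java RMI server that exports its remote object on a fixed port instead of letting the JVM pick an anonymous high port such as the 53773 seen in the lsof output. The interface name, the export port 1100 and the binding name "topazproject" are assumptions for the example.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

// Hypothetical remote interface standing in for Mulgara's server object.
interface SessionFactoryService extends Remote {
    String ping() throws RemoteException;
}

public class FixedPortRmiServer {
    // Port the RMI registry listens on (the *:1099 listener in the lsof output).
    static final int REGISTRY_PORT = 1099;
    // Assumed fixed port for the exported object. Passing 0 here is what yields
    // an OS-chosen anonymous port that an administrator cannot pre-allow.
    static final int OBJECT_PORT = 1100;

    static final class SessionFactoryImpl implements SessionFactoryService {
        public String ping() { return "pong"; }
    }

    public static void main(String[] args) throws Exception {
        SessionFactoryService impl = new SessionFactoryImpl();

        // Before (anonymous port): UnicastRemoteObject.exportObject(impl, 0)
        // After (fixed port): the stub handed back by the registry carries
        // OBJECT_PORT, so that is the port the client will connect to, and
        // iptables can allow 1099 and 1100 explicitly instead of "all high ports".
        SessionFactoryService stub =
            (SessionFactoryService) UnicastRemoteObject.exportObject(impl, OBJECT_PORT);

        // Create the registry in-process and bind the stub under a well-known name.
        Registry registry = LocateRegistry.createRegistry(REGISTRY_PORT);
        registry.rebind("topazproject", stub);

        System.out.println("registry on " + REGISTRY_PORT
            + ", server object exported on " + OBJECT_PORT);
        Thread.currentThread().join(); // keep the JVM (and both listeners) alive
    }
}
```

With the object exported this way, `lsof` on the server should show only the two chosen ports listening for RMI, which can then be opened on the firewall individually.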