5 Replies. Latest reply: Nov 9, 2012 12:27 PM by Charles Lamb

    NoSQL behind firewall does not work

    dimo
      Hi guys,

      I am trying to run the NoSQL nodes behind a firewall without any success.

      I am running the RMI registry on port 5100 which I have allowed in the firewall. When I telnet to that port I get a connection. However, when using the normal API I get connection exceptions. I have debugged the issue down to the following RMI-related problem - the NoSQL database seems to bind different remote objects on random ports (check out the two calls to UnicastRemoteObject.exportObject(object, 0) in oracle.kv.impl.util.registry.RegistryUtils - 0 is the default meaning any available port). This of course does not work behind a firewall unless I allow connections to any port which basically deactivates the firewall.

      What can I do to fix that? Is there a way to force the NoSQL JVM process to use one single RMI port (the registry port)? Can I configure at least a range of ports to be used?

      Cheers,
      Dimo
        • 1. Re: NoSQL behind firewall does not work
          Charles Lamb
          dimo wrote:
          Hi guys,

          I am trying to run the NoSQL nodes behind a firewall without any success.

          I am running the RMI registry on port 5100 which I have allowed in the firewall. When I telnet to that port I get a connection. However, when using the normal API I get connection exceptions. I have debugged the issue down to the following RMI-related problem - the NoSQL database seems to bind different remote objects on random ports (check out the two calls to UnicastRemoteObject.exportObject(object, 0) in oracle.kv.impl.util.registry.RegistryUtils - 0 is the default meaning any available port). This of course does not work behind a firewall unless I allow connections to any port which basically deactivates the firewall.

          What can I do to fix that? Is there a way to force the NoSQL JVM process to use one single RMI port (the registry port)? Can I configure at least a range of ports to be used?

          Hello Dimo,

          Yes, this is a problem. In R2 we will introduce the ability to specify a socket factory which you can use to limit the RMI ports to a specific range. You would then open that range of ports in your firewall.

          Charles
          • 2. Re: NoSQL behind firewall does not work
            dimo
            Hi Charles,

            Thank you for the reply!

            Do you have any idea when R2 will be available? Can we get some workaround from the enterprise support guys? I do not think we can go into production with open firewalls...

            Best regards,
            Dimo
            • 3. Re: NoSQL behind firewall does not work
              Charles Lamb
              Please contact me via email (charles.lamb).

              Charles
              • 4. Re: NoSQL behind firewall does not work
                dimo
                Hi Charles,

                Thank you for the reply. We had to open the firewalls for it to work - however I have seen a few docs / whitepapers where a firewall is drawn between app and db. No mention however that the firewall must allow any port which effectively deactivates it.

                It would be great if nosql had a configuration option per java process (admin, rn, sn...) where one could define the RMI port. I experimented a bit and it should be pretty straightforward to set a socket factory for each process and add a configuration option per process type. At least I was able to do it for the all-in-one process.

                Cheers
                Dimo

                Edited by: dimo on Nov 9, 2012 4:30 PM
                • 5. Re: NoSQL behind firewall does not work
                  Charles Lamb
                  dimo wrote:
                  Hi Charles,

                  Thank you for the reply. We had to open the firewalls for it to work - however I have seen a few docs / whitepapers where a firewall is drawn between app and db. No mention however that the firewall must allow any port which effectively deactivates it.

                  It would be great if nosql had a configuration option per java process (admin, rn, sn...) where one could define the RMI port. I experimented a bit and it should be pretty straightforward to set a socket factory for each process and add a configuration option per process type. At least I was able to do it for the all-in-one process.

                  Cheers
                  Dimo

                  Hi Dimo,

                  This will be available as an option to the makebootconfig command in R2.

                  Charles
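
The socket-factory approach discussed in this thread, sketched with the standard java.rmi API. This is an added example, not Oracle NoSQL code and not code from either poster: the class names, the `Ping` service and the range 5101-5110 are assumptions; only the registry port 5100 comes from the thread. The firewall then needs the registry port plus that range open instead of every port.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;

public class PortRangeRmiDemo {
    public interface Ping extends Remote { String ping() throws RemoteException; }

    // Hypothetical factory: maps RMI's anonymous port (0) onto a fixed, firewall-friendly range.
    static final class PortRangeFactory implements RMIServerSocketFactory {
        private final int low, high;
        PortRangeFactory(int low, int high) {
            if (low < 1 || high > 65535 || low > high) throw new IllegalArgumentException("bad port range");
            this.low = low; this.high = high;
        }
        @Override public ServerSocket createServerSocket(int port) throws IOException {
            if (port != 0) return new ServerSocket(port);    // explicit port requested: honour it
            for (int p = low; p <= high; p++) {
                try { return new ServerSocket(p); }          // first free port in the range wins
                catch (IOException inUse) { /* port taken, try the next one */ }
            }
            throw new IOException("no free port in " + low + "-" + high);
        }
        // RMI shares one listener between exports whose factories compare equal.
        @Override public boolean equals(Object o) {
            return o instanceof PortRangeFactory
                && ((PortRangeFactory) o).low == low && ((PortRangeFactory) o).high == high;
        }
        @Override public int hashCode() { return 31 * low + high; }
    }

    // Strong reference so the exported object is not garbage-collected.
    static final Ping IMPL = new Ping() { public String ping() { return "pong"; } };

    public static void main(String[] args) throws Exception {
        RMIServerSocketFactory ssf = new PortRangeFactory(5101, 5110);   // constructed range
        // Still port 0, as in the calls quoted above, but the factory now decides the real port.
        Ping stub = (Ping) UnicastRemoteObject.exportObject(IMPL, 0, null, ssf);
        LocateRegistry.createRegistry(5100).rebind("ping", stub);
        System.out.println("exported: " + stub);   // the endpoint shown carries a port from the range
    }
}
```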