5 Replies. Latest reply: Nov 9, 2012 10:27 AM by Charles Lamb

NoSQL behind firewall does not work

dimo Newbie
Hi guys,

I am trying to run the NoSQL nodes behind a firewall without any success.

I am running the RMI registry on port 5100 which I have allowed in the firewall. When I telnet to that port I get a connection. However, when using the normal API I get connection exceptions. I have debugged the issue down to the following RMI-related problem - the NoSQL database seems to bind different remote objects on random ports (check out the two calls to UnicastRemoteObject.exportObject(object, 0) in oracle.kv.impl.util.registry.RegistryUtils - 0 is the default meaning any available port). This of course does not work behind a firewall unless I allow connections to any port which basically deactivates the firewall.

What can I do to fix that? Is there a way to force the NoSQL JVM process to use one single RMI port (the registry port)? Can I configure at least a range of ports to be used?

Cheers,
Dimo
  • 1. Re: NoSQL behind firewall does not work
    Charles Lamb Pro
    Hello Dimo,

    Yes, this is a problem. In R2 we will introduce the ability to specify a socket factory which you can use to limit the RMI ports to a specific range. You would then open that range of ports in your firewall.

    Charles
  • 2. Re: NoSQL behind firewall does not work
    dimo Newbie
    Hi Charles,

    thank you for the reply!

    Do you have any idea when R2 will be available? Can we get some workaround from the enterprise support guys? I do not think we can go into production with open firewalls...

    Best regards,
    Dimo
  • 3. Re: NoSQL behind firewall does not work
    Charles Lamb Pro
    Please contact me via email (charles.lamb).

    Charles
  • 4. Re: NoSQL behind firewall does not work
    dimo Newbie
    Hi Charles,

    thank you for the reply. We had to open the firewalls for it to work - however I have seen a few docs / whitepapers where a firewall is drawn between app and db. No mention however that the firewall must allow any port which effectively deactivates it.

    It would be great if NoSQL had a configuration option per Java process (admin, rn, sn...) where one could define the RMI port. I experimented a bit and it should be pretty straightforward to set a socket factory for each process and add a configuration option per process type. At least I was able to do it for the all-in-one process.

    Cheers
    Dimo

    Edited by: dimo on Nov 9, 2012 4:30 PM
  • 5. Re: NoSQL behind firewall does not work
    Charles Lamb Pro
    Hi Dimo,

    This will be available as an option to the makebootconfig command in R2.

    Charles
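
The socket-factory approach discussed in this thread, as an added example that is not part of the original posts and is not Oracle NoSQL's own code or its R2 option: a plain java.rmi server socket factory that places exports made with port 0 inside a fixed range, so the firewall needs only the registry port plus that range. The class names, the Ping interface and the 5101-5110 range are assumptions made for the demo; 5100 is the registry port from the question.

```java
import java.io.IOException;
import java.net.BindException;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;

public class PortRangeRmiDemo {
    // Hypothetical remote interface, used only for this demo.
    public interface Ping extends Remote { String ping() throws RemoteException; }

    // Binds RMI listeners inside [low, high] instead of an OS-chosen ephemeral port.
    static final class RangeServerSocketFactory implements RMIServerSocketFactory {
        private final int low, high;
        RangeServerSocketFactory(int low, int high) { this.low = low; this.high = high; }

        @Override public ServerSocket createServerSocket(int port) throws IOException {
            if (port != 0) return new ServerSocket(port); // explicit port (the registry) is honored
            for (int p = low; p <= high; p++) {
                try {
                    ServerSocket s = new ServerSocket(p);
                    System.out.println("RMI listener bound on port " + p);
                    return s;
                } catch (BindException busy) { /* port taken, try the next one */ }
            }
            throw new IOException("no free RMI port in " + low + "-" + high);
        }
        // RMI shares one listener among exports whose server socket factories are equal.
        @Override public boolean equals(Object o) {
            return o instanceof RangeServerSocketFactory
                && ((RangeServerSocketFactory) o).low == low
                && ((RangeServerSocketFactory) o).high == high;
        }
        @Override public int hashCode() { return 31 * low + high; }
    }

    public static void main(String[] args) throws Exception {
        RMIServerSocketFactory ssf = new RangeServerSocketFactory(5101, 5110); // constructed range
        Registry registry = LocateRegistry.createRegistry(5100, null, ssf);    // port from the thread
        Ping impl = new Ping() { public String ping() { return "pong"; } };
        registry.rebind("ping", UnicastRemoteObject.exportObject(impl, 0, null, ssf));
        System.out.println(((Ping) registry.lookup("ping")).ping()); // call goes over the ranged port
        UnicastRemoteObject.unexportObject(impl, true);      // let the demo JVM exit
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

The range only takes effect for objects exported with this factory; any object still exported through the two-argument exportObject(object, 0) keeps getting an ephemeral port.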
