[GLASSFISH-17151] EJB remote deployed on GF 3.1 behind a NAT unaccessible via a simple Java app Created: 05/Aug/11  Updated: 19/Sep/14

Status: Reopened
Project: glassfish
Component/s: orb
Affects Version/s: 3.1
Fix Version/s: 4.1

Type: Bug Priority: Blocker
Reporter: Blaise Gosselin Assignee: Harshad Vilekar
Resolution: Unresolved Votes: 5
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OS Linux Debian 6
JDK 1.6.0.26


Issue Links:
Related
is related to GLASSFISH-17147 App client cannot find EJB behind NAT Open
Tags: 3_1_2-exclude, 3_1_2-release-note-added, 3_1_2-release-notes, orb-review

Description

I have 2 Glassfish servers version 3.1: a FRONT server and a BACK server.
The FRONT server is in a DMZ.
The BACK server is on a private LAN, not accessible directly from the DMZ, but through a firewall that does a NAT on the IP of the BACK server.
-> IP-PU-B = Public IP address of the BACK
-> IP-PR-B = Private IP address of the BACK

Thus, the FRONT server only knows the public IP of the BACK server (the "NATed" IP). The Glassfish on the BACK server knows only its own "private" IP address, not its NATed address (it is only valid for machines on the DMZ).

Here is my client code:
try {
    // Bootstrap the naming context from the jndi.properties shown below
    InitialContext context = new InitialContext();
    System.out.println("Context initialized!");
    // Look up the remote EJB by its JNDI name; the ORB answers with the EJB's own address
    HelloService service = (HelloService) context.lookup("HelloEJB");
    System.out.println("Service retrieved!");
    String name = service.countryCount();
    System.out.println("Hello " + name);
} catch (Exception e) {
    e.printStackTrace();
}

And here is my jndi.properties content in my client app:
java.naming.factory.initial = com.sun.enterprise.naming.SerialInitContextFactory
java.naming.factory.url.pkgs = com.sun.enterprise.naming
java.naming.factory.state = com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl
org.omg.CORBA.ORBInitialHost = IP-PU-B
org.omg.CORBA.ORBInitialPort = 3700

This code doesn't work if I launch my application from the DMZ trying to access the EJB remote via the IP address IP-PU-B.
This code works if I launch the application from "inside the network" trying to access the EJB remote via the IP address IP-PR-B.

The problem is due to the IIOP protocol as implemented on the Glassfish server. It does a first call on the ORB to locate the EJB (which is deployed on the same server as the ORB). Thus, the ORB sends the private IP to the client, instead of the public IP (which it has no way of knowing, as it is determined by the firewall)... The client then tries to connect on the private IP, which does not go through the firewall.

We have already tried the following solutions:

  • Connecting to a Remote EJB Module Through a Firewall
    Link: http://download.oracle.com/docs/cd/E19226-01/820-7695/6niugesud/index.html
    We have put the IP-PU-B as value for the variable "com.sun.corba.ee.ORBVAAHost".
    In that case, the problem between the FRONT and the BACK still exists, and moreover there is also a problem when I try to access the EJB remote from the Java application run on the BACK to the EJB remote on the BACK.
  • Replace Network address of the orb-listener-1, no better result.
  • Use of variable "java.rmi.server.hostname", no better result.

Is there a specific way to configure Glassfish behind a NAT to make it send the public IP instead of the private one?

Thanks in advance for your help!



Comments
Comment by Blaise Gosselin [ 09/Aug/11 ]

Important info: I just tested with the version 3.0.1, and it works correctly when I change the "Network address" of the "orb-listener-1".

It must then be a regression...

Comment by Nicolasdew [ 14/Sep/11 ]

Hello everyone,

we are experiencing the same problem using glassfish 3.1.1
The weirdest thing when setting the parameter com.sun.corba.ee.ORBVAAHost = "our_public_address" is that sometimes I can see that this address is taken into account and sometimes not.
I can see that by analyzing the GIOP packet in Wireshark.
Is it confirmed that it is a regression or a misuse?
Thank you for your reply.

Comment by Blaise Gosselin [ 22/Sep/11 ]

Hi,

Is it possible to have an answer to this problem please?

We are currently facing CDI problems with version 3.0.1, while it is the only one that works through a firewall => WE ARE STUCK for the moment, and we will probably have to use another AS (such as JBoss) if a solution is not proposed/found for our issues! At least maybe you could indicate to us the class/lib to change in GF 3.1 to make it work through a firewall as expected!

Thanks in advance for your help!

KR,

Comment by Blaise Gosselin [ 27/Sep/11 ]

Good news: we have solved this issue by ourselves!

A colleague of mine has investigated in the Glassfish source, and here is the result.

Modifications in org.glassfish.enterprise.iiop.impl.GlassFishORBManager:

  1. Change method getClearTextIiopListener to test the “security-enabled” attribute of the iiop-listener (our clear text listener had an SSL element, probably set by the administration console…).
GlassFishORBManager.java
    private IiopListener getClearTextIiopListener() {
        if (iiopListeners != null)  {
            for (IiopListener il : iiopListeners) {
                // Pick the listener by its security-enabled attribute, not by the presence of an <ssl> element
                if (!"true".equals(il.getSecurityEnabled())) {
                    return il ;
                }
            }
        }

        return null ;
    }
  2. Change the checkForAddrAny method to set the ORBConstants.SERVER_HOST_PROPERTY property to orbInitialHost. This allows us to send the hostname to the front server, and not the un-NATed IP. This is the same behavior as in Glassfish 3.0, and is needed in our case (NATed network between the EJB server and the client).
GlassFishORBManager.java
    private String checkForAddrAny(Properties props, String orbInitialHost) {
        // A wildcard bind address cannot be advertised to clients; fall back to the local host address
        if ((orbInitialHost.equals("0.0.0.0")) || (orbInitialHost.equals("::"))
                || (orbInitialHost.equals("::ffff:0.0.0.0"))) {
            try {
                String localAddress = java.net.InetAddress.getLocalHost().getHostAddress();
                return localAddress;
            } catch (java.net.UnknownHostException uhe) {
                logger.log(Level.WARNING,
                    "Unknown host exception - Setting host to localhost");

                return DEFAULT_ORB_INIT_HOST;
            }
        } else {
            // Configured listener address: also make it the host the ORB places in the IORs it hands out
            props.setProperty(ORBConstants.SERVER_HOST_PROPERTY, orbInitialHost);
            return orbInitialHost;
        }
    }

That's it!

Comment by Harshad Vilekar [ 15/Oct/11 ]

The fix is putback to 3.1.2 workspace. Blaise, could you please confirm if the issue is resolved in (tonight's or later) 3.1.2 build?

First change was not required - getSsl() correctly returns null for ClearTextIiopListener. Please check your admin settings if there is an issue.

Comment by Harshad Vilekar [ 16/Nov/11 ]

The fix is verified by the reporter.

Comment by Harshad Vilekar [ 16/Dec/11 ]

Although the fix works with NAT, it has a side effect - resulting in regression (GLASSFISH-17689). Fix is reverted.

Comment by mone_java [ 24/Jan/12 ]

I have the same problem.... I tried with glassfish 3.1.2-b19-01_23_2012....

this is what my client sends to the server (wireshark):

0000 00 13 49 e2 a3 e9 f4 6d 04 16 75 5e 08 00 45 00 ..I....m ..u^..E.
0010 01 60 ad b9 40 00 40 06 6b 86 c0 a8 01 23 4f 0e .`..@.@. k....#O.
0020 0f 7f c3 9e 0e 75 34 13 d6 8c 7e 5c 1a d8 80 18 .....u4. ..~\....
0030 00 5c 21 ab 00 00 01 01 08 0a 00 37 7b 6c 00 23 .!..... ...7{l.#
0040 e1 d3 47 49 4f 50 01 02 00 00 00 00 01 20 00 00 ..GIOP.. ..... ..
0050 00 05 03 00 00 00 00 00 00 00 00 00 00 0b 4e 61 ........ ......Na
0060 6d 65 53 65 72 76 69 63 65 00 00 00 00 06 5f 69 meServic e....._i
0070 73 5f 61 00 00 00 00 00 00 03 00 00 00 11 00 00 s_a..... ........
0080 00 02 00 02 00 00 4e 45 4f 00 00 00 00 02 00 14 ......NE O.......
0090 00 00 00 00 00 06 00 00 00 a6 00 00 00 00 00 00 ........ ........
00a0 00 28 49 44 4c 3a 6f 6d 67 2e 6f 72 67 2f 53 65 .(IDL:om g.org/Se
00b0 6e 64 69 6e 67 43 6f 6e 74 65 78 74 2f 43 6f 64 ndingCon text/Cod
00c0 65 42 61 73 65 3a 31 2e 30 00 00 00 00 01 00 00 eBase:1. 0.......
00d0 00 00 00 00 00 6a 00 01 02 00 00 00 00 0a 31 32 .....j.. ......12
00e0 37 2e 30 2e 31 2e 31 00 95 21 00 00 00 19 af ab 7.0.1.1. .!......
00f0 cb 00 00 00 00 02 00 00 00 65 00 00 00 08 00 00 ........ .e......
0100 00 00 00 00 00 00 14 00 00 00 00 00 00 02 00 00 ........ ........
0110 00 01 00 00 00 20 00 00 00 00 00 01 00 01 00 00 ..... .. ........
0120 00 02 05 01 00 01 00 01 00 20 00 01 01 09 00 00 ........ . ......
0130 00 01 00 01 01 00 00 00 00 26 00 00 00 02 00 02 ........ .&......
0140 00 00 00 00 00 28 49 44 4c 3a 6f 6d 67 2e 6f 72 .....(ID L:omg.or
0150 67 2f 43 6f 73 4e 61 6d 69 6e 67 2f 4e 61 6d 69 g/CosNam ing/Nami
0160 6e 67 43 6f 6e 74 65 78 74 3a 31 2e 30 00 ngContex t:1.0.

and this what my server sends to my client:

0000 f4 6d 04 16 75 5e 00 13 49 e2 a3 e9 08 00 45 00 .m..u^.. I.....E.
0010 02 72 fb 33 40 00 33 06 29 fa 4f 0e 0f 7f c0 a8 .r.3@.3. ).O.....
0020 01 23 0e 75 c3 9e 7e 5c 1a d8 34 13 d7 b8 80 18 .#.u..~\ ..4.....
0030 00 6c cf 72 00 00 01 01 08 0a 00 23 e2 05 00 37 .l.r.... ...#...7
0040 7b 6c 47 49 4f 50 01 02 00 01 00 00 02 32 00 00 {lGIOP.. .....2..
0050 00 05 00 00 00 03 00 00 00 02 4e 45 4f 00 00 00 ........ ..NEO...
0060 00 02 00 14 00 00 00 00 00 06 00 00 01 30 00 00 ........ .....0..
0070 00 00 00 00 00 28 49 44 4c 3a 6f 6d 67 2e 6f 72 .....(ID L:omg.or
0080 67 2f 53 65 6e 64 69 6e 67 43 6f 6e 74 65 78 74 g/Sendin gContext
0090 2f 43 6f 64 65 42 61 73 65 3a 31 2e 30 00 00 00 /CodeBas e:1.0...
00a0 00 01 00 00 00 00 00 00 00 f4 00 01 02 00 00 00 ........ ........
00b0 00 0e 31 39 32 2e 31 36 38 2e 31 2e 32 30 32 00 ..192.16 8.1.202.
00c0 0e 74 00 00 00 19 af ab cb 00 00 00 00 02 00 00 .t...... ........
00d0 00 64 00 00 00 08 00 00 00 00 00 00 00 00 14 00 .d...... ........
00e0 00 00 00 00 00 03 00 00 00 01 00 00 00 20 00 00 ........ ..... ..
00f0 00 00 00 01 00 01 00 00 00 02 05 01 00 01 00 01 ........ ........
0100 00 20 00 01 01 09 00 00 00 01 00 01 01 00 00 00 . ...... ........
0110 00 26 00 00 00 02 00 02 00 00 00 00 00 21 00 00 .&...... .....!..
0120 00 7c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 .|...... ........
0130 00 24 00 00 00 20 00 00 00 66 00 00 00 00 00 00 .$... .. .f......
0140 00 01 00 00 00 0e 31 39 32 2e 31 36 38 2e 31 2e ......19 2.168.1.
0150 32 30 32 00 0e ec 00 40 00 00 00 00 00 08 06 06 202....@ ........
0160 67 81 02 01 01 01 00 00 00 17 04 01 00 08 06 06 g....... ........
0170 67 81 02 01 01 01 00 00 00 07 64 65 66 61 75 6c g....... ..defaul
0180 74 00 04 00 00 00 00 00 00 00 00 00 00 01 00 00 t....... ........
0190 00 08 06 06 67 81 02 01 01 01 00 00 00 0f 00 00 ....g... ........
01a0 00 00 00 00 00 2b 49 44 4c 3a 6f 6d 67 2e 6f 72 .....+ID L:omg.or
01b0 67 2f 43 6f 73 4e 61 6d 69 6e 67 2f 4e 61 6d 69 g/CosNam ing/Nami
01c0 6e 67 43 6f 6e 74 65 78 74 45 78 74 3a 31 2e 30 ngContex tExt:1.0
01d0 00 00 00 00 00 01 00 00 00 00 00 00 00 a2 00 01 ........ ........
01e0 02 00 00 00 00 0e 31 39 32 2e 31 36 38 2e 31 2e ......19 2.168.1.
01f0 32 30 32 00 0e 74 00 00 00 4d af ab cb 00 00 00 202..t.. .M......
0200 00 20 00 00 00 64 00 00 00 09 53 31 41 53 2d 4f . ...d.. ..S1AS-O
0210 52 42 00 00 00 00 00 00 00 02 00 00 00 08 52 6f RB...... ......Ro
0220 6f 74 50 4f 41 00 00 00 00 0d 54 4e 61 6d 65 53 otPOA... ..TNameS
0230 65 72 76 69 63 65 00 00 00 00 00 00 00 08 00 00 ervice.. ........
0240 00 01 00 00 00 01 14 00 00 00 00 00 00 02 00 00 ........ ........
0250 00 01 00 00 00 20 00 00 00 00 00 01 00 01 00 00 ..... .. ........
0260 00 02 05 01 00 01 00 01 00 20 00 01 01 09 00 00 ........ . ......
0270 00 01 00 01 01 00 00 00 00 26 00 00 00 02 00 02 ........ .&......

As you can see, the server sends my client the private IP and not the public one.... I don't understand what I can do to resolve this....
Thank you a lot!

Set the public IP as the IP for the IIOP listener; will that not solve the problem?
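
The description says the ORB answers the client's first call with the server's own address and the client then connects there; the server-to-client frame posted above shows that mechanism on the wire. The following Python is an added example (not code from the issue, from GlassFish or from any commenter): it decodes that frame, reads the GIOP header and the Reply header, skips the service contexts and, because the reply status is LOCATION_FORWARD, decodes the IOR in the body down to the host and port of its IIOP profile. GIOP_REPLY is the rows of the dump from offset 0x40 onward with the offset and ASCII columns removed; the names CDR, parse_giop_reply, GIOP_REPLY and REPLY_STATUS are this example's own. It handles either GIOP byte order, so it also works on captures from ORBs that send little-endian messages.

```python
import struct

# Server -> client frame from the Wireshark dump above (rows 0040-0270, offset/ASCII columns removed).
GIOP_REPLY = bytes.fromhex("""
7b 6c 47 49 4f 50 01 02 00 01 00 00 02 32 00 00
00 05 00 00 00 03 00 00 00 02 4e 45 4f 00 00 00
00 02 00 14 00 00 00 00 00 06 00 00 01 30 00 00
00 00 00 00 00 28 49 44 4c 3a 6f 6d 67 2e 6f 72
67 2f 53 65 6e 64 69 6e 67 43 6f 6e 74 65 78 74
2f 43 6f 64 65 42 61 73 65 3a 31 2e 30 00 00 00
00 01 00 00 00 00 00 00 00 f4 00 01 02 00 00 00
00 0e 31 39 32 2e 31 36 38 2e 31 2e 32 30 32 00
0e 74 00 00 00 19 af ab cb 00 00 00 00 02 00 00
00 64 00 00 00 08 00 00 00 00 00 00 00 00 14 00
00 00 00 00 00 03 00 00 00 01 00 00 00 20 00 00
00 00 00 01 00 01 00 00 00 02 05 01 00 01 00 01
00 20 00 01 01 09 00 00 00 01 00 01 01 00 00 00
00 26 00 00 00 02 00 02 00 00 00 00 00 21 00 00
00 7c 00 00 00 00 00 00 00 01 00 00 00 00 00 00
00 24 00 00 00 20 00 00 00 66 00 00 00 00 00 00
00 01 00 00 00 0e 31 39 32 2e 31 36 38 2e 31 2e
32 30 32 00 0e ec 00 40 00 00 00 00 00 08 06 06
67 81 02 01 01 01 00 00 00 17 04 01 00 08 06 06
67 81 02 01 01 01 00 00 00 07 64 65 66 61 75 6c
74 00 04 00 00 00 00 00 00 00 00 00 00 01 00 00
00 08 06 06 67 81 02 01 01 01 00 00 00 0f 00 00
00 00 00 00 00 2b 49 44 4c 3a 6f 6d 67 2e 6f 72
67 2f 43 6f 73 4e 61 6d 69 6e 67 2f 4e 61 6d 69
6e 67 43 6f 6e 74 65 78 74 45 78 74 3a 31 2e 30
00 00 00 00 00 01 00 00 00 00 00 00 00 a2 00 01
02 00 00 00 00 0e 31 39 32 2e 31 36 38 2e 31 2e
32 30 32 00 0e 74 00 00 00 4d af ab cb 00 00 00
00 20 00 00 00 64 00 00 00 09 53 31 41 53 2d 4f
52 42 00 00 00 00 00 00 00 02 00 00 00 08 52 6f
6f 74 50 4f 41 00 00 00 00 0d 54 4e 61 6d 65 53
65 72 76 69 63 65 00 00 00 00 00 00 00 08 00 00
00 01 00 00 00 01 14 00 00 00 00 00 00 02 00 00
00 01 00 00 00 20 00 00 00 00 00 01 00 01 00 00
00 02 05 01 00 01 00 01 00 20 00 01 01 09 00 00
00 01 00 01 01 00 00 00 00 26 00 00 00 02 00 02
""")

REPLY_STATUS = {0: "NO_EXCEPTION", 1: "USER_EXCEPTION", 2: "SYSTEM_EXCEPTION",
                3: "LOCATION_FORWARD", 4: "LOCATION_FORWARD_PERM", 5: "NEEDS_ADDRESSING_MODE"}
TAG_INTERNET_IOP = 0  # profile tag of an IIOP ProfileBody inside an IOR


class CDR:
    """Minimal CDR reader (example code); alignment is relative to the start of its buffer."""
    def __init__(self, data, little_endian=False):
        self.data, self.pos, self.fmt = data, 0, "<" if little_endian else ">"

    def uint(self, size):
        """Unsigned 1/2/4-byte integer, aligned to its own size as CDR requires."""
        self.pos += -self.pos % size
        value = struct.unpack_from(self.fmt + {1: "B", 2: "H", 4: "I"}[size], self.data, self.pos)[0]
        self.pos += size
        return value

    def octets(self):
        """sequence<octet>: u32 length, then that many raw bytes."""
        n = self.uint(4)
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def string(self):
        """CDR string: a sequence<octet> whose length includes the NUL terminator."""
        return self.octets().rstrip(b"\0").decode("latin-1")


def parse_giop_reply(frame):
    """Decode a GIOP 1.2 Reply; on LOCATION_FORWARD also decode the IIOP profile of the new IOR."""
    start = frame.find(b"GIOP")
    if start < 0:
        raise ValueError("no GIOP message in frame")
    msg = frame[start:]
    rd = CDR(msg, little_endian=bool(msg[6] & 1))  # header flags: bit 0 set = little-endian
    rd.pos = 8                                       # past magic, version, flags and message type
    info = {"giop_version": f"{msg[4]}.{msg[5]}", "message_type": msg[7], "message_size": rd.uint(4)}
    if msg[7] != 1:                                  # 1 = Reply
        return info
    info["request_id"] = rd.uint(4)
    status = rd.uint(4)
    info["reply_status"] = REPLY_STATUS.get(status, status)
    for _ in range(rd.uint(4)):                      # ServiceContextList: skip each {context_id, context_data}
        rd.uint(4)
        rd.octets()
    if status not in (3, 4):                         # only LOCATION_FORWARD(_PERM) carries an IOR body
        return info
    rd.pos += -rd.pos % 8                            # GIOP 1.2: the reply body starts on an 8-byte boundary
    info["type_id"] = rd.string()                    # IOR = type_id + sequence<TaggedProfile>
    for _ in range(rd.uint(4)):
        tag, profile = rd.uint(4), rd.octets()
        if tag == TAG_INTERNET_IOP:                  # encapsulation: byte order, IIOP version, host, port, ...
            enc = CDR(profile, little_endian=bool(profile[0] & 1))
            enc.pos = 1                              # past the encapsulation's own byte-order octet
            info["iiop_version"] = f"{enc.uint(1)}.{enc.uint(1)}"
            info["host"], info["port"] = enc.string(), enc.uint(2)
    return info
```

Calling parse_giop_reply(GIOP_REPLY) on this capture gives reply_status LOCATION_FORWARD with a NamingContextExt IOR whose IIOP 1.2 profile names host 192.168.1.202 and port 3700, the private listener address. That is the second connection the client attempts, and it is the one that never crosses the firewall; running the decoder over a capture of one's own client shows directly which address the ORB is advertising after any listener or ORBVAAHost change.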

Comment by Rebecca Parks [ 24/Jan/12 ]

This has been flagged for the 3.1.2 Release Notes, but I'm not sure what the Release Notes should say. I think I understand the problem, which is summed up in this paragraph:

"The problem is due to the IIOP protocol as implemented on the Glassfish server. It does a first call on the ORB to locate the EJB (which is deployed on the same server as the ORB). Thus, the ORB sends the private IP to the client, instead of the public IP (which it has no way of knowing, as it is determined by the firewall)... The client then tries to connect on the private IP, which does not go though the firewall."

What I'm not sure I understand is the workaround. Is it the code that Blaise posted?

Comment by Harshad Vilekar [ 25/Jan/12 ]

There is no properly tested workaround available for this issue.

Comment by mone_java [ 25/Jan/12 ]

So for now, it is impossible to communicate with an EJB on a Debian server? I have not tried it with Windows Server... Has the code of Blaise Gosselin been applied, or has it been removed? Otherwise I will try with that code for now, because I need it to work!

PS: And another question... Why does the client send 127.0.1.1 to the server?

Comment by mone_java [ 29/Jan/12 ]

I tried version 3.1.2_b06 but it does not work.... What is your setting for the IIOP listener?

Comment by thezebulette [ 16/Apr/12 ]

Hello,
I think I had the same problem trying to deploy my Eclipse RCP application (EJB3 inside).

I don't have any problem accessing the glassfish server on the private address.
I can't (and I have tried everything) call my application on the public address from outside the DMZ..

So what is the clue, in the end? Any?

Comment by ymajoros [ 15/Jan/13 ]

Hi,

Is it possible to have an answer to this problem please?

I work with Blaise Gosselin, who made the patch in #4, and we still have the issue. We have to patch every new version of Glassfish as described.

Thanks in advance for your help!

KR,

Comment by Tom Mueller [ 07/Feb/13 ]

Targeting for 4.0.1 as bugs related to the orb do not need to be fixed for the RI/SDK.

Comment by hoseka [ 22/Apr/13 ]

Hi all!
Can I solve this problem in version 3.1.2?
Does the correction proposed by Blaise Gosselin work?
Where can I get the source orb-iiop.jar to fix it and replace in my glassfish?

Comment by skgaju [ 05/Sep/13 ]

Has anyone tried setting the public IP on the IIOP listener together with the Blaise Gosselin patch?

Generated at Sat Apr 25 22:18:12 UTC 2015 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.