10 Replies Latest reply on Jun 22, 2017 11:32 AM by jasonglass

    JMS Message Queue, NAT'ed IP - change ?advertised? address

    jasonglass

        Hi All!

      So problem, and likely a simple (I hope!) answer!  We're using JBoss EAP 6, we have a JMS queue.  We're switching to SaaS (unfortunately) so our vendor is trying to connect to the JMS queue, but since it's SaaS, there's FW rules and IP address NAT'ing in place and I believe it's causing issues (well I know it is).  So basically I'm wondering if there's a way to get the JMS subsystem to *think* it's bound to a NAT'ed VIP/IP so when it ?advertises? the connect back port, the remote client doesn't end up with a no route to host exception.

      So for example, locally the server's IP in our network is say 10.140.40.157.  The JMS is bound to this, everything works properly within our own network, I can consume from the queue.  To our vendor, for example 10.140.40.157 is NAT'ed to 10.250.40.157, then the firewall rules NAT this to 10.140.40.157 - however, and though I'm familiar with JMS, it appears when setting up the queue connection factory that the JBoss server is "saying" hey, you need to connect to me on my real port and IP of 10.140.40.157, and obviously when the vendor tries to connect, since that IP range isn't part of their network, it throws a No route to host exception.  So basically the vendor connects to the NAT IP, all is good, but then half way through the communication process the JBoss server says okay, let's continue communicating on this other port and IP and everything will be all good.  The problem is, the vendor's network doesn't understand how to route that IP.  So my question is, is there a way to tell the JMS subsystem to ?pretend? it's binding to an IP or FQDN that's understood/routable by the vendor.

      So it's sort of like the "-b" binding IP/Name.  Is there a way to configure the server so it's ?advertising? for JMS and Messaging a binding IP address which the vendor can route to rather than its real physical address so the communications can continue?

       

      For example, a simple JMS client has this:

      String jndiProps =
              "java.naming.factory.url.pkgs=org.jboss.ejb.client.naming\n"
              + "java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory\n"
              + "java.naming.provider.url=remote://10.140.40.157:30202\n"; // works

      But if you look at the SSL traces as SSL is being enforced we get:


      Padded plaintext after DECRYPTION:  len = 288

      0000: 00 00 FA 72 00 00 00 00   00 00 00 00 00 00 00 00  ...r............

      0010: 24 00 24 65 32 38 36 37   63 63 34 2D 35 36 30 31  $.$e2867cc4-5601

      0020: 2D 31 31 65 37 2D 61 62   31 63 2D 37 33 37 64 31  -11e7-ab1c-737d1

      0030: 65 62 34 61 31 65 66 00   00 01 5C C7 78 74 73 FF  eb4a1ef...\.xts.

      0040: 00 00 00 05 00 6E 00 65   00 74 00 74 00 79 00 00  .....n.e.t.t.y..

      0050: 00 3A 00 3A 6F 72 67 2E   68 6F 72 6E 65 74 71 2E  .:.:org.hornetq.

      0060: 63 6F 72 65 2E 72 65 6D   6F 74 69 6E 67 2E 69 6D  core.remoting.im

      0070: 70 6C 2E 6E 65 74 74 79   2E 4E 65 74 74 79 43 6F  pl.netty.NettyCo

      0080: 6E 6E 65 63 74 6F 72 46   61 63 74 6F 72 79 00 00  nnectorFactory..

      0090: 00 03 00 00 00 04 00 70   00 6F 00 72 00 74 03 00  .......p.o.r.t..

      00A0: 00 00 05 00 36 00 30 00   30 00 30 00 33 00 00 00  ....6.0.0.0.3...

      00B0: 04 00 68 00 6F 00 73 00   74 03 00 00 00 0D 00 0D  ..h.o.s.t.......

      00C0: 31 30 2E 31 34 30 2E 34   30 2E 31 35 37 00 00 00  10.140.40.157...

      00D0: 0B 00 0B 73 73 6C 2D 65   6E 61 62 6C 65 64 03 00  ...ssl-enabled..

      00E0: 00 00 04 00 74 00 72 00   75 00 65 00 FF 01 00 00  ....t.r.u.e.....

      00F0: 00 09 00 09 75 6E 64 65   66 69 6E 65 64 50 7A 8B  ....undefinedPz.

      0100: 9C FF 13 DE EB 78 C2 E2   25 50 F9 91 D6 AE 51 91  .....x..%P....Q.

      0110: 41 0E 0E 0E 0E 0E 0E 0E   0E 0E 0E 0E 0E 0E 0E 0E  A...............

      So basically the JBoss JMS server is telling the client, hey, you made a successful connection on the NAT'ed IP, but I want you to talk to me on port 60003 and internal IP 10.140.40.157, which then becomes not routable as the vendor's server doesn't understand that network IP address.  If our JMS JBoss server instead gave the NAT'ed IP or a FQDN, then everything would likely proceed and work as expected, so how do I get the JMS to advertise it as being bound to a specific IP or FQDN?

      Any thoughts all, any help, insight or suggestions would be greatly appreciated!

      Thank you in advance!

      Jay
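Added example, not code from this thread and not part of JBoss or HornetQ: a small Python decoder for the decrypted record quoted above. Rather than reading the advertised connector off the ASCII column by eye, it recovers the bytes from the hex column, scans for the connector description (name, factory class, and the host/port/ssl-enabled params) and returns the endpoint the server is telling the client to reconnect to. The string layout (HornetQBuffer.writeString: int char count, then one UTF-16 unit per char for short strings or a u16 byte length plus UTF-8 for longer ones) and the param type tags (0 boolean, 1 int, 2 long, 3 string) are my reading of the HornetQ source, so they are assumptions, checked only against the bytes in this post. The hex dump is embedded verbatim as test data; `Reader`, `TransportConfig` and the function names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the decrypted TLS record quoted in the first post, kept
# verbatim as test data for the decoder (only the hex column is parsed).
HEX_DUMP = r"""
0000: 00 00 FA 72 00 00 00 00   00 00 00 00 00 00 00 00  ...r............
0010: 24 00 24 65 32 38 36 37   63 63 34 2D 35 36 30 31  $.$e2867cc4-5601
0020: 2D 31 31 65 37 2D 61 62   31 63 2D 37 33 37 64 31  -11e7-ab1c-737d1
0030: 65 62 34 61 31 65 66 00   00 01 5C C7 78 74 73 FF  eb4a1ef...\.xts.
0040: 00 00 00 05 00 6E 00 65   00 74 00 74 00 79 00 00  .....n.e.t.t.y..
0050: 00 3A 00 3A 6F 72 67 2E   68 6F 72 6E 65 74 71 2E  .:.:org.hornetq.
0060: 63 6F 72 65 2E 72 65 6D   6F 74 69 6E 67 2E 69 6D  core.remoting.im
0070: 70 6C 2E 6E 65 74 74 79   2E 4E 65 74 74 79 43 6F  pl.netty.NettyCo
0080: 6E 6E 65 63 74 6F 72 46   61 63 74 6F 72 79 00 00  nnectorFactory..
0090: 00 03 00 00 00 04 00 70   00 6F 00 72 00 74 03 00  .......p.o.r.t..
00A0: 00 00 05 00 36 00 30 00   30 00 30 00 33 00 00 00  ....6.0.0.0.3...
00B0: 04 00 68 00 6F 00 73 00   74 03 00 00 00 0D 00 0D  ..h.o.s.t.......
00C0: 31 30 2E 31 34 30 2E 34   30 2E 31 35 37 00 00 00  10.140.40.157...
00D0: 0B 00 0B 73 73 6C 2D 65   6E 61 62 6C 65 64 03 00  ...ssl-enabled..
00E0: 00 00 04 00 74 00 72 00   75 00 65 00 FF 01 00 00  ....t.r.u.e.....
00F0: 00 09 00 09 75 6E 64 65   66 69 6E 65 64 50 7A 8B  ....undefinedPz.
0100: 9C FF 13 DE EB 78 C2 E2   25 50 F9 91 D6 AE 51 91  .....x..%P....Q.
0110: 41 0E 0E 0E 0E 0E 0E 0E   0E 0E 0E 0E 0E 0E 0E 0E  A...............
"""
# "OFFSET: " then up to 16 hex pairs; the ASCII column is never reached because of the cap.
HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]{4}:\s+((?:[0-9A-Fa-f]{2}(?:\s+|$)){1,16})")

def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw bytes from the hex column of a Java-style hex dump."""
    out = bytearray()
    for m in filter(None, map(HEX_LINE.match, dump.splitlines())):
        out.extend(int(tok, 16) for tok in m.group(1).split())
    return bytes(out)

class Reader:
    """Big-endian cursor. string() follows HornetQBuffer.writeString as read from the
    HornetQ source (an assumption, checked against the dump above): int char count,
    then one u16 per char if under 9 chars, else a u16 byte length plus UTF-8 bytes."""
    def __init__(self, data: bytes, pos: int = 0):
        self.data, self.pos = data, pos
    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("read past end of buffer")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u8(self): return self.take(1)[0]
    def u16(self): return int.from_bytes(self.take(2), "big")
    def i32(self): return int.from_bytes(self.take(4), "big", signed=True)
    def i64(self): return int.from_bytes(self.take(8), "big", signed=True)
    def string(self) -> str:
        n = self.i32()
        if not 0 <= n < 0xFFF:  # longer strings use a third encoding, not needed here
            raise ValueError("unsupported string length")
        if n < 9:
            return "".join(chr(self.u16()) for _ in range(n))
        return self.take(self.u16()).decode("utf-8")

# Type tags in TransportConfiguration's param map (assumption): 0 bool, 1 int, 2 long, 3 string.
PARAM_READERS = {0: lambda r: r.u8() != 0, 1: Reader.i32, 2: Reader.i64, 3: Reader.string}
JAVA_CLASS = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")

@dataclass
class TransportConfig:
    offset: int
    name: str
    factory_class: str
    params: dict = field(default_factory=dict)

def find_transport_configs(data: bytes) -> list:
    """Try every offset for a name / factory-class / param-map triple; false starts
    fail on a length check, a non-printable string or an unknown type tag."""
    found, i = [], 0
    while i < len(data):
        r = Reader(data, i)
        try:
            name, cls, count = r.string(), r.string(), r.i32()
            if not (name and name.isprintable() and JAVA_CLASS.match(cls) and 0 <= count <= 64):
                raise ValueError("not a TransportConfiguration")
            params = {}
            for _ in range(count):
                key = r.string()
                if not (key and key.isprintable()):
                    raise ValueError("bad param key")
                params[key] = PARAM_READERS[r.u8()](r)
        except (ValueError, KeyError, UnicodeDecodeError):
            i += 1
            continue
        found.append(TransportConfig(i, name, cls, params))
        i = r.pos
    return found

def decode_dump(dump: str) -> list:
    return find_transport_configs(hexdump_to_bytes(dump))

def advertised_endpoint(cfg: TransportConfig):
    """(host, port, ssl) that the server told the client to reconnect to."""
    p = cfg.params
    return str(p.get("host", "")), int(p.get("port", 0)), str(p.get("ssl-enabled", "")).lower() == "true"
```

On this record `decode_dump(HEX_DUMP)` finds one connector at offset 0x40, `netty` / `org.hornetq.core.remoting.impl.netty.NettyConnectorFactory`, and `advertised_endpoint` returns `("10.140.40.157", 60003, True)`: the private bind address, which is exactly the value the remote side has to be able to route. Pointed at your own `Padded plaintext after DECRYPTION` lines, it is a quick way to confirm what a connector change actually puts on the wire.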

        • 1. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
          gaohoward

          Perhaps you can configure your connection factory's connector to point to the external IP?

          Howard
          • 2. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
            jasonglass

            So again, I've been using JMS for years, but it's more "it works" then you just leave it alone ;-)

            I have the following system properties set, I'll start researching myself but would any of these or similar ones not listed allow me to specify the NAT IP as you suggested?

            // imports needed by the snippet below
            import java.io.StringReader;
            import java.util.Properties;
            import javax.jms.Queue;
            import javax.jms.QueueConnection;
            import javax.jms.QueueConnectionFactory;
            import javax.jms.QueueReceiver;
            import javax.jms.QueueSession;
            import javax.jms.Session;
            import javax.naming.Context;
            import javax.naming.InitialContext;

            String jndiProps =
                    "java.naming.factory.url.pkgs=org.jboss.ejb.client.naming\n"
                    + "java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory\n"
                    + "java.naming.provider.url=remote://10.140.40.157:10202\n"
                    + "java.naming.security.principal=user.userid\n"
                    + "java.naming.security.credentials=myPassword\n"
                    + "jboss.naming.client.ejb.context=true\n"
                    + "jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true\n"
                    + "jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER\n"
                    + "jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false\n"
                    + "jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS=true\n"
                    + "jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true";
            .
            .
            .
            // rest of code
            Properties props = new Properties();
            props.load(new StringReader(jndiProps));
            Context ctx = new InitialContext(props);

            System.out.println("looking up queue");
            Queue queue1 = (Queue) ctx.lookup("java:/com/mycompany/simp/imp/mydepartment/ejb/TestQueue");
            System.out.println("Creating Factory");
            QueueConnectionFactory factory = (QueueConnectionFactory) ctx.lookup("java:/System/MyCompany/ApplicationType/Management/Application/4-3;1-0;IMP/Comp/QueueConnectionFactory");
            System.out.println("Creating queue connection");
            QueueConnection queueConnection = factory.createQueueConnection("user.userid", "myPassword");
            System.out.println("Creating queue session");
            QueueSession session2 = queueConnection.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
            System.out.println("Creating a queue receiver");
            QueueReceiver receiver = session2.createReceiver(queue1);
            queueConnection.start();
            System.out.println("Started the queue connection");

            Thank you Howard!

            Jay

            • 3. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
              jasonglass

              I've also been trying some of these in case they work for JBoss EAP 6, but not having any luck, e.g. the suggestions and things that worked for others

              AS 7 Messaging ( HORNETQ ) Client access remote:// Problem with Server listening on 0.0.0.0 Interface

              • 4. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                jasonglass

                There's also this, but 8 years ago, hoping things have changed

                EJB, JMS and JNDI over HTTP via NAT Firewall with Unified Invoker

                • 5. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                  jasonglass

                  Hang tight, my last attempt may have ?fixed? (can't say it's a fix but more of a hack ;-) ) it as I now see


                  NettyConnectorFa

                  0AA0: 63 74 6F 72 79 3E 05 6E   65 74 74 79 53 03 64 3E  ctory>.nettyS.d>

                  0AB0: 04 70 6F 72 74 3E 05 36   30 30 30 33 3E 04 68 6F  .port>.60003>.ho

                  0AC0: 73 74 3E 0D 31 30 2E 32   35 30 2E 32 34 30 2E 32  st>.10.250.40.1

                  0AD0: 30 3E 0B 73 73 6C 2D 65   6E 61 62 6C 65 64 3E 04  57>.ssl-enabled>.

                  0AE0: 74 72 75 65 00 00 05 DC   00 00 00 00 00 00 07 D0  true

                  , wait for it...

                  • 6. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                    jasonglass

                    So sort of worked, with this:

                    <connector name="netty">
                        <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
                        <param key="host" value="10.250.140.157"/>
                        <param key="port" value="60003"/>
                        <param key="ssl-enabled" value="true"/>
                    </connector>

                    The server outside our network can connect through the NAT, actually received one Message, but now the JBoss server itself apparently can't connect to itself as it thinks it's supposed to connect to that unroutable NAT'ed IP.  Anyone with some suggestions?

                    • 7. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                      jasonglass

                      I added this, and so far so good locally, waiting for the remote server to be tested!
                      <param key="host" value="My.Server.Fqdn"/>

                      ... wait for it...

                      • 8. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                        jasonglass

                        And it looks to be working!  The FQDN worked on the remote server and local JBoss server after adding the FQDN to the keystore as trusted and massaging /etc/hosts!  Thank you all who glanced at this and tried to help - especially Howard!
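Added example, not the thread's or JBoss's own code: a checker for the pattern the last few replies arrive at. It reads generic `<connector>` entries of the shape shown in reply 6 (constructed here in three variants: the private bind address, the NAT address from reply 6, which is itself a 10/8 literal, and the FQDN from reply 7) together with an /etc/hosts-style mapping (also constructed, the kind of entry reply 8 describes). A connector is flagged when it advertises a private or loopback IP literal (only networks that route that range can follow the redirect), when it advertises a hostname that does not map back to the bind address in the hosts file (the server cannot reach itself, the problem reply 6 hit), or when `ssl-enabled` is not `true`. `BIND_IP`, the connector names, the sample values and the function names are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

BIND_IP = "10.140.40.157"  # the server's real bind address, as given in the thread

# Constructed fragment in the shape of the thread's generic <connector> entries.
SAMPLE_CONNECTORS = """\
<connectors>
  <connector name="netty-before">
    <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
    <param key="host" value="10.140.40.157"/>
    <param key="port" value="60003"/>
    <param key="ssl-enabled" value="true"/>
  </connector>
  <connector name="netty-nat">
    <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
    <param key="host" value="10.250.140.157"/>
    <param key="port" value="60003"/>
    <param key="ssl-enabled" value="true"/>
  </connector>
  <connector name="netty-fqdn">
    <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
    <param key="host" value="My.Server.Fqdn"/>
    <param key="port" value="60003"/>
    <param key="ssl-enabled" value="true"/>
  </connector>
</connectors>
"""

# Constructed /etc/hosts content: the advertised name pinned to the bind address on the server.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
10.140.40.157   My.Server.Fqdn
"""

def parse_hosts(text: str) -> dict:
    """Map every name in an /etc/hosts-style file to its address (names compared case-insensitively)."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping

def lint_connectors(xml_text: str, hosts_text: str, bind_ip: str = BIND_IP) -> dict:
    """Return {connector name: [issues]} describing what each connector would advertise."""
    hosts, report = parse_hosts(hosts_text), {}
    for conn in ET.fromstring(xml_text).iter("connector"):
        params = {p.get("key"): p.get("value") for p in conn.findall("param")}
        issues, host = [], params.get("host")
        if host is None:
            issues.append("no host param: clients are sent the raw bind address")
        else:
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                ip = None  # a hostname: each side resolves it for itself
            if ip is None and hosts.get(host.lower()) != bind_ip:
                issues.append(f"{host} does not map to {bind_ip} in the hosts file, "
                              "so the server cannot reach itself by the advertised name")
            elif ip is not None and (ip.is_private or ip.is_loopback):
                issues.append(f"advertises the private literal {host}: only networks "
                              "that route that range can follow the redirect")
        if params.get("ssl-enabled", "").lower() != "true":
            issues.append("ssl-enabled is not true: the advertised channel is plaintext")
        report[conn.get("name")] = issues
    return report
```

With the sample input, `netty-before` and `netty-nat` are each flagged for advertising a private literal, and `netty-fqdn` passes only because the hosts file maps the name back to the bind address; drop that line and the FQDN connector is flagged instead, which is the self-connection failure reply 6 describes.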

                        • 9. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                          gaohoward

                          Glad you sorted things out.

                          Howard

                          • 10. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                            jasonglass

                            Yong Hao Gao wrote:

                            Perhaps you can configure your connection factory's connector to point to the external IP?

                            Howard

                            While I sorta figured it out myself - I am going to mark Howard's as the correct answer as he did point me in the right direction!