10 Replies Latest reply on Jun 22, 2017 11:32 AM by jasonglass

JMS Message Queue, NAT'ed IP - change ?advertised? address

jasonglass Jun 20, 2017 10:55 PM

Hi All!

So problem, and likely a simple (I hope!) answer! We're using Jboss EAP 6, we have a JMS queue. We're switching to SaaS (unfortunately) so our vendor is trying to connect to the JMS queue, but since its saas, theres FW rules and IP address NAT'ing in place and I believe its causing issues (well i know it is). So basically I'm wondering if theres a way to get the JMS subsystem to *think* its bound to a NAT'ed VIP/IP so when it ?advertises? the connect back port, the remote client doesnt end up with a no route to host exception.

So for example, locally the servers IP in our network is say 10.140.40.157. The JMS is bound to this, everything works properly within our own network, I can consume from the queue. To our vendor, for example 10.140.40.157 is NAT'ed to 10.250.40.157 then the firewall rules NAT this to 10.140.40.157 - however, and though I'm familiar with JMS, it appears when setting up the queue connection factory, that the JBoss server is "saying" hey, you need to connect me me on my real port and IP of 10.140.40.157 and obviously when the vendor tries to connect, since that IP range isnt part of their network, it throws an No route to host exception. So basically the vendor connects to the NAT IP, all is good, but then half way through the communication process the JBoss server says okay, lets continue communicating on this other port and IP and everything will be all good. The problem is, the vendors network doesnt understand how to route that IP. So my question is, is there a way to tell the jms subsystem to ?pretend? its binding to an IP or FQDN thats understood/routeable by the vendor.

So its sort of like the "-b" binding IP/Name. Is there a way to configure the server so its ?advertising? for JMS and Messaging a binding IP address which the vendor can route to rather than its real physical address so the communications can continue?

For example, a simple JMS client has this:

String jndiProps =

"java.naming.factory.url.pkgs=org.jboss.ejb.client.naming\n"

+ "java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory\n"

+ "java.naming.provider.url=remote://10.140.40.157:30202\n" //works

But if you look at the SSL traces as SSL is being enforced we get:

Padded plaintext after DECRYPTION: len = 288

0000: 00 00 FA 72 00 00 00 00 00 00 00 00 00 00 00 00 ...r............

0010: 24 00 24 65 32 38 36 37 63 63 34 2D 35 36 30 31 $.$e2867cc4-5601

0020: 2D 31 31 65 37 2D 61 62 31 63 2D 37 33 37 64 31 -11e7-ab1c-737d1

0030: 65 62 34 61 31 65 66 00 00 01 5C C7 78 74 73 FF eb4a1ef...\.xts.

0040: 00 00 00 05 00 6E 00 65 00 74 00 74 00 79 00 00 .....n.e.t.t.y..

0050: 00 3A 00 3A 6F 72 67 2E 68 6F 72 6E 65 74 71 2E .:.:org.hornetq.

0060: 63 6F 72 65 2E 72 65 6D 6F 74 69 6E 67 2E 69 6D core.remoting.im

0070: 70 6C 2E 6E 65 74 74 79 2E 4E 65 74 74 79 43 6F pl.netty.NettyCo

0080: 6E 6E 65 63 74 6F 72 46 61 63 74 6F 72 79 00 00 nnectorFactory..

0090: 00 03 00 00 00 04 00 70 00 6F 00 72 00 74 03 00 .......p.o.r.t..

00A0: 00 00 05 00 36 00 30 00 30 00 30 00 33 00 00 00 ....6.0.0.0.3...

00B0: 04 00 68 00 6F 00 73 00 74 03 00 00 00 0D 00 0D ..h.o.s.t.......

00C0: 31 30 2E 31 34 30 2E 34 30 2E 31 35 37 00 00 00 10.140.40.157...

00D0: 0B 00 0B 73 73 6C 2D 65 6E 61 62 6C 65 64 03 00 ...ssl-enabled..

00E0: 00 00 04 00 74 00 72 00 75 00 65 00 FF 01 00 00 ....t.r.u.e.....

00F0: 00 09 00 09 75 6E 64 65 66 69 6E 65 64 50 7A 8B ....undefinedPz.

0100: 9C FF 13 DE EB 78 C2 E2 25 50 F9 91 D6 AE 51 91 .....x..%P....Q.

0110: 41 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E 0E A...............

So basically the JBoss JMS server is telling the client, hey, you made a successful connection on the NAT'ed IP, but I want you to talk to me on port 60003 and internal IP 10.140.40.157 which then becomes not route'able as the vendors server doesnt understand that network IP address. If our JMS JBoss server instead gave the NAT'ed IP instead or a FQDN, then everything would likely proceed and work as expected, so how do I get the JMS to advertise it as being bound to a specific IP or FQDN.

Any thoughts all, any help, insight or suggestions would be greatly appreciated!

Thank you in advance!

Jay

1. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address

gaohoward Jun 21, 2017 12:08 AM (in response to jasonglass)

Perhaps you can configure your connection factory's connector to point to the external IP?

Howard
1 of 1 people found this helpful
Actions
2. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address

jasonglass Jun 21, 2017 1:37 PM (in response to gaohoward)

So again, I've been using JMS for years, but its more "it works" then you just leave it alone ;-)
I have the following system properties set, I'll start researching myself but would any of these or similar ones not listed allow me to specify the NAT IP as you suggested?
            String jndiProps =
                    "java.naming.factory.url.pkgs=org.jboss.ejb.client.naming\n"
                            + "java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory\n"
                            + "java.naming.provider.url=remote:// 10.140.40.157:10202\n"
                            + "java.naming.security.principal=user.userid\n"
                            + "java.naming.security.credentials=myPassword\n"
                            + "jboss.naming.client.ejb.context=true\n"
                            + "jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true\n"
                            + "jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER\n"
                            + "jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false\n"
                            + "jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS=true\n"
                            + "jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true";
.
.
.
//rest of code
Properties props = new Properties();
            props.load(new StringReader(jndiProps));
            ctx = new InitialContext(props);

System.out.println("looking up queue");
   queue1 = (Queue) ctx.lookup("java:/com/mycompany/simp/imp/mydepartment/ejb/TestQueue");
   System.out.println("Creating Factory");
    facory = (QueueConnectionFactory) ctx.lookup("java:/System/MyCompany/ApplicationType/Management/Application/4-3;1-0;IMP/Comp/QueueConnectionFactory");
   System.out.println("Creating queue connection");
   queueConnection = facory.createQueueConnection("user.userid", "myPassword");
   System.out.println("Creating queue session");
   session2 = queueConnection.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
System.out.println("Creating a queue receiver");
QueueReceiver receiver = session2.createReceiver(queue1);
queueConnection.start();
System.out.println("Started the queue connection");

Thank you Howard!

Jay
Actions
3. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address

jasonglass Jun 21, 2017 1:21 PM (in response to jasonglass)

I've also been trying some of these in case they work for JBoss EAP 6, but not having any luck, e.g. the suggestions and things that worked for others
AS 7 Messaging ( HORNETQ ) Client access remote:// Problem with Server listening on 0.0.0.0 Interface
Actions
4. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address

jasonglass Jun 21, 2017 1:28 PM (in response to jasonglass)

Theres also this, but 8 years ago, hoping things have changed
EJB, JMS and JNDI over HTTP via NAT Firewall with Unified Invoker
Actions
5. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address

jasonglass Jun 21, 2017 1:39 PM (in response to jasonglass)

Hang tight, my last attempt may have ?fixed? (cant say its a fix but more of a hack ;-) ) it as I now see

NettyConnectorFa
0AA0: 63 74 6F 72 79 3E 05 6E   65 74 74 79 53 03 64 3E ctory>.nettyS.d>
0AB0: 04 70 6F 72 74 3E 05 36   30 30 30 33 3E 04 68 6F .port>.60003>.ho
0AC0: 73 74 3E 0D 31 30 2E 32   35 30 2E 32 34 30 2E 32 st>.10.250.40.1
0AD0: 30 3E 0B 73 73 6C 2D 65   6E 61 62 6C 65 64 3E 04 57>.ssl-enabled>.
0AE0: 74 72 75 65 00 00 05 DC   00 00 00 00 00 00 07 D0 true

, wait for it...
Actions
6. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address

jasonglass Jun 21, 2017 2:55 PM (in response to jasonglass)

So sort of worked, with this:
<connector name="netty">
                        <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
                          <param key="host" value="10.250.140.157"/>
                          <param key="port" value="60003"/>
                          <param key="ssl-enabled" value="true"/>
                        </connector>

The server outside our network can connect through the NAT, actually received one Message, but now the JBoss server itself apparently cant connect to itself as it thinks its supposed to connect to that unrouteable NAT'ed IP. Anyone with some suggestions?
Actions
7. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address

jasonglass Jun 21, 2017 3:17 PM (in response to jasonglass)

I added this, and so far so good locally, waiting for the remote server to be tested!
<param key="host" value="My.Server.Fqdn"/>

... wait for it...
Actions
8. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address

jasonglass Jun 21, 2017 5:22 PM (in response to jasonglass)

And it looks to be working! The FQDN worked on remote server and local JBoss server after adding the FQDN to the keystore as trusted and massaging /etc/hosts! Thank you all who glanced at this and tried to help - especially howard!
Actions
9. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address

gaohoward Jun 22, 2017 12:36 AM (in response to jasonglass)

Glad you sorted things out.

Howard
Actions
10. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address

jasonglass Jun 22, 2017 11:32 AM (in response to gaohoward)

Yong Hao Gao wrote:

Perhaps you can configure your connection factory's connector to point to the external IP?

Howard
While I sorta figured it out myself - I am going to mark howards as the correct answer as he di point me in the right direction!
Actions

Go to original post