10 Replies Latest reply on Jun 22, 2017 11:32 AM by Jason Glass

    JMS Message Queue, NAT'ed IP - change ?advertised? address

    Jason Glass Newbie

        Hi All!

       

      So, a problem, and likely a simple (I hope!) answer!  We're using JBoss EAP 6, and we have a JMS queue.  We're switching to SaaS (unfortunately), so our vendor is trying to connect to the JMS queue, but since it's SaaS, there are FW rules and IP address NAT'ing in place and I believe it's causing issues (well, I know it is).  So basically I'm wondering if there's a way to get the JMS subsystem to *think* it's bound to a NAT'ed VIP/IP, so that when it ?advertises? the connect-back port, the remote client doesn't end up with a "no route to host" exception.

       

      So for example, locally the server's IP in our network is, say, 10.140.40.157.  The JMS is bound to this; everything works properly within our own network, and I can consume from the queue.  To our vendor, for example, 10.140.40.157 is NAT'ed to 10.250.40.157, and then the firewall rules NAT this back to 10.140.40.157 - however, and though I'm familiar with JMS, it appears that when setting up the queue connection factory, the JBoss server is "saying": hey, you need to connect to me on my real port and IP of 10.140.40.157, and obviously when the vendor tries to connect, since that IP range isn't part of their network, it throws a "No route to host" exception.  So basically the vendor connects to the NAT IP, all is good, but then halfway through the communication process the JBoss server says: okay, let's continue communicating on this other port and IP and everything will be all good.  The problem is, the vendor's network doesn't understand how to route that IP.  So my question is: is there a way to tell the JMS subsystem to ?pretend? it's binding to an IP or FQDN that's understood/routeable by the vendor?

       

      So it's sort of like the "-b" binding IP/name.  Is there a way to configure the server so it's ?advertising? for JMS and Messaging a binding IP address which the vendor can route to, rather than its real physical address, so the communications can continue?

       

      For example, a simple JMS client has this:

      String jndiProps =
              "java.naming.factory.url.pkgs=org.jboss.ejb.client.naming\n"
              + "java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory\n"
              + "java.naming.provider.url=remote://10.140.40.157:30202\n"; // works

       

      But if you look at the SSL traces (SSL is being enforced), we get:

       

       

      Padded plaintext after DECRYPTION:  len = 288
      0000: 00 00 FA 72 00 00 00 00   00 00 00 00 00 00 00 00  ...r............
      0010: 24 00 24 65 32 38 36 37   63 63 34 2D 35 36 30 31  $.$e2867cc4-5601
      0020: 2D 31 31 65 37 2D 61 62   31 63 2D 37 33 37 64 31  -11e7-ab1c-737d1
      0030: 65 62 34 61 31 65 66 00   00 01 5C C7 78 74 73 FF  eb4a1ef...\.xts.
      0040: 00 00 00 05 00 6E 00 65   00 74 00 74 00 79 00 00  .....n.e.t.t.y..
      0050: 00 3A 00 3A 6F 72 67 2E   68 6F 72 6E 65 74 71 2E  .:.:org.hornetq.
      0060: 63 6F 72 65 2E 72 65 6D   6F 74 69 6E 67 2E 69 6D  core.remoting.im
      0070: 70 6C 2E 6E 65 74 74 79   2E 4E 65 74 74 79 43 6F  pl.netty.NettyCo
      0080: 6E 6E 65 63 74 6F 72 46   61 63 74 6F 72 79 00 00  nnectorFactory..
      0090: 00 03 00 00 00 04 00 70   00 6F 00 72 00 74 03 00  .......p.o.r.t..
      00A0: 00 00 05 00 36 00 30 00   30 00 30 00 33 00 00 00  ....6.0.0.0.3...
      00B0: 04 00 68 00 6F 00 73 00   74 03 00 00 00 0D 00 0D  ..h.o.s.t.......
      00C0: 31 30 2E 31 34 30 2E 34   30 2E 31 35 37 00 00 00  10.140.40.157...
      00D0: 0B 00 0B 73 73 6C 2D 65   6E 61 62 6C 65 64 03 00  ...ssl-enabled..
      00E0: 00 00 04 00 74 00 72 00   75 00 65 00 FF 01 00 00  ....t.r.u.e.....
      00F0: 00 09 00 09 75 6E 64 65   66 69 6E 65 64 50 7A 8B  ....undefinedPz.
      0100: 9C FF 13 DE EB 78 C2 E2   25 50 F9 91 D6 AE 51 91  .....x..%P....Q.
      0110: 41 0E 0E 0E 0E 0E 0E 0E   0E 0E 0E 0E 0E 0E 0E 0E  A...............

       

      So basically the JBoss JMS server is telling the client: hey, you made a successful connection on the NAT'ed IP, but I want you to talk to me on port 60003 and internal IP 10.140.40.157, which then becomes unrouteable, as the vendor's server doesn't understand that network IP address.  If our JMS JBoss server instead gave the NAT'ed IP or a FQDN, then everything would likely proceed and work as expected, so how do I get the JMS to advertise itself as being bound to a specific IP or FQDN?

       

      Any thoughts all, any help, insight or suggestions would be greatly appreciated!

       

      Thank you in advance!

       

      Jay
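      The decrypted record above is a HornetQ topology packet, and the host/port it carries is exactly what the rest of this thread ends up changing. The following Python is an added example, not code from the post or from JBoss/HornetQ: it walks that wire format (string and TransportConfiguration encodings checked against the bytes in the dump) and pulls out the connector the broker advertises, which is a quick way to confirm what a client behind NAT will be told to dial. The Reader/advertised_connector names are mine, and the packet-type name in the comment is an assumption.

```python
import struct

# Bytes 0x00..0xFC of the "Padded plaintext after DECRYPTION" dump above (the first
# length byte sits in the previous TLS record; MAC and CBC padding are left out).
TRACE_HEX = (
    "0000fa72000000000000000000000000" "24002465323836376363342d35363031"
    "2d313165372d616231632d3733376431" "656234613165660000015cc7787473ff"
    "00000005006e00650074007400790000" "003a003a6f72672e686f726e6574712e"
    "636f72652e72656d6f74696e672e696d" "706c2e6e657474792e4e65747479436f"
    "6e6e6563746f72466163746f72790000" "0003000000040070006f007200740300"
    "00000500360030003000300033000000" "040068006f00730074030000000d000d"
    "31302e3134302e34302e313537000000" "0b000b73736c2d656e61626c65640300"
    "000004007400720075006500ff010000" "00090009756e646566696e6564"
)

class Reader:  # cursor over a HornetQ core buffer (big-endian, like Netty's ByteBuf)
    def __init__(self, data, pos=0): self.data, self.pos = data, pos
    def take(self, fmt):  # fmt is a struct code: b, B, H, i or q
        value = struct.unpack_from(">" + fmt, self.data, self.pos)[0]
        self.pos += struct.calcsize(fmt)
        return value
    def string(self):
        # writeString(): int char count; <9 chars as one short each, else short byte len + UTF-8
        count = self.take("i")
        if count < 9:
            return "".join(chr(self.take("H")) for _ in range(count))
        size = self.take("H")
        self.pos += size
        return self.data[self.pos - size:self.pos].decode("utf-8")
    def transport_configuration(self):
        # encode(): name, factory class, param count, then key, type (0 bool 1 int 2 long 3 str), value
        name, factory = self.string(), self.string()
        params = {}
        for _ in range(self.take("i")):
            key, kind = self.string(), self.take("B")
            params[key] = self.string() if kind == 3 else self.take("biq"[kind])
        return name, factory, params

def advertised_connector(trace_hex=TRACE_HEX):
    r = Reader(bytes.fromhex(trace_hex), pos=3)  # skip the partial length field
    ptype, channel = r.take("B"), r.take("q")    # 0x72 (assumed: CLUSTER_TOPOLOGY_V2), channel 0
    exit_flag, node_id = r.take("b"), r.string() # booleans are 0xFF (true) / 0x00 (false)
    if exit_flag:                                # node left the cluster: nothing follows
        return None
    event_id, has_live = r.take("q"), r.take("b")
    if not has_live:                             # no live connector in this message
        return None
    name, factory, params = r.transport_configuration()
    return {"node": node_id, "connector": name, "host": params["host"],
            "port": int(params["port"]), "ssl": params["ssl-enabled"] == "true"}
```

      Run against the bytes from this post it returns host 10.140.40.157 and port 60003, the internal address the vendor cannot route; after the connector change later in the thread the same parse would show the FQDN instead.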

        • 1. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
          Yong Hao Gao Master

          Perhaps you can configure your connection factory's connector to point to the external IP?

           

          Howard

          • 2. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
            Jason Glass Newbie

            So again, I've been using JMS for years, but it's more a case of "it works" and then you just leave it alone ;-)

            I have the following system properties set. I'll start researching myself, but would any of these, or similar ones not listed, allow me to specify the NAT IP as you suggested?

            // needs javax.jms.*, javax.naming.*, java.util.Properties and java.io.StringReader
            String jndiProps =
                    "java.naming.factory.url.pkgs=org.jboss.ejb.client.naming\n"
                    + "java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory\n"
                    + "java.naming.provider.url=remote://10.140.40.157:10202\n"
                    + "java.naming.security.principal=user.userid\n"
                    + "java.naming.security.credentials=myPassword\n"
                    + "jboss.naming.client.ejb.context=true\n"
                    + "jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true\n"
                    + "jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER\n"
                    + "jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false\n"
                    + "jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS=true\n"
                    + "jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true";

            // ... rest of code

            Properties props = new Properties();
            props.load(new StringReader(jndiProps));
            Context ctx = new InitialContext(props);

            System.out.println("looking up queue");
            Queue queue1 = (Queue) ctx.lookup("java:/com/mycompany/simp/imp/mydepartment/ejb/TestQueue");
            System.out.println("Creating Factory");
            QueueConnectionFactory factory = (QueueConnectionFactory) ctx.lookup("java:/System/MyCompany/ApplicationType/Management/Application/4-3;1-0;IMP/Comp/QueueConnectionFactory");
            System.out.println("Creating queue connection");
            QueueConnection queueConnection = factory.createQueueConnection("user.userid", "myPassword");
            System.out.println("Creating queue session");
            QueueSession session2 = queueConnection.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
            System.out.println("Creating a queue receiver");
            QueueReceiver receiver = session2.createReceiver(queue1);
            queueConnection.start();
            System.out.println("Started the queue connection");

             

            Thank you Howard!

             

            Jay

            • 3. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
              Jason Glass Newbie

              I've also been trying some of these in case they work for JBoss EAP 6, but I'm not having any luck, e.g. the suggestions and things that worked for others in:

              AS 7 Messaging ( HORNETQ ) Client access remote:// Problem with Server listening on 0.0.0.0 Interface

              • 5. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                Jason Glass Newbie

                Hang tight, my last attempt may have ?fixed? it (can't say it's a fix, more of a hack ;-) ), as I now see

                 

                NettyConnectorFa
                0AA0: 63 74 6F 72 79 3E 05 6E   65 74 74 79 53 03 64 3E  ctory>.nettyS.d>
                0AB0: 04 70 6F 72 74 3E 05 36   30 30 30 33 3E 04 68 6F  .port>.60003>.ho
                0AC0: 73 74 3E 0D 31 30 2E 32   35 30 2E 32 34 30 2E 32  st>.10.250.40.1
                0AD0: 30 3E 0B 73 73 6C 2D 65   6E 61 62 6C 65 64 3E 04  57>.ssl-enabled>.
                0AE0: 74 72 75 65 00 00 05 DC   00 00 00 00 00 00 07 D0  true

                 

                , wait for it...

                • 6. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                  Jason Glass Newbie

                  So it sort of worked, with this:

                  <connector name="netty">
                      <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
                      <param key="host" value="10.250.140.157"/>
                      <param key="port" value="60003"/>
                      <param key="ssl-enabled" value="true"/>
                  </connector>

                   

                  The server outside our network can connect through the NAT and actually received one message, but now the JBoss server itself apparently can't connect to itself, as it thinks it's supposed to connect to that unrouteable NAT'ed IP.  Anyone with some suggestions?

                  • 7. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                    Jason Glass Newbie

                    I added this, and so far so good locally; waiting for the remote server to be tested!
                    <param key="host" value="My.Server.Fqdn"/>

                     

                    ... wait for it...

                    • 8. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                      Jason Glass Newbie

                      And it looks to be working!  The FQDN worked on the remote server and the local JBoss server after adding the FQDN to the keystore as trusted and massaging /etc/hosts!  Thank you to all who glanced at this and tried to help - especially Howard!

                      • 9. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                        Yong Hao Gao Master

                        Glad you sorted things out.

                         

                        Howard

                        • 10. Re: JMS Message Queue, NAT'ed IP - change ?advertised? address
                          Jason Glass Newbie

                          Yong Hao Gao wrote:

                           

                          Perhaps you can configure your connection factory's connector to point to the external IP?

                           

                          Howard

                          While I sorta figured it out myself, I am going to mark Howard's as the correct answer, as he did point me in the right direction!