How to Browse JBoss JMS Queues from behind firewall

Using Hermes with JBoss

Postby jay glass » Tue Jun 27, 2006 9:19 pm

Hi all, having some issues setting up Hermes, or our JBoss server, to allow Hermes to hit the JBoss server's JMS queues from behind the firewall (IPSEC).

I had hoped it would be as easy as just unblocking port 1099, but this does not seem to help; I still get a connection refused exception.

So what ports need to be unblocked? After looking around a bit online, I found this link, which states that just three ports need to be unblocked.

http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingJBossBehindAFirewall

What I gleaned from the above is that 1099, 1098, and 4444 need to be unblocked. Is this it? And it seems the default security credentials are user: admin and password: <blank>. Is this true? It works locally on my machine when browsing local queues, but will this work on a remote server if I have not changed the values on the remote server?

Next, I would like to change those values on the remote server. I searched the file system looking for "admin" strings, but what was found and reported did not seem to pertain. So where could I add a real user name and password instead of using the default? I only need to open the ports temporarily for testing, but would rather secure it as much as possible, and am at a loss as to where to begin.

Lastly, by unblocking the above ports, what are the ramifications? I understand that if I password protect the JMS it may limit intrusions, but what I am wondering is what a malicious entity could accomplish by having those ports open. It seems that with the default password they might be able to delete queues, delete messages, add messages, etc., but I am confused as to what they could accomplish with port 4444 being open.

Config:
Remote Server: JBoss Collaboration (Mail) Server 1.0m4
Remote server OS: Windows 2003 server
Hermes Build on local dev machine: 1.10 120406
Local dev machine OS: Windows XP Media Center (don't ask)
Notes: Hermes works fine locally, but when connecting to the remote server, I get this in the log file...

Note: server name/IP changed, and this is only the beginning of the stack trace.

2006-06-27 13:19:21,187 [Hermes ThreadPool-2] DEBUG hermes.browser.tasks.ThreadPool - task hermes.browser.tasks.JNDIBrowseTask@1adbfde starting
2006-06-27 13:19:21,187 [Hermes ThreadPool-2] DEBUG hermes.impl.SimpleClassLoaderManager - getting existing classLoader for JBoss 4.0.1
2006-06-27 13:19:21,187 [Hermes ThreadPool-2] DEBUG hermes.impl.LoaderSupport - set hermes.JNDIContextFactory providerURL=jnp://216.122.110.134
2006-06-27 13:19:21,187 [Hermes ThreadPool-2] DEBUG hermes.impl.LoaderSupport - set hermes.JNDIContextFactory initialContextFactory=org.jnp.interfaces.NamingContextFactory
2006-06-27 13:19:21,187 [Hermes ThreadPool-2] DEBUG hermes.impl.LoaderSupport - set hermes.JNDIContextFactory urlPkgPrefixes=org.jnp.interfaces:org.jboss.naming
2006-06-27 13:19:21,187 [Hermes ThreadPool-2] DEBUG hermes.impl.LoaderSupport - set hermes.JNDIContextFactory securityCredentials=admin
2006-06-27 13:19:21,187 [Hermes ThreadPool-2] DEBUG hermes.impl.LoaderSupport - set hermes.JNDIContextFactory securityPrincipal=admin
2006-06-27 13:19:21,187 [Hermes ThreadPool-2] DEBUG hermes.JNDIContextFactory - properties: {java.naming.provider.url=jnp://216.122.110.134, java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory, java.naming.factory.url.pkgs=org.jnp.interfaces:org.jboss.naming, java.naming.security.principal=admin, java.naming.security.credentials=admin}
2006-06-27 13:19:21,203 [Hermes ThreadPool-2] DEBUG hermes.browser.model.tree.ContextTreeNode - Searching context JBoss-remote-2...
2006-06-27 13:19:24,375 [Hermes ThreadPool-2] ERROR hermes.browser.model.tree.ContextTreeNode -
javax.naming.CommunicationException [Root exception is java.rmi.ConnectException: Connection refused to host: 216.122.110.134; nested exception is:
   java.net.ConnectException: Connection refused: connect]
   at org.jnp.interfaces.NamingContext.list(NamingContext.java:812)
   at org.jnp.interfaces.NamingContext.list(NamingContext.java:786)
   at javax.naming.InitialContext.list(InitialContext.java:395)
   at hermes.browser.model.tree.ContextTreeNode.setContext(ContextTreeNode.java:101)
   at hermes.browser.model.tree.ContextTreeNode.<init>(ContextTreeNode.java:65)
   at hermes.browser.model.tree.ContextTreeNode.<init>(ContextTreeNode.java:70)
   at hermes.browser.components.ContextTreeModelFactory.create(ContextTreeModelFactory.java:60)
   at hermes.browser.tasks.JNDIBrowseTask.invoke(JNDIBrowseTask.java:59)
   at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:167)
   at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:182)
   at java.lang.Thread.run(Thread.java:595)
Caused by: java.rmi.ConnectException: Connection refused to host: 216.122.110.134; nested exception is:
   java.net.ConnectException: Connection refused: connect


And on a side note, there seems possibly to be a bug/enhancement on my machine: if you double-click a queue, the first time it errors, but subsequent double-clicks of it, i.e. in an attempt to browse, work with no error. It may be just a timing issue; I might be double-clicking in an attempt to browse before the queue's pertinent info is loaded. Not sure, but it seems to happen frequently...

Oops, do I also need to unblock a queue port? It seems I saw someone post about a topic-specific port.
jay glass
 
Posts: 3
Joined: Tue Jun 27, 2006 7:37 pm
Location: Phoenix, AZ USA

Postby jay glass » Wed Jun 28, 2006 9:38 pm

Anyone have any insights?
jay glass
 
Posts: 3
Joined: Tue Jun 27, 2006 7:37 pm
Location: Phoenix, AZ USA

Postby Colin » Thu Jun 29, 2006 5:32 am

Hi,

I've never attempted JBoss behind a firewall so sorry, cannot help - have you tried the JBoss forums? There are also several companies out there that can give you professional services for a couple of days.

There are security ramifications for sure - some kind of IPSEC would make sense to give authentication and encryption for you, however again I'm no expert here.

I've never heard of any queue specific port btw.

Finally, can you send/post any exception you saw when "clicking/de-clicking" a queue in Hermes? I'm not sure what you mean...

Regards,

Colin.
Colin
Site Admin
 
Posts: 913
Joined: Sun Sep 19, 2004 4:49 pm
Location: London, UK

Postby jay glass » Thu Jun 29, 2006 4:51 pm

Colin wrote: I've never attempted JBoss behind a firewall so sorry, cannot help - have you tried the JBoss forums? There are also several companies out there that can give you professional services for a couple of days.


Thanks a lot for your response, I appreciate it. I got it working yesterday by unblocking ports 1099, 1098, 4444, and I think 1093, which I believe is the UIL2 port. The message queue could be searched and iterated with the first three ports opened, but the queue could not be browsed, or messages could not be retrieved; queue details could be discovered though.

I could only read messages after I opened the UIL2 port. I figured this out by seeing what the local JBoss had open when it was connected locally to the MQ.

Thus everything seems to be working... though I can't stand the idea of opening so many ports. Have you ever heard of any exploits revolving around those ports and services on Windows?

Colin wrote: There are security ramifications for sure - some kind of IPSEC would make sense to give authentication and encryption for you, however again I'm no expert here.


Yes, as we're not using a firewall per se, I used IPSEC to unblock the ports, as it is blocking most other ports. What bites is that from JBoss you get auth failed, connection refused or whatever, but the real underlying issue is ports being opened; JBoss is giving horrid error messages...

When 1099 was opened and nothing else, I would get the above listed exception. When I opened 1098 and 4444, I still got the error message when browsing the queue, but I could finally browse the namespace. Only after 1093 was opened did I get rid of the above exception with regards to browsing the actual queue. Live and learn...

Colin wrote: I've never heard of any queue specific port btw.


Seems true, though I guess there are different ports for the different ?protocols? used when communicating with the MQ, i.e. I had to unblock 1093 for UIL2, and the JBoss wiki on firewalls listed a couple of others with regards to the other ?protocols?

BTW: what the hell is UIL2?

Colin wrote: Finally, can you send/post any exception you saw when "clicking/de-clicking" a queue in Hermes? I'm not sure what you mean...


It just seems to be caused by the queue not fully being connected in some way. Can't reproduce at the moment, but when I can, I will get a screenshot and log details for you...

Thanks again for the insight... oh, and how do I go about locking down a queue generally? I.e. change the default user and password, or make it only readable?
jay glass
 
Posts: 3
Joined: Tue Jun 27, 2006 7:37 pm
Location: Phoenix, AZ USA
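A reachability check for the four ports this thread ended up opening (1099, 1098, 4444 and the UIL2 port 1093), added here as an example; it is not from the posts above nor part of Hermes or JBoss. The host name is a placeholder, the port roles follow the JBoss firewall wiki page linked in the first post, and the stage mapping in diagnose() reflects what jay glass reported seeing in Hermes as each port was opened.

```python
import socket

# Ports named in this thread for a JBoss 4.x server whose JMS transport is UIL2.
# Port roles follow the JBoss "UsingJBossBehindAFirewall" wiki page linked above;
# the stage mapping in diagnose() is the behaviour jay glass reported in Hermes.
JBOSS_PORTS = {
    1099: "JNP naming service (JNDI bootstrap)",
    1098: "RMI naming",
    4444: "RMI/JRMP invoker",
    1093: "UIL2 JMS transport",
}


def check_ports(host, ports, timeout=3.0):
    """Attempt a plain TCP connect to each port; return {port: reachable}."""
    result = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[port] = True
        except OSError:  # refused, timed out, unresolvable or unreachable
            result[port] = False
    return result


def diagnose(reachable):
    """Map a {port: reachable} dict to the Hermes symptom reported in the thread.

    Returns (stage, blocked_ports). Stages, in the order the thread hit them:
      jndi_bootstrap - 1099 blocked: the InitialContext cannot be created at all
      rmi_naming     - 1099 open but 1098/4444 blocked: the ConnectException
                       inside NamingContext.list() shown in the first post
      uil2           - namespace browsable and queue details visible, but
                       browsing messages fails because 1093 is blocked
      ok             - all four ports reachable
    """
    blocked = sorted(p for p in JBOSS_PORTS if not reachable.get(p, False))
    if 1099 in blocked:
        return "jndi_bootstrap", blocked
    if 1098 in blocked or 4444 in blocked:
        return "rmi_naming", blocked
    if 1093 in blocked:
        return "uil2", blocked
    return "ok", blocked


if __name__ == "__main__":
    host = "jboss.example.invalid"  # placeholder: replace with the remote server
    stage, blocked = diagnose(check_ports(host, JBOSS_PORTS))
    print(stage, "blocked:", [(p, JBOSS_PORTS[p]) for p in blocked])
```

Run it from the Hermes machine before opening anything further; a "rmi_naming" result with 1099 reachable is the same situation as the stack trace in the first post, where the naming bootstrap succeeds but the RMI call behind list() is refused.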

