4.2.1. Communication Through a Firewall

In order to communicate with the CoreMedia Server or Workflow Server, two open ports are required:

  • The HTTP port to fetch the IOR,

  • the CORBA port for communication.

In the default configuration, the CORBA port changes with every restart of the application server, which is inconvenient if a firewall sits between client and server. In this case, the port can be set to a fixed value through the ORB property com.sun.CORBA.ORBServerPort. In the following example, the ORB is configured to listen on port 55555 by setting a system property:

  • -Dcom.sun.CORBA.ORBServerPort=55555

If you want to access the Server from "outside" a firewall and the server IP address is not directly accessible (due to network address translation for example), it is possible to establish an SSH tunnel. The tunnel forwards all traffic from the client to the server. Of course, the endpoint of the tunnel must be able to reach the server. Figure 4.2, “Schema of the SSH tunnel” shows the scenario:

Figure 4.2. Schema of the SSH tunnel


Four parties are involved in the tunneling:

  • A client <CMSClient> which cannot access the server directly.

  • The client-side SSH client <SSHClient> which cannot access the Content Server.

  • The server-side SSH server <SSHServer> which can access the Content Server.

  • The CoreMedia Server <CMSServer>.

<CMSClient> and <SSHClient> may run on the same machine, as may <CMSServer> and <SSHServer>.

Two ports must be configured:

  • <HTTPPort> is the HTTP port for the IOR.

  • <CORBAPort> is the port for CORBA communication.

For this scenario you must:

  • establish the tunnel,

  • redirect client requests to the tunnel endpoint <SSHClient> instead of <CMSServer>.

Proceed as follows:

  1. Configure the HTTP port of the server as usual in the contentserver.properties file.

  2. Configure the HTTP address from which the IOR of the server is fetched in the capclient.properties file as follows:

     cap.client.server.ior.url=http://<SSHClient>:<HTTPPort>/coremedia/ior

  3. Start an SSH server on <SSHServer>. No particular configuration is necessary.

  4. Start the SSH client on <SSHClient>.

  5. On a UNIX system, open the tunnel on <SSHClient> with

     ssh -g -L<CORBAPort>:<CMSServer>:<CORBAPort> -L<HTTPPort>:<CMSServer>:<HTTPPort> <SSHServer>

     Replace the values in angle brackets with the appropriate settings.

     For the Windows SSH client SSH Secure Shell choose Edit|Settings|Profile Settings|Tunneling|Incoming. You need to make two entries. Insert as follows:

       • Type: TCP, Listen Port: <HTTPPort>, Destination Host: <CMSServer>, Destination Port: <HTTPPort>

       • Type: TCP, Listen Port: <CORBAPort>, Destination Host: <CMSServer>, Destination Port: <CORBAPort>

     This instructs ssh to forward all requests on <SSHClient>:<Port> via <SSHServer> to <CMSServer>:<Port>. The -g option makes the forwarded ports listen on all interfaces of <SSHClient>, so every host that can reach <SSHClient> can use the tunnel; if <CMSClient> and <SSHClient> are the same machine, omit -g so that the ports are bound to localhost only.

  6. In order to instruct a client to contact <SSHClient> instead of <CMSServer>, you need to configure its client-side ORB with ORB properties and system properties.

     Depending on the type of client, system properties are set either in the JPIF file (for command line tools), in the JNLP file (for Web Start) or in setenv.sh/setenv.bat (for web applications deployed in Tomcat). ORB properties are also set as system properties, except for command line tools, which are described in the next step.

     You need to set the following properties, replacing <CMSServer> and <SSHClient> with the names of the appropriate computers and <CORBAPort> with the port number used at both ends of the SSH tunnel:

     Property Type | Property Name                                         | Property Value
     ORB           | com.sun.CORBA.legacy.connection.ORBSocketFactoryClass | com.coremedia.corba.ORBRedirector50
     System        | com.coremedia.corba.ORBRedirector.original.host       | <CMSServer>
     System        | com.coremedia.corba.ORBRedirector.redirect.host       | <SSHClient>
     System        | com.coremedia.corba.ORBRedirector.original.port       | <CORBAPort>
     System        | com.coremedia.corba.ORBRedirector.redirect.port       | <CORBAPort>

     Table 4.1. Properties for SSH configuration

  7. In order to instruct stand-alone Unified API clients like the command line tools to contact <SSHClient> instead of <CMSServer>, you must configure the ORB property for the socket factory in the connection parameters for the Unified API.

     • If you are setting up the Unified API connection programmatically, consider using the connect(Map) method of the class Cap:

       import java.util.HashMap;
       import java.util.Map;
       import com.coremedia.cap.Cap;
       import com.coremedia.cap.common.CapConnection;

       Map parameters = new HashMap();
       // ... further connection parameters, such as the IOR URL
       // Select the redirecting socket factory for the client-side ORB.
       parameters.put("com.sun.CORBA.legacy.connection.ORBSocketFactoryClass",
                      "com.coremedia.corba.ORBRedirector50");
       CapConnection connection = Cap.connect(parameters);

     • In any case, you may inject the parameter through the IOR URL passed to the Unified API. For command line tools, you can pass the URL on the command line (on a single line):

       cm systeminfo -url "http://<SSHClient>:<HTTPPort>/coremedia/ior?com.sun.CORBA.legacy.connection.ORBSocketFactoryClass=com.coremedia.corba.ORBRedirector50" -u admin -p admin

     • You can also set the extended URL in the file capclient.properties:

       cap.client.server.ior.url=\
         http://<SSHClient>:<HTTPPort>/coremedia/ior?\
         com.sun.CORBA.legacy.connection.ORBSocketFactoryClass=\
         com.coremedia.corba.ORBRedirector50

     • It is also possible to pass an extended URL when opening a connection programmatically.
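Why the redirect properties of Table 4.1 are needed at all, as an added example that is not part of this documentation: the IOR fetched over HTTP embeds the server's own host and CORBA port in its IIOP profile, so an unmodified client would dial <CMSServer> directly and bypass the tunnel. The Python below decodes that profile from a stringified IOR and applies the same host/port mapping as the original/redirect properties; the IOR it builds is a constructed sample, and the rewrite rule (only the configured original host/port pair is replaced) is an assumption about ORBRedirector50, not taken from its source.

```python
import struct

TAG_INTERNET_IOP = 0  # GIOP profile tag for IIOP

class CdrReader:
    """Minimal CDR decoder for one encapsulation; alignment is relative to its start."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 1
        self.end = "<" if buf[0] == 1 else ">"  # first octet is the byte-order flag
    def num(self, fmt, size):
        self.pos += (-self.pos) % size  # CDR aligns primitives to their own size
        value, = struct.unpack_from(self.end + fmt, self.buf, self.pos)
        self.pos += size
        return value
    def octets(self):  # sequence<octet>: ulong length followed by raw bytes
        n = self.num("I", 4)
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def string(self):  # CDR string: the length counts the trailing NUL
        return self.octets()[:-1].decode("latin-1")

def iiop_endpoint(ior):
    """Return (host, port) from the first IIOP profile of a stringified IOR."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    r = CdrReader(bytes.fromhex(ior[4:]))
    r.string()  # repository id, e.g. IDL:...:1.0
    for _ in range(r.num("I", 4)):  # tagged profiles
        tag, body = r.num("I", 4), r.octets()
        if tag == TAG_INTERNET_IOP:
            p = CdrReader(body)
            p.pos += 2  # skip IIOP version major/minor
            return p.string(), p.num("H", 2)
    raise ValueError("no IIOP profile")

def redirect(endpoint, original, redirected):
    """Assumed ORBRedirector semantics: rewrite only the configured original (host, port)."""
    return redirected if endpoint == original else endpoint

def make_ior(type_id, host, port, key=b"key"):
    """Constructed big-endian IOR with one IIOP 1.0 profile (sample input, not a server's IOR)."""
    cstr = lambda s: struct.pack(">I", len(s) + 1) + s.encode("latin-1") + b"\0"
    body = b"\0\1\0\0" + cstr(host)  # byte order, version 1.0, pad, host
    body += b"\0" * (-len(body) % 2) + struct.pack(">H", port)
    body += b"\0" * (-len(body) % 4) + struct.pack(">I", len(key)) + key
    enc = b"\0\0\0\0" + cstr(type_id)  # byte order + pad, then repository id
    enc += b"\0" * (-len(enc) % 4) + struct.pack(">II", 1, TAG_INTERNET_IOP)
    return "IOR:" + (enc + struct.pack(">I", len(body)) + body).hex()
```

Running iiop_endpoint on the IOR served at http://<SSHClient>:<HTTPPort>/coremedia/ior shows which host and port the client would otherwise contact directly.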

An alternative to setting up an SSH tunnel might be the use of a VPN or SSL.

Note

The ORBRedirector only works if the client uses the ORB from the Oracle J2RE. It may not work if you are not using an Oracle J2RE or if the application runs in a third-party web container that provides its own ORB.