Hi all, I have a weird issue with the id-provider. We want to use it to create unique numbers for the userapp. Everything works nicely in the dev environment, but in acceptance we are running into network issues because the uapp is running in a separate LAN. I used wireshark on both ends to see what is happening and this is it:
1. UAPP requests on tcp 1199 from random port - Firewall OK
2. IDV replies from tcp 1199 to that port - Firewall OK
3. A new stream is opened from the IDV to Uapp on port 56995 - Firewall Blocks
4. I get -1 :(
I see nothing about this in the documentation but I did find some people with the same problem so I thought I'd try and get to the bottom of it.
I have some questions:
1. What is the best way to solve this?
2. Is there a set range of ports for the RMI traffic?
3. Can you lock it down to a certain range?
The RMI stuff is documented on Java's site if you want details, but basically RMI, like RPC and FTP data and other protocols, arranges for an alternate port to be used for the real work, and that is now an option as well using the latest shim and packages, documented as shown below:
RMI Service port: The TCP port for the RMI ID Provider service. The server uses an ephemeral port if the value of this parameter is zero.
By default you get ephemeral (high, dynamic) ports for things as you witnessed, so the workaround there is either to have a really smart firewall, or just to open those really high ports (usually 32768 to 65535 or so) so that, when listening, things work. Thankfully NetIQ provided an option here, so as long as you only have the one request at a time (usually a safe-enough assumption considering how quickly these transactions happen) you're just fine.
-- Good luck.
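To show the two-port behaviour the reply describes, here is an added Java example (not from the original thread and not NetIQ's code): a minimal RMI server with its registry on 1199 and the remote object exported either on an ephemeral port (the default, which produced the blocked stream above) or on a fixed port passed as an argument. The interface name, class names and the counter are hypothetical stand-ins for the ID Provider.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class FixedPortRmiServer {
    // Hypothetical remote interface standing in for the ID Provider's "next number" call.
    public interface IdService extends Remote {
        long nextId() throws RemoteException;
    }

    static class IdServiceImpl implements IdService {
        private long counter = 0;
        public synchronized long nextId() { return ++counter; }
    }

    // Registry port seen in the capture (steps 1 and 2).
    static final int REGISTRY_PORT = 1199;

    public static void main(String[] args) throws Exception {
        // 0 = let Java pick an ephemeral port, i.e. the default behaviour that was blocked.
        int servicePort = args.length > 0 ? Integer.parseInt(args[0]) : 0;

        // Step 1/2 of the capture: the client looks the object up in the registry on 1199.
        Registry registry = LocateRegistry.createRegistry(REGISTRY_PORT);

        // Step 3: the stub handed back by the registry tells the client which port the
        // object was exported on. With 0 that is an ephemeral high port the firewall
        // has no rule for; with a fixed port the rule can be written up front.
        IdServiceImpl impl = new IdServiceImpl();
        IdService stub = (IdService) UnicastRemoteObject.exportObject(impl, servicePort);
        registry.rebind("IdService", stub);

        // The stub also carries the server's hostname/IP, so in a multi-LAN setup the
        // address embedded here must be reachable from the client side as well.
        System.out.println("registry on " + REGISTRY_PORT + ", service exported on "
            + (servicePort == 0 ? "an ephemeral port" : "port " + servicePort));
    }
}
```

Passing 1199 as the fixed port makes RMI share the registry's listener, so only one TCP port has to be opened between the two LANs.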