Problem:
This technote describes how to get the admin console to connect remotely across a firewall that has Network Address Translation (NAT) enabled.

Environment:
WebSphere Application Server 3.x Standard Edition (SE) & Advanced Edition (AE) or 4.0.x AE
Firewall with Network Address Translation (NAT) enabled and WebSphere Application Server

Solution:
The admin console uses RMI/IIOP to communicate with the WebSphere Application Server admin server. When a firewall using NAT is placed in between, communication fails because the IOR packets contain the IP address of the WebSphere Application Server box in the body of the packet, which NAT doesn't translate. NAT only translates IP addresses in the packet header. As a result, the admin console JNDI interface tries to resolve the IP address of the WebSphere Application Server box as it is known on the other side of the firewall rather than the translated IP address.

To solve this problem, we need to replace the IP address embedded in the IOR packets with a hostname of the Application Server box, specifically the shortname of the hostname. Having this same shortname resolve to the translated IP address of the Application Server box will allow the admin console to communicate with the WebSphere Application Server admin server. Here are the instructions:
- First follow the instructions in the DCF technote titled "Ports required for Remote Admin Client through a firewall" (Hint & Tip #1000281) to open the needed ports through the firewall. If the Application Server security is enabled, com.ibm.CORBA.SSLPort and com.ibm.CORBA.LSDSSLPort need to be defined for the admin server and com.ibm.CORBA.SSLPort needs to be defined for the application server and opened in the firewall. This is specified in the WebSphere Application Server 3.5.x release notes.
- On the Application Server box, make sure the shortname of the Application Server box resolves to the IP address of the Application Server box (either through the DNS server or through the hosts file on the WebSphere Application Server box).
- On the box running the remote admin console on the other side of the firewall, make sure the same shortname of the WebSphere Application Server box resolves to the translated IP address of the Application Server box (either through the DNS server or through the hosts file on the WebSphere Application Server box).
- Make sure that the firewall also translates the address of the box running the remote admin console, so that the Application Server box can see it.
- Stop the Application Server, and add the following line to the <WAS root>/bin/admin.config file of the Application Server box (the shortname may be case sensitive depending on the method of name resolution):
com.ibm.CORBA.LocalHost=<shortname>
- Start the Application Server and try to connect from the box running the remote admin console:
adminclient(.bat or .sh) <shortname> [port # optionally depending on if you changed it from the default 900 on the Application Server box]

NOTE: For WebSphere Application Server 3.5.3 to 4.0.2, interim fix PQ56074 is required.
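
To check that the com.ibm.CORBA.LocalHost change took effect, you can decode a stringified IOR and look at the host carried in its IIOP profile. The following is an added example, not IBM's code: it parses the standard CORBA IOR encoding and reports whether the embedded host is an IP literal (which NAT will not rewrite) or a name. The sample IORs, the type id IDL:Sample:1.0, the address 10.0.0.5 and the shortname washost are constructed for illustration.

```python
import ipaddress
import struct

class CDR:
    """Minimal CDR reader; alignment is relative to the encapsulation start."""
    def __init__(self, data):
        self.buf, self.pos = data, 1
        self.order = "<" if data[0] else ">"  # first octet: 1 = little-endian
    def num(self, fmt):
        size = struct.calcsize(self.order + fmt)
        self.pos += -self.pos % size  # skip padding to the natural boundary
        (value,) = struct.unpack_from(self.order + fmt, self.buf, self.pos)
        self.pos += size
        return value
    def octets(self):
        n = self.num("I")  # sequence<octet>: ulong length, then the bytes
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def string(self):
        return self.octets()[:-1].decode("ascii")  # drop the trailing NUL

def iiop_endpoints(ior):
    """Return (host, port) for every IIOP profile in a stringified IOR."""
    cdr = CDR(bytes.fromhex(ior[4:]))  # strip the "IOR:" prefix
    cdr.string()  # repository type id, not needed here
    found = []
    for _ in range(cdr.num("I")):
        tag, body = cdr.num("I"), cdr.octets()
        if tag == 0:  # TAG_INTERNET_IOP
            prof = CDR(body)  # the profile body is its own encapsulation
            prof.pos += 2  # skip IIOP version (major, minor)
            found.append((prof.string(), prof.num("H")))
    return found

def host_is_ip_literal(host):
    """True if the IOR carries a raw address, which NAT will not rewrite."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def sample_ior(host, port):
    """Constructed big-endian IOR with one IIOP 1.0 profile (sample data)."""
    pad = lambda b, n: b + b"\0" * (-len(b) % n)
    cstr = lambda s: struct.pack(">I", len(s) + 1) + s.encode() + b"\0"
    prof = pad(pad(b"\0\x01\0", 4) + cstr(host), 2) + struct.pack(">H", port)
    prof = pad(prof, 4) + struct.pack(">I", 3) + b"key"
    body = pad(pad(b"\0", 4) + cstr("IDL:Sample:1.0"), 4)
    return "IOR:" + (body + struct.pack(">III", 1, 0, len(prof)) + prof).hex()
```

A name in the IOR only helps if it resolves correctly on each side of the firewall, as the name-resolution steps above require.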
Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Security
Operating system(s): Multi-Platform
Software version: 3.0, 3.0.1, 3.0.2.x, 3.5, 4.0.1, 4.0.2
Software edition: Advanced Edition, Standard & Advanced Editions
Reference #: 1006499
IBM Group: Software Group
Modified date: 2003-05-01
(C) Copyright IBM Corporation 2000, 2004. All Rights Reserved.