Wednesday, April 1, 2015

Oracle Java Cloud Services – On-Premise (Intranet) Integration

 

Introduction

Scenario: You need to migrate you Java EE application to the Oracle Java cloud Services – PaaS. Your Java EE application has some dependencies on services that run in a restricted network (company, hotel, hospital)  on a "server" which you want to access from outside that network. You cannot forward ports to that machine, but you can ssh outside (to your own server) from that “server” or from another machine under the same intranet/firewall with your “server”.

You need another server or even the same “server” to which you setup a persistent ssh connection with a reverse tunnel. You will ssh from one of the machine inside your intranet to the JCS virtual machine. On that ssh session you’ll configure a reverse tunnel that will tunnel your traffic on the port X from your sever to port Y on your JCS VM.

Make sure you have permission to do this from the administrators. They generally don't like holes in the firewall/security. They don't block it for no reason.

We need to make sure this kind of tunnel is highly available and this is why we will configure it as a service with the following properties:

  • Auto-recreation after failure
  • Auto-start during OS boot

As an example we will configure a VirtualBox VM running the VPN client, so being inside the organization intranet. This VBox VM will run 2 services: OpenLdap (port 389) and Oracle 11g XE Database(port 1521).

We’ll configure highly available reverse tunneling from the VBox VM to the Oracle Java Cloud Service Weblogic Admin Server vm for the upper mentioned traffic.

Then we will configure JCS Weblogic Admin Server to consume the upper mentioned LDAP and Database services that are running inside the Oracle Intranet.

 

VirtualBox VM

 

Step 1: Make sure your VirtualBox VM is inside the Intranet

  • Make sure your VPN connection is up:

image

  • Double check an Intranet IP has been allocated to your VirtualBox VM:

image

 

  • Set up your system proxy configurations:

image

Step 2: Check that OpenLDAP and Oracle Database are up and running on your VBox VM

  • Check that your local VBox VM database is up and running and listening on port 1521:

image

  • Check that your local VBox VM OpenLDAP is up and running and listening on port 389:

image

 

JCS WLS Admin Server VM – set up ssh reverse tunneling

 

Step 3: Get the IP of the JCS Admin Server VM

  • Go to the Java cloud Service console and copy the JCS Admin VM IP:

image

  • Add this ip to the VBox VM /etc/hosts file:

image

  • Using the provided key ssh from the VirtualBox VM to the JCS WLS Admin Server VM:

image

Step 4: Configure paswordless root SSH by using public key authentication on JCS WLS AdminServer VM

  • Generate a new ssh key for root user on the JCS Admin WLS VM:
    • Switch to root on the JCS Admin Server WLS VM

    • Generate a new ssh key:

    • Set the file for the key to /home/opc/rootsshkey
    • Set empty passphrase

image

    • Create a new file called authorized_keys under /root/.ssh/

    • Paste inside the /root/.ssh/authorized_keys the entire content of the public key created above: /home/opc/rootsshkey.pub

image

    • Set the proper permissions:

    • To enable the key copy process change the ownership of the previously generated public keys:

    • Copy the ssh key from the remote host(JCS VM) to the local host(VirtualBox VM)

    • Set the right permissions for the root ssh key on the VBox VM:

  • Enable root passwordless ssh key login on the JCS WLS Admin VM:
    • As root on the JCS WLS Admin VM edit /etc/ssh/sshd_config

    • Set the following configuration:

image

    • Restart sshd service on the JCS WLS Admin VM:

image

    • SSH without using the password and by using the generated key from the VBox VM to the JCS WLS Admin VM:

image

Step 5: Create the reverse ssh tunnel

Note: SSH –R: Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.

By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote bind_address will only succeed if the server's GatewayPorts option is enabled.

  • Check that there is nothing listening on the JCS WLS Admin VM on ports 1522, respectively 389.

  • Let’s reverse tunnel (forward) traffic on ports 1521 and 389 from the intranet VBox VM to the JCS WLS Admin VM ports: 1522 and, respectively 389. We’ll do this in a SSH session started on the VBox VM against the JCS WLS Admin VM:

  • Check if the JCS WLS Admin VM is listening now on ports 1522 and 389:

image

Create a highly available ssh reverse tunnel

High availability is the most important concern of this approach.

In the next section will transform the ssh tunnel configured above in a linux service that will also auto restart the tunnel in case of failure. This linux service should run the ssh tunneling process as a background process.

We will also make this service start at OS boot.

 

STEP 6: Creating an SSH tunnel high available linux service

  • For creating a high available ssh tunnel linux service we can create our own /etc/ini.d/ script or we can use an already existing tool. In this document we will use an already existing tool called autossh.

Note: Autossh is a program to start an instance of ssh and monitor it, restarting it as necessary should it die or stop passing traffic. The idea is from rstunnel (Reliable SSH Tunnel), but implemented in C. Connection monitoring is done using a loop of port forwardings. It backs off on the rate of connection attempts when experiencing rapid failures such as connection refused.

Download the autossh rpm for Red Hat/Oracle Enterprise Linux from here.

  • Create the autossh ssh tunneling session from the VBox VM to the JCS WLS Admin VM. First make sure you have killed your previous tunneling sessions.

  • Now you have a highly available service like background process that creates to reverse tunnels.

STEP 7: Make this service start at OS boot

  • For making this service start at boot we can either create a /etc/rc.d/ script or use a simple Oracle Linux UI menu feature called: Startup Applications.
  • Navigate to System -> Preferences -> Startup Applications

image

  • Create a new entry there that will contain the autossh command above:

image

 

Connect from JCS WLS Server to the on premise (intranet) Database and OpenLDAP servers

 

  • Check that your JCS WLS Admin VM is listening on ports: localhost:1522 for database and locahost:389 for OpenLDAP

image

STEP 8: Create a JCS WLS datasource connection against the Oracle 11g XE Database that runs inside Oracle intranet

  • Access the JCS Weblogic admin console and configure a new datasource with the following details:

image

STEP 9: Create a JCS WLS OpenLDAP authentication provider against the OpenLDAP server that runs inside Oracle intranet

  • We have already created an OpenLDAP provider called OpenLDAPIntranet that can be found under: JCS WLS Admin Console -> security Realms -> myrealm -> Providers:

image

  • The OpenLDAP provider relevant configuration is:

image

  • In order to test the OpenLDAPIntranet provider navigate to JCS WLS Admin Console -> security Realms -> myrealm -> Users and Groups and identify the OpenLDAPIntranet users:

image