VisiBroker for .NET Developer’s Guide : Using VisiBroker for .NET with GateKeeper

Using VisiBroker for .NET with GateKeeper
This chapter explains how to configure properties to use the VisiBroker GateKeeper service with VisiBroker for .NET applications. Refer to the VisiBroker GateKeeper Guide for information on using GateKeeper.
What is GateKeeper?
The VisiBroker GateKeeper is a CORBA General Inter-ORB Protocol (GIOP) compliant GIOP Proxy Server that enables CORBA clients and servers to communicate across networks while conforming to security restrictions imposed by Internet browsers, firewalls, and Java sandbox security. In effect, GateKeeper serves as a gateway or proxy for clients and servers when security restrictions prevent clients from communicating with the servers directly.
GateKeeper is often used when you do not want to expose the server directly to clients or when a client's access to the server is restricted. In the latter case, either the client is an unsigned applet or there is an intervening firewall.
Enabling the VisiBroker for .NET Firewall feature
VisiBroker for .NET supports the CORBA 2.6 firewall specification. By default, the firewall feature is turned off in VisiBroker for .NET. If you are developing a VisiBroker for .NET application that works with the VisiBroker GateKeeper service, you must turn the firewall feature on explicitly with the janeva.firewall property; in the application configuration file this is the <firewall enabled="true"/> element under <visinet>, as in the examples at the end of this chapter.
VisiBroker for .NET server-side configuration
In order to enable the client to communicate with the server through GateKeeper, the server has to export the firewall path to the client by setting the properties below. Refer to the VisiBroker GateKeeper Guide for the complete property reference.

vbroker.orb.exportFirewallPath=true
    When this property is set to true, the firewall path is embedded as a component of the server's IOR profile. Without it, clients have no way to learn which proxy to go through.

vbroker.se.iiop_tp.firewallPaths=<paths>
    Use this property to declare all firewall paths on the iiop_tp server engine. <paths> is a set of user-defined names for the communication paths from the clients to the servers, separated with commas.

vbroker.firewall-path.<path>=<components>
    Names, separated with commas, the firewall components that make up the path <path>. Each component is then described by the vbroker.firewall.<component>.* properties.

vbroker.firewall.<component>.type=TCP|PROXY
    TCP declares a TCP firewall (with NAT when the host and port properties below are also set); PROXY declares a GIOP proxy such as GateKeeper.

vbroker.firewall.<component>.ior=<ior>
    The IOR of a PROXY component. It may be given in any of these forms:
    1. file:C:/GateKeeper/GateKeeper.ior
    2. http://www.inprise.com/GK GateKeeper.ior
    3. IOR:2398402841729073423497234234234

vbroker.firewall.<component>.host=<host>
    Specifies a fake host name for the component server. This is specified together with vbroker.firewall.<component>.type=TCP when the component is a TCP firewall with NAT.

vbroker.firewall.<component>.iiop_port=<port>
    Specifies a fake IIOP port for the component server. This is specified together with vbroker.firewall.<component>.type=TCP when the component is a TCP firewall with NAT.

vbroker.firewall.<component>.ssl_port=<port>
    Specifies a fake SSL port for the component server. This is specified together with vbroker.firewall.<component>.type=TCP when the component is a TCP firewall with NAT.

vbroker.firewall.<component>.hiop_port=<port>
    Specifies a fake HIOP port for the component server. This is specified together with vbroker.firewall.<component>.type=TCP when the component is a TCP firewall with NAT.
If the client defines vbroker.orb.enableBiDir=client and the server defines vbroker.orb.enableBiDir=server, the value of vbroker.orb.enableBiDir in GateKeeper determines the state of the connection. If you set the vbroker.se.exterior.scm.ex-iiop.manager.importBiDir property to true, GateKeeper accepts bidirectional connections from the client. Setting the vbroker.se.exterior.scm.ex-iiop.manager.exportBiDir property to true causes GateKeeper to request bidirectional connections with the server.
VisiBroker for .NET client-side configuration
The following table describes the properties specific to client side configuration. Besides enabling the firewall feature, the client example at the end of this chapter sets vbroker.orb.alwaysProxy=true, which makes the client send every request through GateKeeper instead of first attempting a direct connection to the server.
You can selectively make bidirectional connections. If the client defines vbroker.orb.enableBiDir=client and the server defines vbroker.orb.enableBiDir=server, the value of vbroker.orb.enableBiDir in GateKeeper determines the state of the connection. For example, if you set the vbroker.se.exterior.scm.ex-iiop.manager.importBiDir property to true, GateKeeper accepts bidirectional connections from the client. Setting the vbroker.se.exterior.scm.ex-iiop.manager.exportBiDir property to true causes GateKeeper to request bidirectional connections with the server.
Callbacks with GateKeeper's bidirectional support
With bidirectional IIOP, servers use the client-initiated connections to transmit asynchronous information back to the clients. Servers need not initiate any connections to the client.
Figure 4: GateKeeper between the client and the server
In the figure above, GateKeeper sits between the client and server and therefore it acts as a server for the client and as a client for the server. The Client/GateKeeper and the GateKeeper/Server communication channels can be set to unidirectional or bidirectional connections.
You can also selectively set the channels to unidirectional or bidirectional. If the client defines vbroker.orb.enableBiDir=client and the server defines vbroker.orb.enableBiDir=server, the value of vbroker.orb.enableBiDir in GateKeeper determines the type of each channel. Because GateKeeper is the server end of the Client/GateKeeper channel and the client end of the GateKeeper/Server channel, each value enables the channel on which GateKeeper plays that role:

vbroker.orb.enableBiDir in GateKeeper | Client/GateKeeper channel | GateKeeper/Server channel
none                                  | unidirectional            | unidirectional
client                                | unidirectional            | bidirectional
server                                | bidirectional             | unidirectional
both                                  | bidirectional             | bidirectional
Security considerations
Use of bidirectional IIOP raises significant security issues. In the absence of other security mechanisms, a malicious client may claim that its connection is bidirectional for use with any host and port it chooses; in particular, it may name the host and port of security-sensitive objects that are not even resident on its host, so that requests for those objects are routed back over the connection the client controls. In the absence of other security mechanisms, a server that has accepted an incoming connection has no way to discover the identity or verify the integrity of the client that initiated it. Further, the server might gain access to other objects reachable through the bidirectional connection. If there are any doubts as to the integrity of the client, do not use bidirectional IIOP. For this reason, a server running VisiBroker for .NET will not use bidirectional IIOP unless explicitly configured to do so.
Examples
The following example shows a client side configuration. Setting vbroker.orb.alwaysProxy to true makes the client always send its requests to the server through GateKeeper as a proxy, rather than first attempting a direct connection.
<configuration>
  <configSections>
    <section name="visinet" type="Janeva.Settings, Borland.Janeva.Runtime"/>
  </configSections>
  <visinet>
    ...
    <firewall enabled="true"/>
    <vbroker vbroker.orb.alwaysProxy="true"/>
  </visinet>
</configuration>
The following example shows a server side configuration. It defines a firewall path called "internet" with one node named "proxy". This node is of the PROXY type, and its IOR is fetched from the URL at which GateKeeper publishes it; vbroker.orb.exportFirewallPath=true puts the path into the server's IOR so that clients can find the proxy.
<configuration>
  <configSections>
    <section name="visinet" type="Janeva.Settings, Borland.Janeva.Runtime"/>
  </configSections>
  <visinet>
    ...
    <firewall enabled="true"/>
    <server defaultPort="10000">
      <remoting enabled="false"/>
    </server>
    <vbroker vbroker.orb.exportFirewallPath="true"
             vbroker.se.iiop_tp.firewallPaths="internet"
             vbroker.firewall-path.internet="proxy"
             vbroker.firewall.proxy.type="PROXY"
             vbroker.firewall.proxy.ior="http://localhost:9091/gatekeeper.ior"/>
  </visinet>
</configuration>
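The server-side property table and the security considerations above describe a configuration that is easy to get subtly wrong: a declared path with no component definition, a PROXY node with no IOR, or bidirectional IIOP switched on without anyone deciding to. The following added example (not code from the VisiBroker for .NET guide or from Borland) parses a <visinet> configuration file and checks those points before the server is deployed. The sample configuration it embeds is constructed for the example; it extends the server example above with a second node, a TCP firewall with NAT named "nat" in front of the GateKeeper proxy "proxy". It assumes that vbroker.firewall-path.<path> takes a comma-separated component list, that the TCP-node properties are vbroker.firewall.<component>.host, .iiop_port, .ssl_port and .hiop_port as in the table above, and that a TCP node is a NAT firewall that must publish a host and at least one port; confirm those against the GateKeeper Guide.

```python
"""Added example (not part of the VisiBroker for .NET guide): parse a
<visinet> configuration and sanity-check its GateKeeper firewall-path
properties before deploying the server.

Assumptions (not confirmed by the guide): vbroker.firewall-path.<path> is a
comma-separated component list; TCP nodes carry vbroker.firewall.<comp>.host
and .iiop_port/.ssl_port/.hiop_port and are NAT firewalls that need them.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration: the guide's server example plus a TCP/NAT node.
SAMPLE_CONFIG = """<configuration>
  <configSections>
    <section name="visinet" type="Janeva.Settings, Borland.Janeva.Runtime"/>
  </configSections>
  <visinet>
    <firewall enabled="true"/>
    <server defaultPort="10000">
      <remoting enabled="false"/>
    </server>
    <vbroker vbroker.orb.exportFirewallPath="true"
             vbroker.se.iiop_tp.firewallPaths="internet"
             vbroker.firewall-path.internet="nat,proxy"
             vbroker.firewall.nat.type="TCP"
             vbroker.firewall.nat.host="fw.example.test"
             vbroker.firewall.nat.iiop_port="10000"
             vbroker.firewall.proxy.type="PROXY"
             vbroker.firewall.proxy.ior="http://localhost:9091/gatekeeper.ior"/>
  </visinet>
</configuration>
"""

PORT_PROPS = ("iiop_port", "ssl_port", "hiop_port")


def vbroker_properties(xml_text):
    """Return the vbroker.* properties as a dict.

    In the VisiBroker for .NET configuration file each property is an
    attribute of the <vbroker> element, so attribute names are property names.
    """
    vb = ET.fromstring(xml_text).find("visinet/vbroker")
    return dict(vb.attrib) if vb is not None else {}


def firewall_enabled(xml_text):
    """True when <firewall enabled="true"/> is present under <visinet>."""
    fw = ET.fromstring(xml_text).find("visinet/firewall")
    return fw is not None and fw.get("enabled", "false").lower() == "true"


def _split(csv):
    return [item.strip() for item in csv.split(",") if item.strip()]


def check_firewall_config(xml_text):
    """Return a list of problems found; an empty list means the config is consistent."""
    problems = []
    props = vbroker_properties(xml_text)

    if not firewall_enabled(xml_text):
        problems.append('firewall feature is off; GateKeeper requires <firewall enabled="true"/>')
    if props.get("vbroker.orb.exportFirewallPath", "false").lower() != "true":
        problems.append("vbroker.orb.exportFirewallPath is not true; the path will not be in the IOR")

    # Paths declared on any server engine (vbroker.se.<se>.firewallPaths).
    declared = set()
    for name, value in props.items():
        if name.startswith("vbroker.se.") and name.endswith(".firewallPaths"):
            declared.update(_split(value))
    if not declared:
        problems.append("no vbroker.se.<se>.firewallPaths property declares a path")

    for path in sorted(declared):
        components = props.get(f"vbroker.firewall-path.{path}")
        if components is None:
            problems.append(f"path '{path}' is declared but vbroker.firewall-path.{path} is missing")
            continue
        for comp in _split(components):
            prefix = f"vbroker.firewall.{comp}."
            ctype = props.get(prefix + "type")
            if ctype == "PROXY":
                if not props.get(prefix + "ior"):
                    problems.append(f"PROXY component '{comp}' has no {prefix}ior")
            elif ctype == "TCP":
                # Assumption: a TCP node is a NAT firewall and must publish fake host/port.
                if not props.get(prefix + "host"):
                    problems.append(f"TCP component '{comp}' has no {prefix}host")
                if not any(props.get(prefix + p) for p in PORT_PROPS):
                    problems.append(f"TCP component '{comp}' has no iiop_port/ssl_port/hiop_port")
            else:
                problems.append(f"component '{comp}' has type {ctype!r}; expected TCP or PROXY")

    # The guide's security note: a server accepts bidirectional IIOP only when
    # configured to. Flag it so that it is a deliberate decision, not an accident.
    bidir = props.get("vbroker.orb.enableBiDir", "none")
    if bidir in ("server", "both"):
        problems.append(f"vbroker.orb.enableBiDir={bidir}: the server will accept bidirectional "
                        "connections; any client can then claim its connection reaches any host:port")
    return problems


if __name__ == "__main__":
    for problem in check_firewall_config(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

Run the script against your own configuration file by replacing SAMPLE_CONFIG with its contents; an empty problem list means every declared path resolves to fully described components and bidirectional IIOP is off on the server side. The bidirectional check is the one to leave in place even if the path rules are relaxed, since it catches exactly the setting the security considerations warn about.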