Gatekeeper Guide : Introduction to GateKeeper
Introduction to GateKeeper
This section provides an overview of GateKeeper and describes different ways to start it.
What is GateKeeper?
GateKeeper is an OMG-CORBA compliant General Inter-ORB Protocol (GIOP) Proxy Server developed by Micro Focus which enables CORBA clients and servers to communicate across networks while conforming to security restrictions imposed by Internet browsers, firewalls, and Java sandbox security. In effect, GateKeeper serves as a gateway or proxy for clients and servers when security restrictions prevent clients from communicating with the servers directly.
GateKeeper is often used when you do not want to expose the server directly to clients or when a client's access to the server is restricted. In the latter case, either the client is an unsigned applet or there is an intervening firewall.
GateKeeper as a Gateway or Proxy
When a distributed system based on the VisiBroker ORB is deployed over the Internet or an intranet, there are many security restrictions that can apply to the system, including:
server-side firewalls preventing clients from accessing certain server hosts.
client-side firewalls preventing outgoing connections.
client-side firewalls prohibiting protocols other than HTTP.
GateKeeper, along with the VisiBroker ORB, provides mechanisms to work with these restrictions based on the OMG CORBA Firewall specification by acting as a gateway or proxy between the client and the server. When certain restrictions prevent the client from connecting directly to the server, the client can choose to connect to GateKeeper. The client can send messages to GateKeeper which will forward the messages to the server.
When certain restrictions prevent the server from connecting back to the client to do callbacks, the server can choose to connect to GateKeeper. The server can send callback messages to GateKeeper which will forward the messages to the client.
In short, GateKeeper provides the following features:
Proxy to overcome firewalls
Callback enabling
Location transparency
Java
HTTP tunneling
Additional capabilities of GateKeeper
In brief, the additional capabilities of GateKeeper are:
Java: Acts as a simple Web Server to load Java classes. Java sandbox security prevents unsigned Java applets from communicating with servers other than the ones running on the host machine from which the applets were downloaded. GateKeeper can be configured to overcome this problem.
Java: BootStrapping. GateKeeper can run as a servlet inside any Web Server that supports servlets. This configuration enables IIOP over HTTP (HIOP) and is useful for Java clients.
Load Balancing and Fault Tolerance. A master GateKeeper and one or more slave GateKeepers can be clustered together and viewed as a single GateKeeper by the clients. This configuration provides the flexibility to balance the load and allows some degree of fault tolerance.
Customizable IP-based access control. GateKeeper can be configured to deny or grant accessibility based on criteria such as operations, signed by, and so forth.
Note
For more details on GateKeeper configurations, see “Advanced features”
Primary Use of GateKeeper
GateKeeper is primarily used as a proxy to overcome firewall and transport restrictions. In addition, GateKeeper acts as a Web Server and also incorporates load balancing and access control. GateKeeper, however, should never be used like a full-fledged Web Server, a full-fledged load balancing system, nor a full-fledged access control system. GateKeeper should instead complement its full-fledged counterparts.
Installing GateKeeper
GateKeeper is shipped as a component of VisiBroker. GateKeeper requires the following components:
VisiBroker Smart Agent
VisiBroker ORB Libraries
VisiBroker GateKeeper properties file
VisiBroker Console, for managing GateKeeper
Note
GateKeeper is a stand-alone process. It does not require any of the CORBA IDL compilers.
Starting GateKeeper
The choice of the directory in which to start GateKeeper is determined by how it is being used.
As an IIOP proxy server for a firewall
As a Web Server to support HIOP
In combination with a separate Web Server to support HIOP for VisiBroker for Java
If you use GateKeeper as an IIOP proxy, consult your firewall administrator because the firewall administrator typically is in charge of proxies.
If you use GateKeeper as a complementary Web Server, Micro Focus recommends that you start GateKeeper in the same directory as the Java applets' code base. You can either start GateKeeper at the command line or as a Windows/NT service with the first two features listed above.
If you use GateKeeper in combination with a separate Web Server, you can start GateKeeper as a servlet in the Web Server.
Starting GateKeeper from the command line
Use the following command to start GateKeeper:
prompt> gatekeeper <options>
Note
Before you can start GateKeeper from the command line, you must first ensure that your CLASSPATH setting includes servlet.jar in its path. You can locate servlet.jar under the VisiBroker installation directory:
<install_dir>/lib/
where <install_dir> represents the root directory location in which VisiBroker is installed, such as: C:\MicroFocus\VisiBroker on Windows.
On Windows, for example, specify CLASSPATH as an environment variable and include servlet.jar in the search path.
When you start GateKeeper, you will see a start up message followed by a series of messages indicating which services are being started. An example of this series of messages follows.
Sun Feb 16 23:43:28 2014: Starting GateKeeper for VisiBroker ...
Sun Feb 16 23:43:31 2014: Request Forwarding Service is started.
Sun Feb 16 23:43:31 2014: Administrative Service is started.
Sun Feb 16 23:43:31 2014: IOR is stored in GateKeeper.ior.
Sun Feb 16 23:43:31 2014: GateKeeper for VisiBroker is started.
Command line options
When using the gatekeeper command, the following command line options are allowed:
Option
Description
-props file_name
Indicates the name of the GateKeeper’s properties file. You can include the entire path when you specify the file name. The default location for this file is the directory where you installed GateKeeper. The default name for this file is gatekeeper.properties.
-J-D<Property-name>=<value>
Specifies a property of GateKeeper at startup.
-h, -help, -usage, -?
Displays usage information.
-quiet
Specifies for GateKeeper to not generate output.
Running GateKeeper as an NT service
You can install GateKeeper as an NT service. Before you do so, make sure that you can run GateKeeper from a DOS prompt on your target NT platform.
To install GateKeeper as an NT service, type the following command at a command line, where servicename is the name of the GateKeeper you are installing.
gatekeeper -install ”servicename
If you use the -props option to specify a properties file, make sure you include the full path name of the properties file you specify.
After you've installed GateKeeper as an NT service, you can start it using the standard Services control panel.
Removing GateKeeper as an NT service
To remove a GateKeeper NT service, use the following syntax at a command prompt:
gatekeeper -remove ”servicename
Running GateKeeper as a servlet in a Web Server
GateKeeper can run as a servlet inside any Web server that supports servlets. GateKeeper is started with a special HIOP listener whose purpose is to generate the right HIOP component in the GateKeeper’s IOR. The HIOP component should contain the Web server's host, port and the path to the GateKeeper servlet. The client will send HIOP requests to the GateKeeper as specified in the HIOP component. The benefit of this feature is in deployment and packaging to allow tighter integration with other components of the system such as a Web server and Partitions.
Generally, there is no significant performance benefit in running GateKeeper as a servlet under the Web Server because all tunnelled requests still go through GateKeeper in the same way they do when GateKeeper is run as a stand-alone process.
Note
If you run GateKeeper as a servlet instead of from the command line, you will lose some administrative capabilities as well as GateKeeper output capabilities.
Managing GateKeeper
The VisiBroker Console enables you to set GateKeeper’s properties to meet the requirements of your networked system. GateKeeper's properties are kept in a properties file that GateKeeper references at startup.