Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 10 Network Communication: Using the TIBCO iProcess Engine in a Firewalled Environment

Using the TIBCO iProcess Engine in a Firewalled Environment
In many enterprise network models, a firewall is used to link logical networks together to provide access security into the protected network. The following section describes how the iProcess Engine can be configured to work in a firewall environment.
What is a Firewall?
A firewall is a computer that links two logical networks together and re-routes data between the two networks as required. The firewall computer also contains a filter. This filter only allows data through that is requesting a particular service, using a variety of filtering methods defined by the firewall administrator.
A typical use of a firewall is for Web servers. A Web server needs to be accessed by remote computers outside of the logical network so they can access the web service. However, these computers should not be able to access other services on that server that are more likely to be a security risk.
Firewalls vary in how they restrict access to the network. They can:
Many firewalls can inspect the data being sent (known as packets) to obtain the RPC number requested for an RPC call, and allow the data through only if it requests a particular RPC number, and therefore a particular RPC service.
iProcess RPC and Firewall Access
When an iProcess Workspace and the iProcess Engine are separated by a firewall, the iProcess Suite can fail because its communication method, remote procedure calls (RPC), is blocked by the firewall filter. Because iProcess Engine RPC services are allocated dynamically, the firewall filter is not set up to open all of the ports that the iProcess Engine is using. Not all of the ports will be open because the firewall administrator has set up restrictions to secure the network.
The RPC numbers are allocated dynamically, so there is no fixed set of RPC numbers for a firewall administrator to add to the filter. If the ports used are not opened on the firewall, the iProcess Workspace and iProcess Engine cannot communicate because data requests are denied by the firewall. For the iProcess Engine to operate in this environment, the firewall administrator needs to know which ports the iProcess Engine is using so that iProcess RPC calls can be allowed through the filter.
You can set up the iProcess Engine to use a specific range of ports and/or RPC numbers so that the firewall administrator has a range of port numbers to add to the firewall filter. You can use one or both of the following methods to do this:
You use the SWDIR\util\swadm utility to configure port range and/or RPC number filtering. Refer to “Administering Firewalls” in the TIBCO iProcess Engine: Administrator's Guide for more information.
Port/RPC Number Resource Logging
When Port/RPC numbering is enabled, a log file containing resource allocation and release operations is stored in SWDIR\logs\rpcport.log. This is a text file containing entries for the following events:
Using Oracle Events Through a Firewall
You can specify a range of AQ port numbers to be used in iProcess for communication through the firewall with Oracle Events.
You must ensure that you specify enough AQ ports for iProcess system processes. On a typical system, you should specify a minimum of 7 ports for iProcess (sentinel and utility processes), plus an additional port for each process defined in the process_config database table.
In addition to configuring the AQ port range in iProcess, you must also ensure that your firewall is configured to allow access for the iProcess AQ port range as well as the iProcess RPC port range, and any required Oracle ports (such as the default port 1521).
The following two tables are provided:
aq_port_range_conf: this records port ranges including the start port number and the count of the ports.
aq_port_range: this records the state of every port in every range.
You use the SWDIR\util\swadm utility to configure the AQ port range. Refer to “Administering Firewalls” in the TIBCO iProcess Engine: Administrator's Guide for more information.
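The sizing rule above (7 ports for sentinel and utility processes plus one per process_config entry) and the requirement that the firewall allow the AQ range, the RPC range and the Oracle port can be checked before raising a change request. The following is an added example, not code from the TIBCO product or its documentation; PortRange is a constructed stand-in for an aq_port_range_conf row (start port and count), and the allowed-rule list is a constructed model of the firewall's configuration.

```python
# Added example (not part of the TIBCO documentation): sizing and consistency
# checks for the iProcess AQ port range. The constants come from the text;
# PortRange and the firewall rule list are constructed stand-ins, not the
# product's own data structures.
from dataclasses import dataclass

BASE_AQ_PORTS = 7           # sentinel and utility processes (from the text)
ORACLE_DEFAULT_PORT = 1521  # default Oracle listener port named in the text


@dataclass(frozen=True)
class PortRange:
    """Models one aq_port_range_conf row: a start port and a port count."""
    start: int
    count: int

    @property
    def end(self) -> int:
        # last port in the range, inclusive
        return self.start + self.count - 1

    def is_valid(self) -> bool:
        return self.count > 0 and 1 <= self.start and self.end <= 65535

    def contains(self, port: int) -> bool:
        return self.start <= port <= self.end


def required_aq_ports(process_config_rows: int) -> int:
    """Minimum AQ ports: 7 base ports plus one per process_config entry."""
    return BASE_AQ_PORTS + process_config_rows


def aq_range_is_sufficient(aq_conf: PortRange, process_config_rows: int) -> bool:
    return aq_conf.is_valid() and aq_conf.count >= required_aq_ports(process_config_rows)


def overlapping(a: PortRange, b: PortRange) -> bool:
    """True if the AQ and RPC ranges would hand out the same port numbers."""
    return a.start <= b.end and b.start <= a.end


def firewall_gaps(allowed: list[PortRange], aq_conf: PortRange,
                  rpc_conf: PortRange,
                  oracle_ports=(ORACLE_DEFAULT_PORT,)) -> list[int]:
    """Ports iProcess needs (AQ range, RPC range, Oracle) that no allow rule covers."""
    needed = [p for r in (aq_conf, rpc_conf) for p in range(r.start, r.end + 1)]
    needed += list(oracle_ports)
    return sorted(p for p in needed if not any(r.contains(p) for r in allowed))
```

An empty list from firewall_gaps means every port the engine can be allocated is already reachable through the firewall; any port it returns is one the administrator still has to open.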
Using JMX Through a Firewall
JMX relies on a Java technology called RMI, which uses dynamic ports to communicate between a client and a server. Firewalls cannot handle dynamic ports because they need to know the port number in advance. iProcess overcomes this problem by statically assigning a listening port for the RMI server.
Refer to the Post Installation tasks in TIBCO iProcess Installation for more information.