Implementing the Security Wrapper on RMI Gateway

The RMI security wrapper is a wrapper class for the ENOVIA Live Collaboration Server that provides the ability to restrict which IP addresses are allowed to connect to the ENOVIA Live Collaboration Server. The RMI gateway can be configured to allow only trusted hosts to connect. A file contains a list of the host IP addresses that are either accepted or denied.

The Java classes that implement the security wrapper are built into the eMatrixServletRMI.jar file, which is part of the ENOVIA Live Collaboration installation.

To enable the security wrapper, follow these steps:

  1. Create a trusted host list file. The host list file contains a list of the host IP addresses that are either trusted or denied by the RMI gateway. A typical approach is to define a list of trusted host addresses and deny access to all others.

    The host file name and location are user-created, but it is recommended you create the file in the SERVER_INSTALL\java\properties\ directory. You can create the file using any ASCII text editor.

    Note: The following rules apply:

    1. The list contains either trusted or denied host IP addresses, but not both. A list of trusted hosts will deny access to any host not listed. A list of denied hosts will allow access to any host not in the denied list.
    2. Each entry must be on its own line, followed by a line break.
    3. The # character can be used to indicate a comment.
    4. The * character can be used to indicate all trusted hosts, but cannot be used to indicate denied hosts.
    5. For a list of denied IP addresses, the word deny must be in lowercase.
    6. Only numerical IP addresses are accepted.

    For example, a file containing trusted machines named 10.1.5.60, 10.1.5.61, and 10.1.5.62 would look like this:

    # Trusted hosts
    10.1.5.60
    10.1.5.61
    10.1.5.62

    Conversely, to deny access from hosts, the file would contain the keyword deny and then list the denied IP addresses. Below is an example where the hosts 10.1.5.60 and 10.1.5.61 are denied:

    # Deny hosts
    deny
    10.1.5.60
    10.1.5.61

    In the example above, any host except 10.1.5.60 and 10.1.5.61 would be granted access.

    Note: Whenever you make a change to the host list file, you must restart the ENOVIA Live Collaboration Server.

  2. Specify the path to the host list file by adding the system property com.matrixone.rmi.hostList, whose value is the full path to the host list file.

    UNIX/Linux:

    Set this property in JAVA_OPTIONS in the rmireg.sh file. For example:

    JAVA_OPTIONS="-C-Xss256k -C-Xms256m -C-Xmx256m -C-Dcom.matrixone.rmi.hostList=/usr/rmi/java/properties/hosts.txt"

    Be sure to change the JAVA_OPTIONS for the appropriate operating system in the rmireg.sh file.

    Windows:

    The command would look something like:

    rmiservice -config "eMatrix RMI Server" -JAVAOPTIONS "-C-Dcom.matrixone.rmi.hostList=c:/rmi/java/properties/hosts.txt -C-Dfile.encoding=UTF8"

  3. Verify the configuration by inverting the list of trusted hosts to be a list of denied hosts as follows:

    1. Add the keyword deny in the host list file.
    2. Restart the ENOVIA Live Collaboration Server.
    3. Start ENOVIA Matrix Navigator or the ENOVIA product you use to access the database, and log into the system.

      You should be denied access.

      You can also check that any ENOVIA Studio Customization Toolkit clients are not able to connect.

    4. Open the web server log file and search for a RemoteException.

      The RemoteException will describe the denied access, for example:

      Mon Jan 10 20:08:25 EST 2011:<I> <ServletContext-General> servlet/login: init
      java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
      java.rmi.RemoteException: Host 10.1.5.39 is not authorized to connect to the server
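The rules for the host list file in step 1 are easy to get wrong (a stray hostname, an uppercase Deny, a * in a deny list), and the only feedback the server gives is a RemoteException after a restart. The following script is an added example, not part of the ENOVIA Live Collaboration product or its documentation: it parses a host list file according to the six documented rules and reports, for a set of client addresses, whether the gateway would authorize them, so a file can be checked before the server is restarted. The two sample files are constructed from the examples above. It assumes (the documentation does not say) that the deny keyword must precede the first address and that comment lines start with #; how eMatrixServletRMI.jar itself treats malformed input is not described on this page.

```python
import ipaddress
import sys

# Constructed sample files mirroring the two examples in the documentation.
TRUSTED_LIST = """# Trusted hosts
10.1.5.60
10.1.5.61
10.1.5.62
"""

DENY_LIST = """# Deny hosts
deny
10.1.5.60
10.1.5.61
"""


class HostListError(ValueError):
    """The host list file breaks one of the documented rules."""


def parse_host_list(text):
    """Parse host list file contents into (mode, hosts).

    mode is "trust" (default) or "deny" (the file contains the lowercase
    keyword 'deny'); hosts is a set of IPv4 address strings, or {"*"} for
    "all hosts trusted".  Rules enforced: one entry per line, '#' starts a
    comment line, 'deny' must be lowercase, '*' is only valid in a trusted
    list, only numeric IP addresses are accepted.
    Assumption (not stated by the documentation): 'deny' must appear
    before the first address.
    """
    mode = "trust"
    hosts = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line == "deny":
            if hosts:
                raise HostListError(f"line {lineno}: 'deny' must precede the addresses")
            mode = "deny"
            continue
        if line.lower() == "deny":
            raise HostListError(f"line {lineno}: the deny keyword must be lowercase")
        if line == "*":
            if mode == "deny":
                raise HostListError(f"line {lineno}: '*' cannot be used in a deny list")
            hosts.add("*")
            continue
        try:
            ipaddress.IPv4Address(line)  # hostnames and CIDR ranges are rejected
        except ipaddress.AddressValueError:
            raise HostListError(f"line {lineno}: {line!r} is not a numeric IP address") from None
        hosts.add(line)
    return mode, hosts


def is_valid_host_list(text):
    """True if the contents satisfy the documented rules, False otherwise."""
    try:
        parse_host_list(text)
    except HostListError:
        return False
    return True


def is_authorized(client_ip, mode, hosts):
    """Decide what the gateway will do with one client address under this list."""
    if mode == "trust":
        return "*" in hosts or client_ip in hosts
    return client_ip not in hosts


def check_file(path, client_ips):
    """Validate a host list file on disk and report the decision per client."""
    with open(path, encoding="ascii") as fh:
        mode, hosts = parse_host_list(fh.read())
    return {ip: is_authorized(ip, mode, hosts) for ip in client_ips}


if __name__ == "__main__":
    # Usage: python hostlist_check.py /path/to/hosts.txt 10.1.5.60 10.1.5.39
    for ip, ok in check_file(sys.argv[1], sys.argv[2:]).items():
        print(f"{ip}: {'authorized' if ok else 'denied'}")
```

Run it against the file named in com.matrixone.rmi.hostList with the addresses of the clients you expect to connect; any address reported as denied, or a HostListError, is something to fix before the restart in step 3. Entries are matched as exact address strings, which is consistent with rule 6 (numeric addresses only, no ranges or hostnames).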