IDE wont connect to linux host
An unexpected exception occurred during the login process.
The exception shown below was caught.
Unable to establish a connection to the host server: 10.129.176.32; nested exception is:
com.hie.cloverleaf.securityserver.NoCloverleafSrvException: Unable to contact Server on server: 10.129.176.32; nested exception is:
java.rmi.ConnectIOException: Cannot connect to host: //10.129.176.32:13015/
Is this address in your /etc/hosts file? It may be how you have your name resolution configured.
Also, verify the Cloverleaf host-server is running on the server to which you are trying to connect.
Type…
>hciss
Host Server is running
>
…from the command prompt on the server.
I double checked. 10.129.176.32 is in the /etc/hosts file on the remote server and hciss shows that the host server is running but that the security server is not running. Did try to start the security server with hciss -s s, it indicates that it starts but a follow-up hciss shows that it's not running.
This is a new site installed by the vendor that I’m trying to connect to on the remote server. Any ideas on something they may have overlooked?
Checked /etc/services and noticed there was no entry for port 13015. Could this be the problem? What should the entry look like?
Can you PING and TELNET to the server from your client?
If not, it's definitely not a Cloverleaf related issue.
Also, verify that your site license certificates exist in $HCIROOT/server/certs. There should be a key, cert, info and req file for your organization in this directory. The name or acronym of your organization is usually part of the file names. These must exist before you can connect to the server with the JAVA GUI Client. However, I’m not sure your error indicates a problem with the Security or License certificates.
If none of this works, my suggestion is to contact QDX support for further assistance.
We don’t have our Port defined in /etc/services either.
I can ping but not telnet to the Linux host server, but can connect with the Putty tool using SSH.
Below are the contents of my laptop client.ini file and various server .ini files and directories.
#### xp laptop client.ini
$type client.ini
[general]
doc_base_dir=C:\quovadx\qdx5.6\integrator
debug=false
[logs]
### certs directory on Linux host is empty.
$cd /quovadx/qdx5.6/integrator/client/certs
$ls -la
$
### contents of client.ini on Linux host server
$cd /quovadx/qdx5.6/integrator/client
$ cat client.ini
[general]
doc_base_dir=/quovadx/qdx5.6/integrator
debug=false
[logs]
### contents of linux host server.ini file
$cd /quovadx/qdx5.6/integrator/server
$ cat server.ini
[general]
[exports]
environs=/quovadx/qdx5.6/integrator/mgh00sv0p0lwe
[logging]
cloverleaf_server_category=info
cloverleaf_server_level=brief
host_server_category=info
host_server_level=brief
ticket_server_category=info
ticket_server_level=brief
log_rmi_calls=false
debug_ssl=false
[security]
audit_server_used=false
ticket_life=16
customer_ca_file_name=CUSTOMER_NAME-cert.der
customer_ca_key_name=enc-CUSTOMER_NAME-key.der
host_cert_chain=HOSTNAME-clserver-cert.der;CUSTOMER_NAME-cert.der;hie-cert.der
host_private_key=enc-HOSTNAME-clserver-key.der
password=PASSWORD
security_server_host=FULLLY.QUALIFIED.HOSTNAME
security_server_used=false
security_anonymous=false
basic_security_enabled=false
[audit]
auto_trim=true
auto_trim_count=16000
[ihb]
ihb_sync_url=http://localhost:20210/IB/servlet/runHXML?action=IBgetNetConfig.xsp
ihb_soap_port=20217
ihb_email_port=20218
### license file exists on Linux host server
$ pwd
/quovadx/qdx5.6/integrator/vers
$ ls
db license.dat
Would firewalls need to be adjusted to allow traffic on 13015?
Looks like you have Security disabled, so that shouldn’t be the problem.
If you are trying to connect to the Linux server from outside your network, you might need a firewall hole. However, if you are using VPN, then I don’t think a firewall change should be necessary.
I’ve pretty much exhausted my knowledge on what could be wrong. I suggest contacting QDX support. Jimmy has helped us with Certificate and Security issues in the past.
Good luck
Enabling port 13015 on the firewall fixed earlier problem. Now I’m getting following error when trying to connect to the Linux host server from my laptop:
An unexpected exception occurred during the login process.
The exception shown below was caught.
Connection refused to host: 10.129.176.32; nested exception is:
java.net.ConnectException: Connection timed out: connect
If you only opened one “hole” or port in firewall, then that is probably the issue.
IDE uses two ports for communication. Here is a netstat listing for my IDE connection from my workstation. It is communicating on two ports. Also, not sure if it uses the same two ports each time you try to connect.
tcp4 0 0 uh2.org.46866 d79b1.org.4937 ESTABLISHED
tcp4 0 0 uh2.org.53062 d79b1.org.1143 ESTABLISHED
My workstation is d79b1 in this example.
For AIX, command is…. netstat | grep workstationID
Sorry about digging up an old thread.
But this is the only one with the similar error message.
Cloverleaf 5.8.7 on Solaris 10.
Getting this when using the client to access the server which is behind a firewall:
~~~~START ERROR~~~~
An unexpected exception occurred during the login process.
The exception shown below was caught.
Connection refused to host: sgclvpr0; nested exception is:
java.net.ConnectException: Connection timed out: connect
~~~~END ERROR~~~~
Have already included these lines in server.ini:
[firewall]
rmi_exported_server_port=sgclvpr0
Firewall rule has already been added to allow “all” to access the server on port 13019. And it is also allowing bi-directional traffic.
Host server and daemons and other processes are running.
Any ideas? Any other ports need to be opened?
Thanks!
This post has information about the port numbers used by the client:
https://usspvlclovertch2.infor.com/viewtopic.php?p=17485#17500
More info:
Machine IPs:
Server 1: sgclvpr1 (10.168.22.21)
Server 2: sgclvpr2 (10.168.22.22)
Server 3: sgclvpr3 (10.216.46.41) <—behind firewall
Service Hostname: sgclvpr0
Client works fine on Server 1 and 2, but not 3.
Tried the steps given:
hcitest@sgclvpr3:/home/hcitest>showroot
HCI root is /quovadx/cis5.8/integrator
HCI master site is helloworld
HCI site is hcitest
hcitest@sgclvpr3:/home/hcitest>hostname
sgclvpr3
hcitest@sgclvpr3:/home/hcitest>uname -a
SunOS sgclvpr3 5.10 Generic_148888-05 sun4v sparc sun4v
hcitest@sgclvpr3:/home/hcitest>ping -s sgclvpr0
PING sgclvpr0: 56 data bytes
64 bytes from sgclvpr0.shses.shs.com.sg (10.216.46.40): icmp_seq=0. time=0.213 ms
64 bytes from sgclvpr0.shses.shs.com.sg (10.216.46.40): icmp_seq=1. time=0.184 ms
64 bytes from sgclvpr0.shses.shs.com.sg (10.216.46.40): icmp_seq=2. time=0.151 ms
64 bytes from sgclvpr0.shses.shs.com.sg (10.216.46.40): icmp_seq=3. time=0.155 ms
^C
----sgclvpr0 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max/stddev = 0.151/0.176/0.213/0.029
hcitest@sgclvpr3:/home/hcitest>hcireglist 10.216.46.40 13019
Trying anonymous registry on host 10.216.46.40 at port 13019
Trying registry on host 10.216.46.40 at port 13019
Registry=RegistryImpl_Stub[UnicastRef [liveRef: [endpoint:[10.216.46.40:13019](remote),objID:[0:0:0, 0]]]]
RMI_CloverleafServer_1.0
RMI_CloverleafServer_1.0
RemoteCloverleafServer_Stub[UnicastRef [liveRef: [endpoint:[10.216.46.40:34502](remote),objID:[-66b0f17e:142e1efe086:-7fff, -6125884924126111243]]]]
Host “10.216.46.40” a.k.a:
10.216.46.40
sgclvpr0.shses.shs.com.sg
Other than port 13019, any other ports need to be opened?
Yes, you will need to be able to access every port in the local port range of your server. On Linux this is set in /etc/sysctl.conf under the net.ipv4.ip_local_port_range setting.
The Cloverleaf server starts accepting connections on port 13019, but then it tells the clients to open additional connections to ports that are assigned dynamically. They are assigned from the local port range.
Thanks David!!!!!
Now my firewall admin will faint…..(again)
Solved!
Support came back with these settings in the server.ini:
[firewall]
monitord_server_use=true
host_server_default_port=34510 (as an example)
rmi_exported_server_port=’clustered hostname’
The Cloverleaf server starts accepting connections on port 13019, but then it tells the clients to open additional connections to ports that are assigned dynamically. They are assigned from the local port range.
I’m not sure this is 100% accurate. I believe that the Cloverleaf hostserver itself actually establishes the connection back out to the client on a new, randomly assigned port. This is often a problem for firewalls that block connections initialized from the server-side instead of from the client-side.
I have actually asked R&D to look into doing it the way you stated, send the port number to the client, but have the client establish the connection on that port.
You can force the hostserver to use port 13019 (or the assigned port) by setting this line in the server.ini or by checking the “Host Server routes traffic” box in the Server Administrator tool.
[firewall]
monitord_server_use=true
Here is a complete set of firewall settings I’ve used successfully in the past. Your mileage may vary so be prepared to make tweaks.
[general]
jvm_args=-Xmx512m
-- Max Drown (Infor)
No. You don’t. This forces ALL traffic to one port, the port used by the hostserver.
-- Max Drown (Infor)
One and All,
We are running 5.8.6.0 on AIX 6.1 TL 7 virtualized.
Just a note on our experience with these settings.
We use Net Motion from our Windows 7 clients to establish secure VPN connections with our LAN.
In order for us to get back displayed test results in the IDE testing tool functions (hciroutetest, hcitpstest, etc.) when working remotely and connected by VPN tunnel, INFOR support supplied us the following setting:
[firewall]
tunnel_port=14019
Apparently this port is hard-wired into the software – deep secrets not revealed. Anyway this is working for us. We do get back our test results in the IDE.
The default port numbers change from version to version so that two versions of Cloverleaf running on the same server do not conflict.
-- Max Drown (Infor)
Here is some more info.
There are three ports used by the hostserver:
RMI Registry Port: Defaults to 13019 in 5.8 and 13020 in 6.0 and can be changed to any number in server.ini.
RMI Object Port: Random port. If host server runs behind firewall, the port should be explicitly specified in server.ini.
RMI Callback Port: Introduced in 5.8.5 to make the callback behavior work in firewall environment. If the port is not specified, host server will choose a random port and create a connection from server to the client when callback is executed. If the port is specified, the connection is established from client to server. Just as you said, the connection from server to client will be blocked by firewall always. Therefore, the RMI callback port should be also specified in server.ini in firewall environment.
The hcimonitord traffic is using random ports and cannot be forced to use a specified port or range. If a firewall exists, choose
-- Max Drown (Infor)
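Added example (not from any poster in this thread and not Infor's tooling): it parses the hcireglist output posted earlier to list the registry port and the RMI object port the server advertises, then classifies a TCP connect to each so that a timeout (packets dropped, as a firewall does) is told apart from a refusal (no listener). The function names and the state labels are this example's own; SAMPLE is the output from the thread.

```python
import re
import socket
import sys

# Sample input: the hcireglist output posted earlier in this thread.
SAMPLE = """\
Trying registry on host 10.216.46.40 at port 13019
Registry=RegistryImpl_Stub[UnicastRef [liveRef: [endpoint:[10.216.46.40:13019](remote),objID:[0:0:0, 0]]]]
RMI_CloverleafServer_1.0
RemoteCloverleafServer_Stub[UnicastRef [liveRef: [endpoint:[10.216.46.40:34502](remote),objID:[-66b0f17e:142e1efe086:-7fff, -6125884924126111243]]]]
"""

# Stub class name, then the host:port the stub tells clients to connect to.
STUB = re.compile(r"(\w+)_Stub\[.*?endpoint:\[([^\]:]+):(\d+)\]")

def parse_endpoints(text):
    """Return [(role, host, port)] for every RMI stub line in the output."""
    found = []
    for line in text.splitlines():
        m = STUB.search(line)
        if m:
            role = "registry" if m.group(1) == "RegistryImpl" else "object"
            found.append((role, m.group(2), int(m.group(3))))
    return found

def probe(host, port, timeout=3.0):
    """Try one TCP connect from this client and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered, nothing listening on the port
    except socket.timeout:
        return "filtered"     # no answer at all, typical of a firewall drop
    except OSError:
        return "unreachable"  # routing or name-resolution failure

def firewall_report(text, probe_fn=probe):
    """Map each advertised (role, port) to its reachability from here."""
    return {(role, port): probe_fn(host, port)
            for role, host, port in parse_endpoints(text)}

if __name__ == "__main__":
    # Pipe real hcireglist output in, or run bare to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (role, port), state in firewall_report(text).items():
        print(f"{role:8} port {port}: {state}")
```

Run it on the client side of the firewall: a registry port that is "open" next to an object port that is "filtered" matches the symptom in this thread, where the login reaches 13019 and then times out.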
Here are my notes in .pdf format.
-- Max Drown (Infor)