KB Article #101850

Troubleshooting Secure Redirect from MMS 5.5 to IME 5.05

This article was previously published as ID#29114


Summary:
After upgrading MMS 5.0 to MMS 5.5, Secure Redirect fails.

Symptom:
In the MMS Event Log, there will be a Secure Redirect error message.

ID : 7238
IDL:omg.org/CORBA/NO_RESOURCES:1.0
The connection to the IME Naming Service failed for Server
o Name : 'imebackend.company.com'
o IP Address : '10.1.2.3'
o Port Number : '2500'
o Corba IP Filter : '*'

Detailed Information:
Previously, in MMS 5.0, the Secure Redirect components communicated with IME through the Remote API, which is a CORBA call tunneled over HTTPS. In MMS 5.5, this communication changed to a native CORBA call that no longer goes to the Remote Gateway (iPlanet or IIS web server) but directly to the IME Backend.

This change may affect firewall rules and routing. Many installations of Secure Redirect have MMS and the IME Remote Gateway in the same network, but after the upgrade to MMS 5.5, a few firewall ports must be opened in order for Secure Redirect to access the IME Backend server.

Resolution:
Open firewall ports from MMS to IME Backend server: The default ports used by MMS Secure Redirect to IME are listed in the document "Tumbleweed Secure Redirect 5.5 Administrator's Guide" (Redirect55Admin.pdf) in section 2.4.1.

Confirm the IME Server's "hosts.allow" file allows communication from MMS.

Confirm that the MMS Setup -> Redirect section points to the IME Backend server, not the web server (if the IME Server is distributed), and that the "IME Server Name" configuration matches this configuration.

Additional Info:
In the examples below, "imebackend" is the machine running the IME Naming Service.

Testing routing access through firewall
---------------------------------------

1. Use "telnet imebackend.company.com 2500" to see if you can get a connection to the IME Naming Service.

If a firewall is blocking the response and/or the IME Naming Service is not up, you will get a response like:

Connecting To imebackend.company.com...Could not open a connection to host on port 2500 : Connect failed

If the firewall is configured properly and the IME Naming Service is up, your telnet window will clear and give a response similar to the text below. On Solaris IME Servers, it may be necessary to hit the return key 4 or 5 times.

GIOP{smiley face}{spade symbol}

Connection to host lost.

You should repeat this test on the ports that IME uses for ime-control (2506 by default) and ime-session (2513 by default). Please verify these ports by looking at the /etc/services (or WINNT\System32\drivers\etc\services on Windows 2000) file on the IME Server.

NOTE: This test does not confirm that a CORBA connection is allowed. It only verifies network connectivity.
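
The telnet check above can be scripted. The following Python code is an added example, not part of the original article or of any Tumbleweed tool: it connects to a port, sends a few returns as in the manual test, and decodes the 12-byte GIOP message header of the reply. The host name and default ports are the ones used in this article, the function names are hypothetical, and the sample reply bytes are constructed (GIOP 1.0, MessageError), which is consistent with the characters telnet displays after "GIOP".

```python
import socket
import struct

GIOP_TYPES = ["Request", "Reply", "CancelRequest", "LocateRequest",
              "LocateReply", "CloseConnection", "MessageError", "Fragment"]

def parse_giop_header(data):
    """Decode a 12-byte GIOP message header; return None if data is not GIOP."""
    if len(data) < 12 or data[:4] != b"GIOP":
        return None
    major, minor, flags, msg_type = data[4:8]
    order = "<" if flags & 1 else ">"  # low bit set means little-endian size
    (size,) = struct.unpack(order + "I", data[8:12])
    name = GIOP_TYPES[msg_type] if msg_type < len(GIOP_TYPES) else f"type {msg_type}"
    return {"version": f"{major}.{minor}", "type": name, "size": size}

def probe(host, port, timeout=5.0):
    """Scripted form of the telnet test for one port; returns a status string."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"{port}: connect failed ({exc})"
    with sock:
        try:
            sock.sendall(b"\r\n" * 5)  # same as pressing return a few times
            data = sock.recv(64)
        except OSError:
            data = b""
    header = parse_giop_header(data)
    if header is None:
        return f"{port}: connected, but no GIOP reply was received"
    return f"{port}: GIOP {header['version']} {header['type']} reply received"

# Constructed sample: GIOP 1.0, big-endian, MessageError, empty body.
SAMPLE_REPLY = b"GIOP\x01\x00\x00\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print(parse_giop_header(SAMPLE_REPLY))
    # Host and default ports as given in this article; adjust to your site.
    for port in (2500, 2506, 2513):
        print(probe("imebackend.company.com", port))
```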

Verify your IME Server allows the MMS Server as an allowable client
-------------------------------------------------------------------

The IME Server uses an IP address filter to control CORBA communication access through a text file, "hosts.allow" found in the IME Server's "config" directory. Confirm that the "hosts.allow" file contains the IP address of the MMS 5.5 server.

Example:

If your MMS 5.5 server's IP is 10.5.6.5, then add it to the "hosts.allow" file:

ALL: [IP of IME Server1]
ALL: [IP of IME Server2]
ALL: 10.5.6.5

Verify the MMS Server is able to find the IME Components through the IME Naming Service
---------------------------------------------------------------------------------------

Use the "nameclt.exe" (Name Client) tool that comes with MMS 5.5 found in the MMS install directory. The syntax is:

nameclt -ORBbootstrapAgentHostname "imebackend.company.com" -ORBbootstrapAgentPort "2500" -ORBclientTransportRule "[IP Address of IME Backend machine] tcp" list

(Replace "imebackend.company.com" with the resolvable FQDN of the server running the IME Naming Service.)

This command should return the value:

TumbleweedCommunications.Domain/

If you do not get a response, then the IME Naming Service is somehow blocking your request. Verify that your "hosts.allow" file is correct. Also, a NAT (Network Address Translation) at the firewall may be masking the real IP address of the MMS Server. You may be required to add the NAT'ed address to this file instead.

To work-around this, you may use "ALL: ALL" to allow all IP addresses to connect. The "hosts.allow" file allows comments by prefixing each line with the "#" symbol. Going back to our previous example:

#ALL: [IP of IME Server1]
#ALL: [IP of IME Server2]
#ALL: 10.5.6.5
ALL: ALL

NOTE: This is a potential security hole and should be revisited once the NAT'ed address can be found.
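
To make sure the wildcard does not stay in place, the file can be audited after each change. The following Python code is an added example, not part of the original article or of IME: it reads "hosts.allow" text, reports any "ALL: ALL" entry, and checks that each required client address has its own entry. It assumes only the "ALL: <IP address>" form and "#" comments shown above; the function name is hypothetical and the sample file content is constructed.

```python
import ipaddress

def audit_hosts_allow(text, required_clients):
    """Return (allowed, findings) for hosts.allow text in the 'ALL: <IP>' form."""
    allowed, findings = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry
        keyword, sep, client = (part.strip() for part in line.partition(":"))
        if keyword != "ALL" or not sep or not client:
            # Other syntax is reported, not interpreted (assumption of this example).
            findings.append(f"line {lineno}: unrecognised entry {line!r}")
        elif client == "ALL":
            findings.append(f"line {lineno}: 'ALL: ALL' admits every address")
        else:
            try:
                allowed.add(str(ipaddress.ip_address(client)))
            except ValueError:
                findings.append(f"line {lineno}: {client!r} is not an IP address")
    for ip in required_clients:
        if str(ipaddress.ip_address(ip)) not in allowed:
            findings.append(f"{ip}: no explicit entry for this client")
    return allowed, findings

# Constructed sample: the work-around state, with the MMS entry still commented out.
SAMPLE = """\
ALL: 10.1.2.3
#ALL: 10.5.6.5
ALL: ALL
"""

if __name__ == "__main__":
    allowed, findings = audit_hosts_allow(SAMPLE, ["10.5.6.5"])
    print(sorted(allowed))
    print("\n".join(findings))
```

Once the NAT'ed address is known, pass it as the required client; the findings list is empty only when the wildcard is gone and that address is listed.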

Traverse the Naming Service Tree
--------------------------------

If you did get a valid response, then use the "nameclt.exe" application to traverse down the tree.

To traverse down the IME Naming Service tree, start adding the return values to the end of the command. For example, the next command to try is:

nameclt -ORBbootstrapAgentHostname "imebackend.company.com" -ORBbootstrapAgentPort "2500" -ORBclientTransportRule "[IP Address of IME Backend machine] tcp" list TumbleweedCommunications.Domain

which should return:

TumbleweedServer5.Domain/

Continue to add the return values, separated by a forward slash, but WITHOUT the trailing forward slash, like:

nameclt -ORBbootstrapAgentHostname "imebackend.company.com" -ORBbootstrapAgentPort "2500" -ORBclientTransportRule "[IP Address of IME Backend machine] tcp" list TumbleweedCommunications.Domain/TumbleweedServer5.Domain

The next value should match the IME Backend server's fully-qualified domain name. In some cases, this value is incorrectly truncated to only show the machine name (without the domain). If the domain is missing, IME must be modified so that it is present (steps listed below).

imebackend\.company\.com.Server/

This string MUST be consistent on the MMS Server's Redirect Setup page AND the IME Server's configuration [Naming Service] "IME Server Name".

Note that there is a bug in the MMS Redirect Setup page: it does not correctly update all necessary values in the SQL 2000 Database when this value is modified. Please refer to the separate article on a work-around: "Redirect fails after pointing to a different IME Server or after upgrade to MMS 5.5".

If the IME Server's "IME Server Name" configuration does not match (i.e. is truncated), then we need to recreate the Naming Service tree with the correct node value:

1. Stop IME completely, including the IME Booter and IME Naming Service (omniNames on Solaris).
2. Modify the configuration to the fully-qualified domain name.
3. Reset the naming service. On Solaris, use the reset-naming-service script in the IME Server's "scripts" directory. On Windows 2000, run the "Update Admin" utility (on IME 5.5 for Windows 2000, run the "Configure IME Server" utility) in the Start Menu and select "Reset Naming Service".
4. Start IME.
5. On MMS, restart the MMS Secure Redirect service. This forces MMS Secure Redirect to flush its cache of IME sessions that would have expired on IME's restart.


Original Author: JCHOI
Original Submitter: ACUNY
Keywords: redirect CORBA IDL:omg.org/CORBA/NO_RESOURCES:1.0 The connection to the IME Naming Service failed for Server; redirect MMS ID#29114