We're Hiring!

CLI import - without port 4063 open

Having a problem deploying OMERO? Please ask new questions at https://forum.image.sc/tags/omero
Please note:
Historical discussions about OMERO. Please look for and ask new questions at https://forum.image.sc/tags/omero

The OMERO.server installation documentation begins here and you can find OMERO.web deployment documentation here.

CLI import - without port 4063 open

Postby dsudar » Fri Mar 24, 2017 10:40 pm

Hi guys,

I'm trying to import some images using the CLI to a remote server (VM on Amazon AWS). Due to the University's security requirements only port 4064 is open and 4063 is blocked.

The steps in my little script are very simple:
Code: Select all
omero login -s <remote_host> -u <remote_user> --sudo <remote_su> -w <su_password>
omero import <file_name>
omero logout

The original login connection is made over 4064:
Code: Select all
Created session 2a7e6b03-506c-4576-89cc-c3c9092174d8 (xxxxxx@xx.xx.xx.xx:4064). Idle timeout: 10 min. Current group: Public

But then the import falls back to a non-SSL connection which fails because it's blocked:
Code: Select all
2017-03-24 15:03:58,456 17452      [      main] INFO      ome.formats.importer.ImportCandidates - 1 file(s) parsed into 1 group(s) with 1 call(s) to setId in 16690ms. (16694ms total) [0 unknowns]
2017-03-24 15:03:59,623 18619      [      main] INFO       ome.formats.OMEROMetadataStoreClient - Attempting initial SSL connection to 10.85.254.151:4064
2017-03-24 15:04:00,420 19416      [      main] INFO       ome.formats.OMEROMetadataStoreClient - Insecure connection requested, falling back
-! 3/24/17 15:04:05:576 warning: main: null - createSession retry: 1
-! 3/24/17 15:04:10:578 warning: main: null - createSession retry: 2
2017-03-24 15:04:15,585 34581      [      main] ERROR  formats.importer.cli.CommandLineImporter - Error during import process.
omero.ClientError: Obtained null object proxy
......


Is there a way to force the import process to stay in SSL mode?

Thanks,
- Damir
dsudar
 
Posts: 235
Joined: Mon May 14, 2012 8:43 pm
Location: Berkeley, CA, USA

Re: CLI import - without port 4063 open

Postby wmoore » Mon Mar 27, 2017 10:12 am

Hi Damir,

This is probably best answered by Josh or Ola (both in IDR meeting just now) but I've been looking through code and found this from Ola, which appears to address an issue similar to yours (see last comment, which seems to be specifying port 4064 for 'insecure' connection).

https://gist.github.com/aleksandra-tark ... b91b44e885

Also see https://trello.com/c/cJCScHOl/125-begin ... references where this gist is discussed,
and https://trello.com/c/sc79fkLw/158-drop-lock-icon-in-web.

However, I don't see any option for specifying whether the CLI switches to using an insecure connection after login.
I'll add this discussion to the cards above, and see if Josh or Ola has anything to add to this answer.

Regards,

Will.
User avatar
wmoore
Team Member
 
Posts: 674
Joined: Mon May 18, 2009 12:46 pm

Re: CLI import - without port 4063 open

Postby Dominik » Wed Mar 29, 2017 8:13 am

Can confirm, setting the
Code: Select all
./omero config set omero.router.insecure "OMERO.Glacier2/router:ssl -p 4064 -h [HOSTNAME]"
property is a possible workaround; just tested that with a VM.

Regards,
Dominik
User avatar
Dominik
Team Member
 
Posts: 149
Joined: Mon Feb 10, 2014 11:26 am

Re: CLI import - without port 4063 open

Postby dsudar » Wed Mar 29, 2017 8:32 pm

Hi Dominik,
Thanks for the follow-up. I'll give that a try. Do I understand correctly that this work-around simply re-directs the non-secure traffic through the 4064 port?
Cheers,
- Damir
dsudar
 
Posts: 235
Joined: Mon May 14, 2012 8:43 pm
Location: Berkeley, CA, USA

Re: CLI import - without port 4063 open

Postby jmoore » Wed Mar 29, 2017 10:29 pm

Hi Damir,

Yes. Logins to OMERO are always over SSL. After that, a client(-application) can choose to drop SSL. If a server does not support non-SSL connections, it can tell the client by returning a secure "omero.router.insecure" value.

All the best,
~Josh
User avatar
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: CLI import - without port 4063 open

Postby dsudar » Thu Mar 30, 2017 4:21 pm

Thanks Josh. That should satisfy our computer security folks.I believe they were mostly concerned about unencrypted passwords flying around. I'll now try to convince them that having port 4063 open poses no such danger.
Cheers,
- Damir
dsudar
 
Posts: 235
Joined: Mon May 14, 2012 8:43 pm
Location: Berkeley, CA, USA

Re: CLI import - without port 4063 open

Postby moisbo » Mon Sep 04, 2017 3:52 am

Hi All,

I was wondering if this works in 5.3.3 ? Have been trying to set this up so all of unsecure connections redirect to 4064.
Since HOSTNAME for me is not localhost I set up my client's IP address
Code: Select all
#> OMERO.server/bin/omero config set omero.router.insecure "OMERO.Glacier2/router:ssl -p 4064 -h HOSTNAME"


Thanks!
Moises
moisbo
 
Posts: 8
Joined: Thu Aug 03, 2017 7:18 am
Location: Australia

Re: CLI import - without port 4063 open

Postby jmoore » Mon Sep 04, 2017 9:17 am

moisbo wrote:Hi All,


Hi Moises,

I was wondering if this works in 5.3.3 ?


As far as we know.

Since HOSTNAME for me is not localhost I set up my client's IP address
Code: Select all
#> OMERO.server/bin/omero config set omero.router.insecure "OMERO.Glacier2/router:ssl -p 4064 -h HOSTNAME"



Do you me the IP address of your server? The default value for omero.router.insecure is:

Code: Select all
    OMERO.Glacier2/router:tcp -p @omero.ports.prefix@@omero.ports.tcp@ -h @omero.host@


so I'd suspect:

Code: Select all
    OMERO.Glacier2/router:ssl -p 4064 -h @omero.host@


would work for you. Alternatively, you can replace `@omero.host@` with the hostname that you use with `bin/omero login`

Thanks!
Moises


Cheers,
~Josh
User avatar
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Re: CLI import - without port 4063 open

Postby moisbo » Tue Sep 05, 2017 2:28 am

Hi Josh,

Thanks for your reply. Yes, that worked. I was not understanding where this setting was supposed to go. Since my configuration is split by 2 servers 1 omero.server and 1 omero.web. So I config omero.router.insecure on the web and worked.

Is there a way to config (somehow) omero.router.insecure on the server? So that all communications even if insecure ones go to that same port?

Cheers,
Moises
moisbo
 
Posts: 8
Joined: Thu Aug 03, 2017 7:18 am
Location: Australia

Re: CLI import - without port 4063 open

Postby jmoore » Tue Sep 05, 2017 5:51 am

Hi Moises,

Thanks for your reply. Yes, that worked. I was not understanding where this setting was supposed to go. Since my configuration is split by 2 servers 1 omero.server and 1 omero.web. So I config omero.router.insecure on the web and worked.


I find that surprising. The omero.router.insecure property should only affect processes started by `bin/omero admin start`, i.e. the server.

Is there a way to config (somehow) omero.router.insecure on the server? So that all communications even if insecure ones go to that same port?


That's exactly how I'd expect it to work:

Code: Select all
cd OMERO.server
bin/omero config set omero.router.insecure "OMERO.Glacier2/router:ssl -p 4064 -h @omero.host@"
bin/omero admin restart


And with no changes to OMERO.web or other clients, you should be using SSL everywhere.
~Josh
User avatar
jmoore
Site Admin
 
Posts: 1591
Joined: Fri May 22, 2009 1:29 pm
Location: Germany

Next

Return to Installation and Deployment

Who is online

Users browsing this forum: No registered users and 1 guest