SSH Voodoo to Connect to a Sealed Off IBM Connections Instance
Martin Leyrer 2014 November 22 13:01:03
I had the pleasure to install an IBM Connections pilot for a customer together with Etienne Döhler a few weeks back.
One of the obstacles we faced during the install was a rather sealed-off Red Hat GNU/Linux box that had only port 22 (ssh) open to the PCs we were using for the install (fortunately with X11 installed and X11 forwarding allowed). As the customer wanted the IBM HTTP Server (IHS) to listen on 8080/8443 for the communication with the already existing Reverse Proxy (RP, managed by Lufthansa), they also opened that port, but only for connections with the RP.
One of the "best practices" I try to convey at Social Connections et al. is that you should always test your install without a Reverse Proxy, Load Balancer, ... and make sure everything works before you introduce the additional complexity of a Reverse Proxy or similar.
So how to connect to the IBM Solutions Console and the IHS when the only open port to that machine is SSH (22)? Well, SSH and its config file to the rescue!
SSH has a nifty feature called port forwarding. This allows you to forward local ports to a remote machine. Together with some creative hosts file editing, you can use your local browser to access the remote machine as if the necessary ports were open on the remote machine.
We needed the following URLs to work:
So the first thing to do was to modify the hosts file to point machinename.example.com to 127.0.0.1:
127.0.0.1 localhost machinename.example.com
And then create an entry in ~/.ssh/config with the local port forwarding and further settings to spare us some typing:
Host customername
    # Specify destination host by IP, as we have a hosts entry for the name
    HostName 10.42.42.42
    ForwardX11 yes
    LocalForward 9043 10.42.42.42:9043
    LocalForward 8080 10.42.42.42:8080
    LocalForward 8443 10.42.42.42:8443
So with a simple "ssh customername" I can now connect to the GNU/Linux machine with the key I created for that purpose and have X11 forwarding as well as local port forwarding activated. And as long as that ssh session is open, I can now access the ISC and the IHS in my local browser as if 9043, 8080 and 8443 were open network ports on the remote box.
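A LocalForward listener binds to loopback only while GatewayPorts is off and no wildcard bind address is given; otherwise the sealed-off ports become reachable from every machine on the installer's network. The following check is an added example, not part of the original post: it parses a single Host stanza and reports which forwards stay local. The sample stanza is constructed (Host, HostName and ForwardX11 are assumed from the prose, port 9060 is made up), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the post's three forwards plus one deliberately
# wide-open entry. Host/HostName/ForwardX11 are assumed; 9060 is made up.
SAMPLE_CONFIG = """\
Host customername
    HostName 10.42.42.42
    ForwardX11 yes
    LocalForward 9043 10.42.42.42:9043
    LocalForward 127.0.0.1:8080 10.42.42.42:8080
    LocalForward 8443 10.42.42.42:8443
    LocalForward *:9060 10.42.42.42:9060
"""

def parse_listen(spec):
    """Split '[bind_address:]port' into (bind_address or None, port)."""
    bind, sep, port = spec.rpartition(":")
    if not sep:
        return None, int(port)
    return bind.strip("[]"), int(port)

def is_loopback(bind, gateway_ports):
    """True if the listener is reachable from the local machine only."""
    if bind is None:              # no explicit address: GatewayPorts decides
        return not gateway_ports
    if bind in ("", "*"):         # empty or '*' means all interfaces
        return False
    if bind.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(bind).is_loopback
    except ValueError:            # a name we cannot judge offline
        return False

def audit_forwards(config_text):
    """Return (listen_spec, target, loopback_only) for each LocalForward."""
    gateway_ports, forwards = False, []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if len(parts) >= 2 and parts[0].lower() == "gatewayports":
            gateway_ports = parts[1].lower() == "yes"
        elif len(parts) == 3 and parts[0].lower() == "localforward":
            forwards.append((parts[1], parts[2]))
    return [(spec, dest, is_loopback(parse_listen(spec)[0], gateway_ports))
            for spec, dest in forwards]

if __name__ == "__main__":
    for spec, dest, ok in audit_forwards(SAMPLE_CONFIG):
        print(f"{spec:>16} -> {dest:<20} {'loopback only' if ok else 'EXPOSED'}")
```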
And it was a good thing that we were able to test directly with the IHS and verify that everything was working as expected, as the RP had disabled SSLv3, which broke the IBM Connections Widgets at that time. But that is a story for another blog entry.
For more SSH voodoo, see my "Was, SSH kann auch das?" talk at the Grazer Linuxwochen 2013 (in German).