CLI import - without port 4063 open

Posted: Fri Mar 24, 2017 10:40 pm
by dsudar
Hi guys,

I'm trying to import some images using the CLI to a remote server (VM on Amazon AWS). Due to the University's security requirements only port 4064 is open and 4063 is blocked.

The steps in my little script are very simple:
Code:
omero login -s <remote_host> -u <remote_user> --sudo <remote_su> -w <su_password>
omero import <file_name>
omero logout

The original login connection is made over 4064:
Code:
Created session 2a7e6b03-506c-4576-89cc-c3c9092174d8 (xxxxxx@xx.xx.xx.xx:4064). Idle timeout: 10 min. Current group: Public

But then the import falls back to a non-SSL connection which fails because it's blocked:
Code:
2017-03-24 15:03:58,456 17452      [      main] INFO      ome.formats.importer.ImportCandidates - 1 file(s) parsed into 1 group(s) with 1 call(s) to setId in 16690ms. (16694ms total) [0 unknowns]
2017-03-24 15:03:59,623 18619      [      main] INFO       ome.formats.OMEROMetadataStoreClient - Attempting initial SSL connection to 10.85.254.151:4064
2017-03-24 15:04:00,420 19416      [      main] INFO       ome.formats.OMEROMetadataStoreClient - Insecure connection requested, falling back
-! 3/24/17 15:04:05:576 warning: main: null - createSession retry: 1
-! 3/24/17 15:04:10:578 warning: main: null - createSession retry: 2
2017-03-24 15:04:15,585 34581      [      main] ERROR  formats.importer.cli.CommandLineImporter - Error during import process.
omero.ClientError: Obtained null object proxy
......


Is there a way to force the import process to stay in SSL mode?

Thanks,
- Damir

Re: CLI import - without port 4063 open

Posted: Mon Mar 27, 2017 10:12 am
by wmoore
Hi Damir,

This is probably best answered by Josh or Ola (both in IDR meeting just now) but I've been looking through code and found this from Ola, which appears to address an issue similar to yours (see last comment, which seems to be specifying port 4064 for 'insecure' connection).

https://gist.github.com/aleksandra-tark ... b91b44e885

Also see https://trello.com/c/cJCScHOl/125-begin ... references where this gist is discussed,
and https://trello.com/c/sc79fkLw/158-drop-lock-icon-in-web.

However, I don't see any option for specifying whether the CLI switches to using an insecure connection after login.
I'll add this discussion to the cards above, and see if Josh or Ola has anything to add to this answer.

Regards,

Will.

Re: CLI import - without port 4063 open

Posted: Wed Mar 29, 2017 8:13 am
by Dominik
Can confirm, setting the
Code:
./omero config set omero.router.insecure "OMERO.Glacier2/router:ssl -p 4064 -h [HOSTNAME]"
property is a possible workaround; just tested that with a VM.

Regards,
Dominik

Re: CLI import - without port 4063 open

Posted: Wed Mar 29, 2017 8:32 pm
by dsudar
Hi Dominik,
Thanks for the follow-up. I'll give that a try. Do I understand correctly that this work-around simply re-directs the non-secure traffic through the 4064 port?
Cheers,
- Damir

Re: CLI import - without port 4063 open

Posted: Wed Mar 29, 2017 10:29 pm
by jmoore
Hi Damir,

Yes. Logins to OMERO are always over SSL. After that, a client(-application) can choose to drop SSL. If a server does not support non-SSL connections, it can tell the client by returning a secure "omero.router.insecure" value.

All the best,
~Josh

Re: CLI import - without port 4063 open

Posted: Thu Mar 30, 2017 4:21 pm
by dsudar
Thanks Josh. That should satisfy our computer security folks. I believe they were mostly concerned about unencrypted passwords flying around. I'll now try to convince them that having port 4063 open poses no such danger.
Cheers,
- Damir

Re: CLI import - without port 4063 open

Posted: Mon Sep 04, 2017 3:52 am
by moisbo
Hi All,

I was wondering if this works in 5.3.3? I have been trying to set this up so that all of the unsecure connections redirect to 4064.
Since HOSTNAME for me is not localhost I set up my client's IP address
Code:
#> OMERO.server/bin/omero config set omero.router.insecure "OMERO.Glacier2/router:ssl -p 4064 -h HOSTNAME"


Thanks!
Moises

Re: CLI import - without port 4063 open

Posted: Mon Sep 04, 2017 9:17 am
by jmoore
moisbo wrote:
Hi All,

Hi Moises,

moisbo wrote:
I was wondering if this works in 5.3.3?

As far as we know.

moisbo wrote:
Since HOSTNAME for me is not localhost I set up my client's IP address
Code:
#> OMERO.server/bin/omero config set omero.router.insecure "OMERO.Glacier2/router:ssl -p 4064 -h HOSTNAME"

Do you mean the IP address of your server? The default value for omero.router.insecure is:

Code:
    OMERO.Glacier2/router:tcp -p @omero.ports.prefix@@omero.ports.tcp@ -h @omero.host@

so I'd suspect:

Code:
    OMERO.Glacier2/router:ssl -p 4064 -h @omero.host@

would work for you. Alternatively, you can replace `@omero.host@` with the hostname that you use with `bin/omero login`.

moisbo wrote:
Thanks!
Moises

Cheers,
~Josh

Re: CLI import - without port 4063 open

Posted: Tue Sep 05, 2017 2:28 am
by moisbo
Hi Josh,

Thanks for your reply. Yes, that worked. I was not understanding where this setting was supposed to go, since my configuration is split across 2 servers: 1 omero.server and 1 omero.web. So I configured omero.router.insecure on the web and it worked.

Is there a way to configure (somehow) omero.router.insecure on the server, so that all communications, even the insecure ones, go to that same port?

Cheers,
Moises

Re: CLI import - without port 4063 open

Posted: Tue Sep 05, 2017 5:51 am
by jmoore
Hi Moises,

moisbo wrote:
Thanks for your reply. Yes, that worked. I was not understanding where this setting was supposed to go, since my configuration is split across 2 servers: 1 omero.server and 1 omero.web. So I configured omero.router.insecure on the web and it worked.

I find that surprising. The omero.router.insecure property should only affect processes started by `bin/omero admin start`, i.e. the server.

moisbo wrote:
Is there a way to configure (somehow) omero.router.insecure on the server, so that all communications, even the insecure ones, go to that same port?

That's exactly how I'd expect it to work:

Code:
cd OMERO.server
bin/omero config set omero.router.insecure "OMERO.Glacier2/router:ssl -p 4064 -h @omero.host@"
bin/omero admin restart


And with no changes to OMERO.web or other clients, you should be using SSL everywhere.
~Josh
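
Added example (not part of the thread and not OMERO code): a small Python check that parses an omero.router.insecure value of the form quoted above and reports endpoints that are cleartext or that use a port the firewall does not pass. The placeholder values (host omero.example.org, 4063 for @omero.ports.tcp@, empty prefix) and the set of open ports are assumptions chosen to match the situation in the first post.

```python
import re
import shlex

ENCRYPTED = {"ssl", "wss"}  # Ice transports that run over TLS; tcp, udp, ws do not

# Values quoted in the thread.
DEFAULT = "OMERO.Glacier2/router:tcp -p @omero.ports.prefix@@omero.ports.tcp@ -h @omero.host@"
WORKAROUND = "OMERO.Glacier2/router:ssl -p 4064 -h @omero.host@"
# Constructed for this example (assumptions, not taken from a real server).
PROPS = {"omero.ports.prefix": "", "omero.ports.tcp": "4063", "omero.host": "omero.example.org"}
OPEN_PORTS = {4064}

def expand(value, props):
    """Fill in @name@ placeholders such as @omero.host@."""
    return re.sub(r"@([\w.]+)@", lambda m: props[m.group(1)], value)

def _opt(tokens, flag):
    """Return the argument that follows flag, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def parse_router(value):
    """Split 'identity:transport -p PORT -h HOST[:transport ...]' into parts."""
    identity, _, rest = value.partition(":")
    endpoints = []
    # Split only on a colon that starts a new endpoint, so a quoted IPv6
    # host such as "::1" stays in one piece.
    for chunk in re.split(r":\s*(?=(?:tcp|ssl|udp|ws|wss)\b)", rest):
        tokens = shlex.split(chunk)
        if tokens:
            port = _opt(tokens, "-p")
            endpoints.append({"transport": tokens[0],
                              "port": int(port) if port else None,
                              "host": _opt(tokens, "-h")})
    return identity.strip(), endpoints

def audit(value, props, open_ports):
    """List the reasons a post-login connection would be cleartext or blocked."""
    findings = []
    for ep in parse_router(expand(value, props))[1]:
        if ep["transport"] not in ENCRYPTED:
            findings.append(f"cleartext {ep['transport']} endpoint on port {ep['port']}")
        if ep["port"] not in open_ports:
            findings.append(f"port {ep['port']} is not passed by the firewall")
    return findings

if __name__ == "__main__":
    for name, value in (("default", DEFAULT), ("workaround", WORKAROUND)):
        print(name, audit(value, PROPS, OPEN_PORTS) or "ok")
```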