Wednesday, 12 September 2012

IBM Lotus Domino 8.5.3 - Firing the Firewall

In this article, I describe how I hit a problem connecting to an IBM Lotus Domino 8.5.3 server, via web browser, and, more importantly, how I was able to diagnose and then resolve the problem. 

For the umpty-leventh time, I hit: -

when I attempt to access my Domino server's web administration interface: -

Domino is running on a Red Hat Enterprise Linux (RHEL) VM running on VMware Fusion 5.0.1 on my MacBook Pro, and I'm attempting to access it via my Mac's Firefox browser.

I proved that the problem was NOT with Domino, as I was able to access it locally ( using Firefox on the VM ): -

However, I wanted to use my host OS' browser for two reasons: -

(a) Firefox on the Mac has Java enabled, and the Domino WebAdmin tool uses a Java applet
(b) It's easier to take screenshots

The next acid test was to ensure that the networking between the host and guest OS was working: -

Therefore, I knew that the problem was on the Linux VM, so I thought of the two usual suspects: -

(a) Security-Enhanced Linux ( selinux )
(b) Firewall ( iptables )

I checked selinux first of all: -

$ cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.

I then checked the firewall: -

$ chkconfig --list | grep iptables

iptables        0:off 1:off 2:on 3:on 4:on 5:on 6:off

Ah-ha, so that was the problem :-)

I stopped the firewall ( this is my own development VM so I do not need a firewall - YOUR mileage WILL vary ): -

$ service iptables stop

iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: nat mangle filte[  OK  ]
iptables: Unloading modules:                               [  OK  ]

and then validated that it was stopped: -

Finally, I went ahead and disabled the firewall permanently, as the effect of the service iptables stop command will not survive a reboot: -

$ chkconfig iptables off

and validated that it's now disabled: -

$ chkconfig --list | grep iptables

iptables        0:off 1:off 2:off 3:off 4:off 5:off 6:off

Job done.
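Added here as an example, not code from the original post: rather than stopping iptables outright, this script works out where a Domino HTTP ACCEPT rule belongs in the RHEL 6 INPUT chain (before the catch-all REJECT) and prints the commands that would add it and persist it, so the firewall can stay on. The chain listing is a constructed sample of the stock RHEL 6 default, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): instead of `service iptables stop`,
# find the first REJECT/DROP rule in INPUT and print the commands that would insert
# an ACCEPT for the Domino HTTP port ahead of it. Nothing is applied; it only prints.

# Constructed sample of `iptables -L INPUT -n` on a stock RHEL 6 host
# (assumption: the default policy that allows SSH and rejects everything else).
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# port_allowed PORT LISTING: succeed if an ACCEPT rule for TCP dpt:PORT already exists
port_allowed() {
    printf '%s\n' "$2" | grep -Eq "^ACCEPT +tcp .*dpt:$1( |$)"
}

# first_reject_index LISTING: 1-based rule number of the first REJECT/DROP rule
# (rules start after the two header lines); prints 0 if there is none.
first_reject_index() {
    printf '%s\n' "$1" | awk 'NR > 2 && ($1 == "REJECT" || $1 == "DROP") { print NR - 2; f = 1; exit }
                              END { if (!f) print 0 }'
}

# open_port_cmds PORT LISTING: print the commands that allow tcp/PORT before the
# reject rule and save the ruleset so it survives a reboot (RHEL 6 iptables service).
open_port_cmds() {
    port=$1
    listing=$2
    if port_allowed "$port" "$listing"; then
        echo "# tcp/$port is already accepted; nothing to do"
        return 0
    fi
    idx=$(first_reject_index "$listing")
    if [ "$idx" -gt 0 ]; then
        echo "iptables -I INPUT $idx -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    else
        echo "iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    fi
    echo "service iptables save"   # writes /etc/sysconfig/iptables for the next boot
}

# Domino HTTP listens on tcp/80 by default; print what would be run for it.
open_port_cmds 80 "$SAMPLE_INPUT_CHAIN"
```

On a live host, replace the sample with `iptables -L INPUT -n` output and run the printed commands as root.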


Sam Sawatzky said...

Hey Dave

Enjoy gleaning stuff off of your blog. Thanks.

Do you generally install a desktop environment on a server? What are your thoughts around this?

Also - you could accomplish a "local" connection by tunneling through an ssh connection. I generally do this, as I have ssh access more readily available than access to the KVM (physical or virtual).



Dave Hay said...

Hi Sam

Typically I install the stock OS build, which includes the desktop elements ( X11, Gnome, KDE etc. ).

However, this reflects the fact that, in the main, my installations are for my own personal use, rather than for production-grade servers.

I do take advantage of X11 tunneling via SSH, especially as my host OS ( Mac OS X ) supports SSH and X11 out-of-the-box.

As you say, this also makes "desktop switching" much more simple.

Thanks for the feedback.