> The session key will will be provided by them. They will do this by
> initiating a 0800 message. They will send the 0800 message to us. They
> will send this key from time to time.
I guess this session key will itself be encrypted under another key
shared between you and the server? Unless your network is encrypted and
secure, you might want to check?
You are to use this session key to produce PIN blocks?
>
> They will send the key to our ISO client's IP through the client's
> OUTGOING port.
>
> for example:
>
> client (192.168.0.188, port 1) and server (192.168.0.189, port 2). the
> server will send the 0800 to client's port 1.
How many connections do you have?
I think you have one connection...
The server will listen on 192.168.0.189:2, as a 'client' you will
connect to this port and your operating system will very likely assign
your end of this a randomly picked port number, unless you are
*reserving* and specifying a client port (see below for search help).
>
> The issue here is,
>
> 1. the client was never configured with any outgoing port.
If you have a single network connection, traffic can flow in both
directions over it.
The server will have a connection through which it will periodically
send 0800 request (indicating a session key change) and you will receive
the 0800 and respond (0810) perhaps after you have retrieved the session
key, confirmed it is valid and started using it.
Is there a 'commit' stage when both sides start to use the session key,
how do you avoid problems on the change over with transaction 'in
flight'? Perhaps a session key 'start time' is agreed 8) ?
> 2. the client can not serve the 0800 request.
Your client responds, to the server driving session key changes? In
some systems you might be able to initiate a session key change, but it
will depend on the server.
>
> To solve this, I can think of the following implementation
> issue 1: configure an outgoing port on the ISO client. i.e. port 1
>
> issue 2: run an ISO server and that ISO server will listen to that
> port 1. The ISO server will serve the 0800 message. It will take the
> session key, load the key to HSM and reply with 0810.
I think you are missing the fundamentals of network connectivity and are
confusing your self over ports - in most instances it doesn't matter.
Do you have a firewall set-up that limits and needs you to control the
ports used at both ends?
>
> I'd also like to ask, how do I configure the clien'ts outgoing port?
> any code snippets would be great.
I don't think you need to, but I can't be sure without answers to my
questions above.
I searched this mailing list for the words:- fix client port
The top hit :-
holds the answer and also discussion on uber cautious firewall admins -
is there any other type?
--
Mark
>>> I think you have one connection...
> Yup.
Ok.
>
>>> Is there a 'commit' stage when both sides start to use the session key,
>>> how do you avoid problems on the change over with transaction 'in
>>> flight'? Perhaps a session key 'start time' is agreed 8) ?
> You mean, before my 0200 reach the server, the server already change
> their session key? This is a good question.
> Never thought of it. Hmm,... let's see, the transaction will get
> rejected because the PIN wouldnt match, no charges occur, the account
> holder would just have to transaction one more time. Or perhaps if we
> can agree on session key exchange time as you mentioned, and on that
> particular second, we could pause the transactions... i.e. Thread.sleep
> (5000).
Perhaps the host could check the PIN with the old key and then the new -
for a 'while' at least.
Even with a wait, synchronisation is hard if not impossible.
>
>>> Your client responds, to the server driving session key changes? In
>>> some systems you might be able to initiate a session key change, but it will depend on the server.
> No, it can't. Thats why I thought, to give the same effect, an ISO
> server has to be running on the same port as the clien't outgoing
> port.
>
>
>>> I think you are missing the fundamentals of network connectivity and are
>>> confusing your self over ports - in most instances it doesn't matter.
> Hmm.. well I never thought of having 1 port for 1 application to
> listen while another application to use it as out port. Hmm i sure
> don't know a lot about networking
>
I think one connection is plenty and I will hope you are worrying about
nothing; I don't see what problem you are thinking of addressing.
>>> Do you have a firewall set-up that limits and needs you to control the
>>> ports used at both ends?
> Yup. But assuming I can use that port i need (as outgoing port for
> client and listening port for my server) freely. I can most definitely
> do this right?
Yes, control of the source port on a client connection is perhaps not
always done. When control is needed it is possible.
You just need to arrange that the source port is reserved - on some
systems this might be harder than on others.
--
Mark
> I've looked into org.jpos.iso.BaseChannel.java
Which revision please?
The latest references connectTimeout (instead of timeout). This change
was made in r2567 towards the end of last year...
You need to update?
>
> and that works for the purpose of specifying my ISOClient's outgoing
> port.
Ok.
>
> However, I do need the timeOut value. Any idea on how i can use
> specific outgoing port without having to comment out the timeout part?
I think you could set the timeout later (after connection is active),
but get the latest code first, I think you will be ok without dropping
your required timeout.
--
Mark
>
> P/s: do u know why on version 1.6.0, timeout cannot be > 0 in order to
> set local address?
>
I did not look at it but I think there was a bug in the way we were
handling the configuration.
You need to reserve it from the random selection process of your
operating system. How you do so will depend on your operating system.
You also picked two rather low numbers, you may need to start above
1024, but then it depends on your operating system.
If you have a firewall admin that needs you to control each port, then
he will be able to advise which ports you should be using and hopefully
point you to someone who can set your device up not to use the port you
need to?
I am assuming that you did not have two instances of your code running
at the same time? This will not work of course. Which ports did you
try and use? Did you have a single instance of your client running?
--
Mark
I raised this with you at the start...
I think you need *one* connection to your target system. Over this one
link you will send and receive message and they can send 0800 and you
can respond with 0810.
I actually said in my first response:-
"
If you have a single network connection, traffic can flow in both
directions over it.
The server will have a connection through which it will periodically
send 0800 request (indicating a session key change) and you will receive
the 0800 and respond (0810) perhaps after you have retrieved the session
key, confirmed it is valid and started using it.
"
So you connect to the server, perhaps not caring what your local port
is. You can send requests in and get responses and you will
occasionally get 0800's which you will respond to.
You need to be certain of what you are being asked to do. I think you
are confusing yourself completely.
>
>>From your experience/opinion, how do you think I should proceed?
As above.
--
Mark
x can be the same value but not on a single network address.
If you connect using a localport of 16384 to a server socket running on
a *remote* machine listening on port 16384 all will be well.
As previously stated this connection is two-way.
Perhaps that is your confusion - as it can't work 'locally' as you are
testing?
--
Mark
> How would you do it yourself, if I may asked?
>
> (Clearly, I don't know how to create 1 connection that i can use to do
> the thing)
Perhaps repeat what you have been told you need to achieve by this
system owner?
I still think you are worrying about nothing and confusing yourself with
your test setup - which can't work on one machine as the ports clash.
--
Mark
I think you don't have to care about the client port and when your
provider says "they will send the 0800 to the port where I use as
outgoing port" they are actually trying to say that they are going to
send the 0800 over the same established socket.
I think this probably means the exchanges will take place over a single
connection, not separate ones.
This would have no implication on ports. You would just need to deal
with messages arriving that were not responses! No real problem.
>
> I know for sure now that, this is not feasible.. but still have not
> yet get the confirmation about it from them..
They might want two separate connections one into your system they
connect to and one on their system for you to connect to, but I doubt that.
>
> will update this thread once i got the updates from them...
Ok.
--
Mark
> I think you don't have to care about the client port and when your
> provider says "they will send the 0800 to the port where I use as
> outgoing port" they are actually trying to say that they are going to
> send the 0800 over the same established socket.
+ lots
8)
--
Mark