
Unit 3 Notes

Uploaded by

Apoorvi Vishnoi

Remote Method Invocation (RMI) in Java

Remote Method Invocation (RMI) is an API that allows an object to invoke a method
on an object that exists in another address space, which could be on the same machine
or on a remote machine. Through RMI, an object running in a JVM present on a
computer (Client-side) can invoke methods on an object present in another JVM
(Server-side). RMI creates a public remote server object that enables client and
server-side communications through simple method calls on the server object.
Stub Object: The stub object on the client machine builds an information block and
sends this information to the server.
The block consists of:
• An identifier of the remote object to be used
• Method name which is to be invoked
• Parameters to the remote JVM
Skeleton Object: The skeleton object passes the request from the stub object to the
remote object. It performs the following tasks:
• It calls the desired method on the real object present on the server.
• It forwards the parameters received from the stub object to the method.

Working of RMI
The communication between client and server is handled by two intermediate
objects: the Stub object (on the client side) and the Skeleton object (on the server side).

These are the steps to be followed sequentially to implement the interface, as defined
below:
1. Defining a remote interface
2. Implementing the remote interface
3. Creating Stub and Skeleton objects from the implementation class using rmic
(RMI compiler)
4. Start the rmiregistry
5. Create and execute the server application program
6. Create and execute the client application program.
Step 1: Defining the remote interface
The first thing to do is to create an interface that will provide the description of the
methods that can be invoked by remote clients. This interface should extend the
Remote interface and the method prototype within the interface should throw the
RemoteException.
Step 2: Implementing the remote interface
The next step is to implement the remote interface. To implement the remote
interface, the class should extend the UnicastRemoteObject class of the java.rmi package.
Also, a default constructor needs to be created that declares the
java.rmi.RemoteException thrown by its parent constructor.
Step 3: Creating Stub and Skeleton objects from the implementation class using
rmic
The rmic tool is used to invoke the RMI compiler that creates the Stub and Skeleton
objects. Its prototype is rmic classname. For the above program, the following command
needs to be executed at the command prompt:
rmic SearchQuery
Step 4: Start the rmiregistry
Start the registry service by issuing the following command at the command prompt:
start rmiregistry
Step 5: Create and execute the server application program
The next step is to create the server application program and execute it on a separate
command prompt.
• The server program uses the createRegistry method of the LocateRegistry class to create
the rmiregistry within the server JVM with the port number passed as an argument.
• The rebind method of the Naming class is used to bind the remote object to the new
name.
Step 6: Create and execute the client application program
The last step is to create the client application program and execute it on a separate
command prompt. The lookup method of the Naming class is used to get the
reference of the Stub object.
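The six steps above in one file, as an added example rather than the program these notes refer to: server and client run in the same JVM, and the port 1900, the binding name search and the Search interface are assumptions (SearchQuery is the class name the notes use). Current JDKs generate stubs dynamically and no longer ship rmic, so step 3 has no counterpart here.

```java
import java.rmi.Naming;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class RmiDemo {
    // Step 1: the remote interface extends Remote; each method declares RemoteException.
    public interface Search extends Remote {
        String query(String term) throws RemoteException;
    }

    // Step 2: the implementation extends UnicastRemoteObject, whose constructor
    // exports the object and may throw RemoteException.
    public static class SearchQuery extends UnicastRemoteObject implements Search {
        public SearchQuery() throws RemoteException {
            super();
        }

        @Override
        public String query(String term) throws RemoteException {
            return "rmi".equalsIgnoreCase(term) ? "Found" : "Not found";
        }
    }

    public static void main(String[] args) throws Exception {
        int port = 1900;                                      // assumed port
        String url = "rmi://localhost:" + port + "/search";  // assumed binding name

        // Steps 4 and 5: create the registry inside the server JVM, then bind the object.
        Registry registry = LocateRegistry.createRegistry(port);
        Search impl = new SearchQuery();
        Naming.rebind(url, impl);

        // Step 6: the client looks up the name and receives the stub, not the object itself.
        Search stub = (Search) Naming.lookup(url);
        System.out.println("query(rmi) -> " + stub.query("rmi"));
        System.out.println("query(rpc) -> " + stub.query("rpc"));

        // Unbind and unexport both remote objects so the JVM can exit.
        Naming.unbind(url);
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```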
1. RMI is a pure Java solution to Remote Procedure Calls (RPC) and is used to create
distributed applications in Java.
2. Stub and Skeleton objects are used for communication between the client and
server side.
Remote Procedure Call (RPC) in Operating System

Remote Procedure Call (RPC) is a powerful technique for constructing distributed,
client-server based applications. It is based on extending the conventional local
procedure calling so that the called procedure need not exist in the same address
space as the calling procedure. The two processes may be on the same system, or
they may be on different systems with a network connecting them.
When making a Remote Procedure Call:

1. The calling environment is suspended, procedure parameters are transferred across
the network to the environment where the procedure is to execute, and the procedure
is executed there.
2. When the procedure finishes and produces its results, its results are transferred back
to the calling environment, where execution resumes as if returning from a regular
procedure call.
NOTE: RPC is especially well suited for client-server (e.g. query-response)
interaction in which the flow of control alternates between the caller and
callee. Conceptually, the client and server do not both execute at the same time.
Instead, the thread of execution jumps from the caller to the callee and then back
again.
Working of RPC

The following steps take place during an RPC:

1. A client invokes a client stub procedure, passing parameters in the usual way.
The client stub resides within the client’s own address space.
2. The client stub marshalls (packs) the parameters into a message. Marshalling
includes converting the representation of the parameters into a standard format,
and copying each parameter into the message.
3. The client stub passes the message to the transport layer, which sends it to the
remote server machine.
4. On the server, the transport layer passes the message to a server stub,
which demarshalls (unpacks) the parameters and calls the desired server routine
using the regular procedure call mechanism.
5. When the server procedure completes, it returns to the server stub (e.g., via a
normal procedure call return), which marshalls the return values into a message.
The server stub then hands the message to the transport layer.
6. The transport layer sends the result message back to the client transport layer,
which hands the message back to the client stub.
7. The client stub demarshalls the return parameters and execution returns to the
caller.
Key Considerations for Designing and Implementing RPC Systems are:
• Security: Since RPC involves communication over the network, security is a
major concern. Measures such as authentication, encryption, and authorization
must be implemented to prevent unauthorized access and protect sensitive data.
• Scalability: As the number of clients and servers increases, the performance of the
RPC system must not degrade. Load balancing techniques and efficient resource
utilization are important for scalability.
• Fault tolerance: The RPC system should be resilient to network failures, server
crashes, and other unexpected events. Measures such as redundancy, failover, and
graceful degradation can help ensure fault tolerance.
• Standardization: There are several RPC frameworks and protocols available, and
it is important to choose a standardized and widely accepted one to ensure
interoperability and compatibility across different platforms and programming
languages.
• Performance tuning: Fine-tuning the RPC system for optimal performance is
important. This may involve optimizing the network protocol, minimizing the data
transferred over the network, and reducing the latency and overhead associated
with RPC calls.
RPC ISSUES:
Issues that must be addressed:
1. RPC Runtime:
The RPC run-time system is a library of routines and a set of services that handle the
network communications that underlie the RPC mechanism. In the course of an RPC
call, the client-side and server-side run-time systems’ code handles binding, establishes
communications over an appropriate protocol, passes call data between the client
and server, and handles communications errors.
2. Stub:
The function of the stub is to provide transparency to the programmer-written
application code.
• On the client side, the stub handles the interface between the client’s local
procedure call and the run-time system, marshalling and unmarshalling data,
invoking the RPC run-time protocol, and if requested, carrying out some of the
binding steps.
• On the server side, the stub provides a similar interface between the run-time
system and the local manager procedures that are executed by the server.
3. Binding: How does the client know who to call, and where the service resides?
The most flexible solution is to use dynamic binding and find the server at run time
when the RPC is first made. The first time the client stub is invoked, it contacts a
name server to determine the transport address at which the server resides.
Binding consists of two parts:
• Naming:
• Locating:
1. A Server having a service to offer exports an interface for it. Exporting an
interface registers it with the system so that clients can use it.
2. A Client must import an (exported) interface before communication can begin.
4. The call semantics associated with RPC:
It is mainly classified into the following choices:
• Retry request message:
Whether to retry sending a request message when a server has failed or the
receiver didn’t receive the message.
• Duplicate filtering:
Remove the duplicate server requests.
• Retransmission of results:
To resend lost messages without re-executing the operations at the server side.
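Steps 1 to 7 of the RPC walk-through and the duplicate-filtering and retransmission-of-results choices above, as an added example (not part of the original notes): the transport is replaced by a direct method call, and the add procedure, the message layout and the request-id reply cache are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

public class RpcDemo {
    static int executions = 0;                                    // real runs of the server routine
    static final Map<Long, byte[]> replyCache = new HashMap<>();  // request id -> marshalled reply

    // Server routine, reached through the server stub by a normal procedure call.
    static int add(int a, int b) { executions++; return a + b; }

    // Client stub, step 2: marshal request id, procedure name and parameters.
    static byte[] marshalCall(long requestId, String proc, int a, int b) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeLong(requestId);
        out.writeUTF(proc);
        out.writeInt(a);   // DataOutputStream is big-endian: the agreed standard format
        out.writeInt(b);
        return buf.toByteArray();
    }

    // Server stub, steps 4 and 5: unmarshal, filter duplicates, dispatch, marshal the result.
    static byte[] serverStub(byte[] message) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(message));
        long requestId = in.readLong();
        byte[] cached = replyCache.get(requestId);
        if (cached != null) return cached;   // retransmit the result without re-executing
        String proc = in.readUTF();
        if (!proc.equals("add")) throw new IOException("unknown procedure: " + proc);
        int result = add(in.readInt(), in.readInt());
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        new DataOutputStream(buf).writeInt(result);
        replyCache.put(requestId, buf.toByteArray());
        return buf.toByteArray();
    }

    // Client stub, steps 1, 3, 6 and 7: to the caller this looks like a local call.
    static int remoteAdd(long requestId, int a, int b) throws IOException {
        byte[] reply = serverStub(marshalCall(requestId, "add", a, b)); // stands in for the transport
        return new DataInputStream(new ByteArrayInputStream(reply)).readInt();
    }

    public static void main(String[] args) throws IOException {
        System.out.println("first delivery: " + remoteAdd(1L, 2, 3));
        System.out.println("retried request, same id: " + remoteAdd(1L, 2, 3));
        System.out.println("server executions: " + executions);
    }
}
```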
ADVANTAGES:
1. RPC provides ABSTRACTION, i.e. the message-passing nature of network
communication is hidden from the user.
2. RPC often omits many of the protocol layers to improve performance. Even a
small performance improvement is important because a program may invoke RPCs
often.
3. RPC enables the usage of the applications in the distributed environment, not only
in the local environment.
4. With RPC, code re-writing / re-developing effort is minimized.
5. Process-oriented and thread-oriented models are supported by RPC.
Security Overview
These seven types of data security technologies -- from encryption to
masking -- will better protect customer and enterprise data from
inappropriate and unauthorized access and use.
The most important aspect of any company's cyber security strategy revolves around
how to keep enterprise data protected and how to prevent data loss. This includes data
at rest, in transit and in use.
Data security technologies come in a variety of forms, including the following:
1. firewalls
2. authentication and authorization
3. encryption
4. data masking
5. hardware-based security
6. data backup and resilience
7. data erasure
Each of these has the same goal: keeping data safe and protected.
What is data security and why is it important?
Data security refers to the practice of protecting data from theft, loss or unauthorized
access throughout its lifecycle.
Data breaches are a continuing issue for organizations. A ThoughtLab report found a
15.1% rise in the number of data breaches and cyber attacks in 2021 over 2020. Data
breaches not only expose enterprise data, but also open companies up
to lawsuits and fines.

Data security practices, policies and technologies are also key to keeping internal
users from conducting inappropriate actions with any data.

Data security is important because it helps with the following:
• keep intellectual property safe;
• prevent financial losses;
• maintain customer trust; and
• ensure compliance with several regulatory standards is met.

The last point is significant because organizations have a variety of industry and
federal regulations with which to comply, from GDPR and CCPA to the
Sarbanes-Oxley Act and PCI DSS.
Types of data security technologies
Data security is paramount because attackers relentlessly look for any and all
vulnerabilities to infiltrate corporate networks. To keep data properly protected,
enterprises can use the following seven technologies.
1. Firewalls
A firewall is the initial security layer in a system. It is designed to keep unauthorized
sources from accessing enterprise data. A firewall serves as an intermediary between a
personal or enterprise network and the public internet. Firewalls use pre-configured rules
to inspect all the packets entering and exiting a network and, therefore, help stop malware
and other unauthorized traffic from connecting to devices on a network.
Different types of firewalls include the following:
• basic packet-filtering firewalls
• circuit-level gateways
• application-level gateways
• stateful inspection firewalls
• next-generation firewalls
2. Authentication and authorization
Two processes are used to ensure only appropriate users can access enterprise
data: authentication and authorization.
Authentication involves users providing proof that they are who they claim to be. This proof can
be providing a secret, such as a password or PIN, or biometric authentication. Depending on the
authentication scenario, users may be required to provide one or more additional factors when
signing in, known as two-factor authentication or multifactor authentication (MFA).
Examples of authentication are the following:
• passwords/PINs
• MFA
• biometric scans
• behavioral scans
Once users have proven their identity, authorization determines whether the user has
the appropriate permissions to access and interact with specific data. By authorizing
users, they gain permissions within the system to read, edit and write different
resources.
Examples of authorization are the following:
• principle of least privilege access
• attribute-based access control
• role-based access control
3. Data encryption
Data encryption converts data into coded ciphertext to keep it secure at rest
and while in transit between approved parties. Encrypting data ensures only
those who have the proper decryption key can view the data in its original
plaintext form. Encrypted data is meaningless if captured by attackers.
Examples of data encryption are the following:
• asymmetric encryption, also known as public key encryption; and
• symmetric encryption, also known as secret key encryption.

4. Data masking
Data masking obscures data so that, even if criminals exfiltrate it, they can't make sense
of what they stole. Unlike encryption, which uses encryption algorithms to encode data,
data masking involves replacing legitimate data with similar but fake data.
Tokenization is an example of data masking. It involves replacing data with a unique
string of characters that holds no value and cannot be reverse-engineered should it be
captured by bad actors.
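An added example, not from the original notes, of the contrast drawn above: the token is random and unrelated to the value, so recovering the value needs the vault's lookup table rather than a key. The TokenVault class, the tok_ prefix and the sample card number are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class TokenVault {
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, String> tokenToValue = new HashMap<>();
    private final Map<String, String> valueToToken = new HashMap<>();

    // Replace a value with a random token. The token is not derived from the
    // value, so there is nothing to reverse-engineer if it is captured.
    public String tokenize(String value) {
        return valueToToken.computeIfAbsent(value, v -> {
            byte[] raw = new byte[16];
            rng.nextBytes(raw);
            String token = "tok_" + Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            tokenToValue.put(token, v);
            return token;
        });
    }

    // Reversal is a lookup inside the vault, not a computation on the token.
    public String detokenize(String token) {
        String value = tokenToValue.get(token);
        if (value == null) throw new IllegalArgumentException("unknown token");
        return value;
    }

    // Masking for display: show the last four characters only when enough
    // characters remain hidden; short values are masked completely.
    public static String maskForDisplay(String value) {
        int keep = value.length() > 8 ? 4 : 0;
        return "*".repeat(value.length() - keep) + value.substring(value.length() - keep);
    }

    public static void main(String[] args) {
        TokenVault vault = new TokenVault();
        String card = "4111111111111111";   // constructed sample value, not real data
        String token = vault.tokenize(card);
        System.out.println("stored downstream: " + token);
        System.out.println("same value, same token: " + token.equals(vault.tokenize(card)));
        System.out.println("shown to support staff: " + maskForDisplay(card));
        System.out.println("vault lookup recovers value: " + card.equals(vault.detokenize(token)));
    }
}
```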
Other examples of data masking are the following:
• data deidentification
• data generalization
• data anonymization
• pseudonymization
5. Hardware-based security
Hardware-based security involves physical protection of a device rather than relying
solely on software installed onto the hardware. Because attackers target every IT layer,
companies need protections built into the silicon to ensure hardened devices.
Examples of hardware-based security are the following:
• hardware-based firewalls
• proxy servers
• hardware security modules
6. Data backup and resilience
Organizations should save multiple copies of data, especially if they want to fully recover
following a data breach or other disaster. With data backups in place, companies can
resume normal business functions faster and with fewer hiccups. To ensure data
resilience, organizations need protections in place to keep the backed-up data secure
and ready for use.
One example of data backup protection is data vaulting, which creates air-gapped
versions of backed-up data. Organizations should also follow a 3-2-1 backup strategy,
which results in at least three saved copies of data in different locations.
Other types of data backup protection include the following:
• redundancy
• cloud backup
• external hard drives
• hardware appliances
7. Data erasure
It is important that organizations properly delete data and ensure that deleted data is not
recoverable. Known as data erasure, this process involves completely overwriting
stored data so that it cannot be recovered. Also known as data destruction, data erasure
often involves turning data illegible after erasing it.
Organizations must be able to properly destroy data, especially in the wake of regulations
such as GDPR, which stipulate customers can request the erasure of their personal data.
Other types of data erasure include the following:
• data wiping
• overwriting
• physical destruction
• degaussing
