Challenger
Posted: Wed Oct 01, 2008 12:51 am  Post subject: Challenge Question - 10 / 2008
Centurion, Joined: 31 Mar 2008, Posts: 115
Welcome to October's challenge. I hope I have found an exciting question for you, and I am awaiting lots of interesting answers.
The challenge:
Connect two organisational units (companies, departments of a company, applications or whatever) via WebSphere MQ. The units shall be separated from each other using SSL certificates and connected via gateway queue managers. Use WebSphere MQ clusters to avoid single points of failure.
The tasks:
- Set up a queue manager topology for the connection of the organisational units.
- Define conventions for queue manager, queue, cluster and channel names to enable communication between the clusters using the gateway queue managers.
- Think about the necessary rules for the distinguished names (DN) of the queue manager certificates and the SSLPEER settings of the channels to enable communication between the clusters using the gateways. Prevent queue managers of one unit from joining the cluster of the other unit.
One hint: I like overlapping clusters and SSL, but I do not like exits.
exerk
Posted: Fri Oct 03, 2008 12:42 am  Post subject: First toe dipped in the water...
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
TOPOLOGY
1. Create OU Alpha cluster (existing queue managers).
2. Create OU Beta cluster (existing queue managers).
3. Create a Gateway cluster (4 new queue managers).
4. Overlap one pair of Gateway queue managers into the Alpha cluster, the other pair into the Beta cluster.
CONVENTIONS
1. Define a new naming standard for the Gateway cluster elements, e.g. queue manager names, channel names etc.
2. If the naming conventions are markedly different in each organisation, the naming convention of each OU can be used within each Gateway pair-to-OU cluster channel definition, as can queue names (which will be aliases).
SEPARATION
1. Lock down the Gateway cluster by explicit use of the cluster name and other Gateway-cluster-unique items within the DN, e.g. use the cluster name as the OU name and ensure no wildcards are used in the SSLPEER values of the Gateway cluster channels, to ensure Alpha/Beta queue managers cannot join the Gateway cluster.
2. Use the Alpha/Beta cluster DN and SSLPEER conventions in each set of Gateway pair-to-OU channels.
PRO
1. Complete separation of OUs.
2. Flexible: if another OU is to be joined, add queue managers into the Gateway, then add them to the OU cluster in the same manner as Alpha/Beta.
CON
1. Complexity.
2. Infrastructure requirements.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Challenger
Posted: Thu Oct 09, 2008 5:25 am
Centurion, Joined: 31 Mar 2008, Posts: 115
Exerk,
sorry for my late answer, but it seems my last reply is lost.
I am not sure if I understand your solution correctly; maybe you could provide us with some samples.
In particular, I would like to know how the DN definitions of the qmgr (gateway and application) certificates and the SSLPEER values for all channels would look.
And how would you prevent qmgrs of one application cluster (e.g. ALPHA) from joining the other application cluster (BETA in this sample)?
exerk
Posted: Mon Oct 13, 2008 2:31 am
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
Challenger,
My apologies for the delay in replying; I have had to do some 'real' work recently.
I have revisited the (old) prototype I had and, with the benefit of hindsight, have modified it slightly to reduce complexity by overlapping the clusters using a gateway queue manager as a PR in each cluster.
The certificates for the ALPHA and BETA queue managers would contain the cluster name as the OU, e.g. OU=ALPHA or OU=BETA.
The certificate for the Gateway queue manager would contain both cluster names as the OU, e.g. OU=ALPHABETA.
The SSLPEER value in the CLUSSDRs and CLUSRCVRs of the ALPHA cluster would be: CN=Enterprise,O=ABC,OU=ALPHA*
The SSLPEER value in the CLUSSDRs and CLUSRCVRs of the BETA cluster would be: CN=Enterprise,O=ABC,OU=*BETA
In the Gateway queue manager, separate CLUSSDRs and CLUSRCVRs would be defined for each cluster.
This is not an elegant method, and despite your preference not to use exits (a preference I share), using BlockIP2 would be a belt-and-braces enhancement to the above.
Challenger
Posted: Mon Oct 13, 2008 11:04 pm
Centurion, Joined: 31 Mar 2008, Posts: 115
Exerk,
congratulations. Your solution is not exactly what I have, but it is very similar to what I thought about.
The main difference between my solution and yours is that I changed the meanings of CN and OU. I thought about the following definitions:
1. The distinguished names (DN):
Internal QMgrs:
OU="PROD.INTERNET.APPLICATION"
CN="INTERN.Name_of_the_qmgr"
External QMgrs:
OU="PROD.INTERNET.APPLICATION"
CN="Name_of_the_qmgr.EXTERN"
Gateway QMgrs:
OU="PROD.INTERNET.APPLICATION"
CN="INTERN.Name_of_the_qmgr.EXTERN"
2. SSLPEER values:
Internal QMgrs:
SSLPEER('OU=PROD.INTERNET.APPLICATION,CN="INTERN.*"')
External QMgrs:
SSLPEER('OU=PROD.INTERNET.APPLICATION,CN="*.EXTERN"')
Gateway QMgrs, internal channels:
SSLPEER('OU=PROD.INTERNET.APPLICATION,CN="INTERN.*"')
Gateway QMgrs, external channels:
SSLPEER('OU=PROD.INTERNET.APPLICATION,CN="*.EXTERN"')
A further benefit is that I am able to separate production from test environments (you could add the environment to your CN attribute).
Some additional remarks on this challenge:
My first idea, when I thought about this challenge, was to use different OUs for each cluster. Then I tried SSLPEER values like "SSLPEER('OU=Cluster1')" in one cluster and "SSLPEER('OU=Cluster2')" in a second cluster, and so on. The gateway QMgrs in this scenario would have had both OUs defined (or more; the DN may have multiple OUs).
Unfortunately this does not work, because OUs have a hierarchical order. So what I missed in the SSLPEER attribute is some kind of "OR" function.
Exerk, you have earned a coffee mug.
The Challenger!
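As an added example (my own code, not from this thread and not IBM's MQ implementation), here is a small Python model of SSLPEER matching that checks both schemes discussed above: exerk's OU=ALPHA*/OU=*BETA filters with an OU=ALPHABETA gateway, and the Challenger's CN="INTERN.*"/CN="*.EXTERN" filters with an INTERN.x.EXTERN gateway. It also reproduces why the Challenger's first idea (one OU per cluster, gateway carrying both OUs) fails. The matcher is a deliberately simplified model: it assumes one '*' wildcard at the start or end of a value, case-insensitive comparison, and positional (hierarchical) comparison of repeated OU attributes; the queue manager names and the Cluster1/Cluster2 gateway DN are constructed for the example.

```python
import re

# Constructed, simplified model of how an SSLPEER filter is compared with a
# certificate DN. It is NOT IBM's implementation; it models only the rules the
# thread relies on: attribute-by-attribute comparison, one '*' wildcard at the
# start or end of a value, and positional (hierarchical) comparison of repeated
# OU attributes, so a filter OU is never compared with "any" OU in the DN.


def parse_dn(dn):
    """Split 'CN=x,O=y,OU=z' into an ordered list of (ATTR, value) pairs.
    Values may be double-quoted; attribute names are upper-cased."""
    pairs = re.findall(r'([A-Za-z]+)\s*=\s*("[^"]*"|[^,]*)', dn)
    return [(attr.upper(), value.strip().strip('"')) for attr, value in pairs]


def value_matches(pattern, value):
    """Compare one attribute value with a filter value.
    A single '*' is allowed at the start or the end of the pattern; the
    comparison is case-insensitive (an assumption of this model)."""
    p, v = pattern.upper(), value.upper()
    if p == "*":
        return True
    if p.startswith("*") and p.endswith("*"):
        raise ValueError("wildcard on both ends is not modelled: %r" % pattern)
    if p.startswith("*"):
        return v.endswith(p[1:])
    if p.endswith("*"):
        return v.startswith(p[:-1])
    return p == v


def sslpeer_matches(sslpeer, cert_dn):
    """True if every attribute in the SSLPEER filter is satisfied by the DN.
    Repeated attributes (typically OU) are matched by position: the filter's
    n-th OU is compared with the DN's n-th OU, never with any other OU."""
    have = {}
    for attr, value in parse_dn(cert_dn):
        have.setdefault(attr, []).append(value)
    seen = {}
    for attr, pattern in parse_dn(sslpeer):
        idx = seen.get(attr, 0)
        seen[attr] = idx + 1
        values = have.get(attr, [])
        if idx >= len(values) or not value_matches(pattern, values[idx]):
            return False
    return True


def admitted(sslpeer, certs):
    """Names of the queue managers whose certificate would pass the given
    channel SSLPEER, sorted so results compare stably."""
    return sorted(name for name, dn in certs.items() if sslpeer_matches(sslpeer, dn))


# exerk's scheme: the cluster name goes into OU, the gateway carries both.
EXERK_CERTS = {                       # queue manager names are constructed
    "QM.ALPHA1":  "CN=Enterprise,O=ABC,OU=ALPHA",
    "QM.BETA1":   "CN=Enterprise,O=ABC,OU=BETA",
    "QM.GATEWAY": "CN=Enterprise,O=ABC,OU=ALPHABETA",
}
EXERK_SSLPEER = {
    "ALPHA": "CN=Enterprise,O=ABC,OU=ALPHA*",
    "BETA":  "CN=Enterprise,O=ABC,OU=*BETA",
}

# The Challenger's scheme: environment/application in OU, the INTERN. prefix
# or .EXTERN suffix in CN, so the gateway's CN satisfies both wildcards.
CHALLENGER_CERTS = {                  # queue manager names are constructed
    "INT1": 'OU=PROD.INTERNET.APPLICATION,CN="INTERN.INT1"',
    "EXT1": 'OU=PROD.INTERNET.APPLICATION,CN="EXT1.EXTERN"',
    "GW1":  'OU=PROD.INTERNET.APPLICATION,CN="INTERN.GW1.EXTERN"',
}
CHALLENGER_SSLPEER = {
    "internal": 'OU=PROD.INTERNET.APPLICATION,CN="INTERN.*"',
    "external": 'OU=PROD.INTERNET.APPLICATION,CN="*.EXTERN"',
}


def first_idea_fails():
    """The discarded idea: one OU per cluster, gateway DN with both OUs.
    Because OUs are compared by position there is no 'OR': a gateway whose
    first OU is Cluster2 cannot satisfy the Cluster1 channel's filter.
    Returns (passes Cluster1 filter, passes Cluster2 filter)."""
    gateway = "CN=GW,OU=Cluster2,OU=Cluster1"      # constructed DN
    return sslpeer_matches("OU=Cluster1", gateway), sslpeer_matches("OU=Cluster2", gateway)


if __name__ == "__main__":
    for cluster, peer in EXERK_SSLPEER.items():
        print("exerk %-5s channels admit: %s" % (cluster, admitted(peer, EXERK_CERTS)))
    for side, peer in CHALLENGER_SSLPEER.items():
        print("Challenger %-8s channels admit: %s" % (side, admitted(peer, CHALLENGER_CERTS)))
    print("gateway OU=Cluster2,OU=Cluster1 passes OU=Cluster1 / OU=Cluster2:", first_idea_fails())
```

Running it shows that in both schemes an ALPHA (internal) queue manager is admitted only by ALPHA (internal) channels, a BETA (external) one only by BETA (external) channels, and the gateway by both, which is the separation the challenge asks for. The last line prints (False, True): with positional OU comparison the gateway can satisfy only the filter whose OU happens to come first, which is the missing "OR" the Challenger mentions. Real MQ SSLPEER evaluation has more rules than this model, so treat it as an illustration of the naming logic, not as a substitute for testing the channels.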
exerk
Posted: Tue Oct 14, 2008 5:25 am
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
Woohoo! I feel that I have finally arrived!
What details do you need from me for me to receive my exalted award?
Challenger
Posted: Wed Oct 15, 2008 5:15 am
Centurion, Joined: 31 Mar 2008, Posts: 115
The challenge has been solved very quickly, but it is a while until the end of the month, so I have an additional challenge if you like!
(but no coffee mug for the winner)
Can you guess my true identity? One hint:
I like overlapping clusters.
Who am I?
exerk
Posted: Wed Oct 15, 2008 5:25 am
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
Going for the full house here: PeterPotkay?
Challenger
Posted: Wed Oct 15, 2008 5:51 am
Centurion, Joined: 31 Mar 2008, Posts: 115
exerk wrote:
    Going for the full house here: PeterPotkay?
No, try again ...
Gaya3
Posted: Wed Oct 15, 2008 7:38 pm
Jedi, Joined: 12 Sep 2006, Posts: 2493, Location: Boston, US
It's Spider-Man: fjb_saper
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die
AkankshA
Posted: Wed Oct 15, 2008 8:23 pm
Grand Master, Joined: 12 Jan 2006, Posts: 1494, Location: Singapore
bruce2359 or gbaddelay
_________________
Cheers
atheek
Posted: Wed Oct 15, 2008 9:02 pm
Partisan, Joined: 01 Jun 2006, Posts: 327, Location: Sydney
exerk
Posted: Thu Oct 16, 2008 5:06 am
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
Hubert Kleinmanns?
HubertKleinmanns
Posted: Thu Oct 16, 2008 8:29 pm
Shaman, Joined: 24 Feb 2004, Posts: 732, Location: Germany
exerk wrote:
    Hubert Kleinmanns?
You got it!
Congratulations again!
I proclaim exerk the double winner of the October challenge.
_________________
Regards
Hubert
exerk
Posted: Thu Oct 16, 2008 11:09 pm
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
Google is a wonderful thing! I found you on the list server discussing having up to 80 overlapping clusters...