gr3ymatt3r
Posted: Fri Aug 31, 2007 3:26 am Post subject: Client to Server Connectivity on Internet
Novice
Joined: 25 Aug 2007 Posts: 11
Hi..
We have a query. We are trying to connect an MQ Client in India to an MQ Server in the US through the internet. All required ports are opened and we are able to telnet to the port. We want to connect the client directly to the MQ Server. With a VPN, we know this can be established.
We would like to know: can we connect the MQ Client to the MQ Server directly over the internet?
And yes, I have gone through the Intercommunication guide and the System Administration guide.
Just wanted to clarify this..
Please help..
Thanks in advance
Vitor
Posted: Fri Aug 31, 2007 3:28 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Yes.
Use the methods described in the Clients manual.
And some of the methods described in the Security manual!!
(Or connect via the VPN)
_________________
Honesty is the best policy.
Insanity is the best defence.
gr3ymatt3r
Posted: Fri Aug 31, 2007 3:35 am Post subject:
Novice
Joined: 25 Aug 2007 Posts: 11
Hi..
Thanks for the reply...
Please give some hints about where in the Clients manual to find the methods.
And we are trying not to use a VPN for the connectivity.
Regards
Vitor
Posted: Fri Aug 31, 2007 3:41 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
gr3ymatt3r wrote:
> Please give some hints in the clients manual about where to find the methods.

The entire manual is devoted to the subject of client connections, and the various means of achieving them!
_________________
Honesty is the best policy.
Insanity is the best defence.
gr3ymatt3r
Posted: Fri Aug 31, 2007 5:00 am Post subject:
Novice
Joined: 25 Aug 2007 Posts: 11
Hi..
And one more query:
Isn't it the case that it is not necessary for us to have a server-to-server connection (remote queue managers and all) for communication, instead of a client-server connection, for communication across the internet?
Also, we are getting 2035 when trying to connect to the server....
What is the procedure to authorize a client across the internet... does it have something to do with the IP of the client....
Please help...
Thanks...
zpat
Posted: Fri Aug 31, 2007 5:04 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
IP addresses won't cause a 2035.
Your client userid (presumably Windows) must be defined on the queue manager and have sufficient MQ access.
Initially you can add it as a local id and grant it MQM group and Admin rights to make sure it can connect, and later reduce the access rights.
Vitor
Posted: Fri Aug 31, 2007 5:05 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
gr3ymatt3r wrote:
> Inst it that, it is not necessary for us to have a server-server connection (remote queue managers and all) for communication instead of a client-server connection for communication across the internet.

No. All client connections are over TCP/IP, so it makes no odds if the connection is to the box next door or a server on the other side of the world. The only additional considerations are security, resilience and response time, any of which may (but not must) indicate that a local queue manager is preferable. I've certainly seen what you're trying to do done as a production solution. In general terms, of course.

gr3ymatt3r wrote:
> What is the procedure to authorize a client across the internet...does it have to do something with the IP of the client....

No. It's exactly the same as authorising any client from anywhere. Remember the queue manager can't tell where the client is connecting from geographically; all it can see is an incoming connection (my comment above applies).
_________________
Honesty is the best policy.
Insanity is the best defence.
Vitor
Posted: Fri Aug 31, 2007 5:07 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
zpat wrote:
> Initially you can add it as a local id and grant it MQM group and Admin rights to make sure it can connect, and later reduce the access rights.

Or not. If you're connecting over the Internet, don't allow remote users admin rights unless you have additional network security in place. VPN or similar.
_________________
Honesty is the best policy.
Insanity is the best defence.
zpat
Posted: Fri Aug 31, 2007 5:09 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
VPN is mentioned, so it is effectively an extension of the local network.
I wouldn't generally allow MQ client channels to be exposed on a public network.
Vitor
Posted: Fri Aug 31, 2007 5:12 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
zpat wrote:
> VPN is mentioned, so it is effectively an extension of the local network.

But gr3ymatt3r said previously they're trying not to use it, and this prompted my fear that they're going over public lines without other protections.
Which, as you correctly point out, is a bad thing. Worse if the connection is granted admin rights.
_________________
Honesty is the best policy.
Insanity is the best defence.
gr3ymatt3r
Posted: Fri Aug 31, 2007 5:33 am Post subject:
Novice
Joined: 25 Aug 2007 Posts: 11
Vitor wrote:
> Or not. If you're connecting over the Internet don't allow remote users admin rights unless you have additional network security in place. VPN or similar.

Then would this be OK enough....
The server firewall only allows our client IP to access the port...
And then the client is given admin rights...

zpat wrote:
> Your client userid (presumably Windows) must be defined on the queue manager and have sufficient MQ access.

Is the user id the login username, like "DOMAIN\WINDOWS_LOGIN_NAME"?
And for this we have to use setmqaut, isn't it... or can you please provide a sample authorizing command to authorize a user across the internet..
Also, configuration is done using the MQSERVER variable on the client....
But do we require a variable or setting on the client for conveying the userid to the server...
Vitor
Posted: Fri Aug 31, 2007 5:38 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
gr3ymatt3r wrote:
> The Server firewall only allows our Client IP to access the port...
> And then client is given admin rights...

And anyone with half a brain attaches to the queue manager as an administrator and does what they want.

gr3ymatt3r wrote:
> and for this we have to use setmqaut isnt it...or can you pls provide a sample authorizing command to authorize a user across internet..

It's setmqaut. I've already said it's the same as for any other authorisation. Please read what's being posted.

gr3ymatt3r wrote:
> But do we require a VAR or setting on the client for conveying the userid to the server...

No. Read the Clients manual and it'll explain what ids are used, and how to influence it! As well as the answers to most of your other questions!!
_________________
Honesty is the best policy.
Insanity is the best defence.
zpat
Posted: Fri Aug 31, 2007 5:45 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Using a VPN would be much safer. Otherwise use SSL secured channels.
I just passed the CISSP - but MQ never got a mention in the material, nor indeed do mainframes.
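The configuration the replies above converge on (zpat's point that a 2035 is about the client's userid and its MQ authorities, Vitor's point that setmqaut is the tool and that an admin-level id must not be reachable from the Internet, and zpat's suggestion of SSL-secured channels), shown as an added shell example that is not from the thread or from IBM: the weak SVRCONN definition beside a hardened one, the least-privilege setmqaut grants, and an audit check over a channel definition line. The queue manager, channel, queue, user and cipherspec names are constructed placeholders, and the functions only emit the commands rather than running them.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the MQSC and setmqaut commands
# for a client (SVRCONN) channel exposed beyond the LAN, contrasting the setup
# the thread warns against (blank MCAUSER, client id in mqm) with a hardened one.
# All names (QM1, APP.SVRCONN, mqapp, APP.REQ, APP.REPLY, the cipherspec) are
# constructed placeholders; nothing here is executed against a queue manager.

# Weak: MCAUSER blank, so whatever id the client asserts is used; no SSL.
# With mqm/admin rights granted to that id, anyone who reaches the port is admin.
weak_setup() {
  chl=$1
  printf "DEFINE CHANNEL('%s') CHLTYPE(SVRCONN) TRPTYPE(TCP)\n" "$chl"
}

# Hardened: pin the channel to a fixed low-privilege id (MCAUSER) so the id the
# client sends is ignored, require SSL with client certificates, and grant that
# id only connect/inquire on the queue manager plus put/get on named queues.
hardened_setup() {
  qm=$1; chl=$2; user=$3; putq=$4; getq=$5; cipher=$6
  printf "DEFINE CHANNEL('%s') CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('%s') SSLCIPH(%s) SSLCAUTH(REQUIRED)\n" \
    "$chl" "$user" "$cipher"
  printf "setmqaut -m %s -t qmgr -p %s +connect +inq\n" "$qm" "$user"
  printf "setmqaut -m %s -t queue -n %s -p %s +put\n" "$qm" "$putq" "$user"
  printf "setmqaut -m %s -t queue -n %s -p %s +get +inq\n" "$qm" "$getq" "$user"
}

# Audit check for one DEFINE/DISPLAY CHANNEL line: returns 0 only for a SVRCONN
# that pins a non-blank MCAUSER and names a cipherspec, 1 if either is missing,
# 2 if the line is not a SVRCONN channel at all.
channel_is_hardened() {
  line=$1
  printf '%s\n' "$line" | grep -q "CHLTYPE(SVRCONN)" || return 2
  printf '%s\n' "$line" | grep -q "MCAUSER('[^')]" || return 1
  printf '%s\n' "$line" | grep -q "SSLCIPH([^) ]" || return 1
  return 0
}
```

Feed the emitted DEFINE line to runmqsc and the setmqaut lines to a shell on the server; the cipherspec must be one your MQ level supports.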
Vitor
Posted: Fri Aug 31, 2007 7:25 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
zpat wrote:
> Using a VPN would be much safer. Otherwise use SSL secured channels.

I'd use SSL over VPN because of the overhead. But in this case, if the VPN is already in place & working, then why go up another learning curve?
_________________
Honesty is the best policy.
Insanity is the best defence.
ashoon
Posted: Fri Aug 31, 2007 7:28 am Post subject: i'd use a queue manager!!!
Master
Joined: 26 Oct 2004 Posts: 235
Because connecting clients half-way around the world doesn't sound like the most sound solution (thinking orphaned messages/connections)...
And if you're going over the internet, try using MQIPT...
_________________
IBM Certified - SOA Solution Designer & WebSphere Datapower SOA Appliances