merien_took |
Posted: Fri Jan 12, 2007 9:02 am Post subject: Setting up SSL with a VIP |
|
|
Novice
Joined: 15 Dec 2006 Posts: 13
|
Hi,
We have two queue managers that are clustered and are running on two different servers. They are sitting behind a load balancer that will allow a queue manager outside the cluster to connect to either QM inside the cluster. The outside QM (not under our control) requires that we connect to it using SSL. Does anyone know of any issues we should be aware of before purchasing an SSL certificate and setting this up?
Thanks. |
jefflowrey |
Posted: Fri Jan 12, 2007 9:29 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
You can't use a network load balancer on MQ server channels. _________________ I am *not* the model of the modern major general. |
merien_took |
Posted: Fri Jan 12, 2007 9:42 am Post subject: |
|
|
Novice
Joined: 15 Dec 2006 Posts: 13
|
Thanks for the quick reply.
Quote: |
You can't use a network load balancer on MQ server channels. |
That shouldn't be a problem...We'll be using regular sender/receiver channels.
I've never worked with SSL, and I've been researching it all week... The best I can tell is we create one certificate with the VIP as the cn...it doesn't seem like the external QM will accept our connection if we create two certificates with the individual server DNS entries as the cns. Is that correct?
Normally I'd just play with different setups and see what works, but in this instance I'd like to make sure I purchase the certificates correctly the first time.  |
jefflowrey |
Posted: Fri Jan 12, 2007 10:09 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
merien_took wrote: |
Thanks for the quick reply.
Quote: |
You can't use a network load balancer on MQ server channels. |
That shouldn't be a problem...We'll be using regular sender/receiver channels. |
Let me try again.
You can only use network load balancers with CLIENT channels. _________________ I am *not* the model of the modern major general. |
merien_took |
Posted: Fri Jan 12, 2007 1:56 pm Post subject: |
|
|
Novice
Joined: 15 Dec 2006 Posts: 13
|
Why would using sender/receiver channels not work? Could you point me to that in the documentation? Searches in the IBM MQ InfoCenter on "load balancer", "vip", and "virtual ip" return nothing about having to use a client channel. |
Vitor |
Posted: Mon Jan 15, 2007 1:02 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
merien_took wrote: |
Why would using sender/receiver channels not work? |
The channels maintain a status for handshaking purposes (last message received, that sort of thing) so the MCAs can resend failed messages or incomplete batches in the event of network issues. This is documented behaviour and one of the key planks of MQ's assured delivery.
If MCA A is talking to MCA B, and the load balancer then starts routing traffic from A to C then the two MCAs will be out of sync because A has sent more messages than C has received. If you resolve the channel so C starts accepting messages, you get exactly the same problem when A switches back to B for the same reason.
If you want to achieve this kind of load balancing with MQ, you need hard links and an MQ cluster. _________________ Honesty is the best policy.
Insanity is the best defence. |
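
A toy model of the failure described in the post above, as an added example that is not part of the original thread. The single counter per channel end and the `reset` step are a simplification, not MQ's actual channel protocol, and the names `SenderMCA`, `ReceiverMCA` and `simulate` are hypothetical.

```python
from dataclasses import dataclass, field


class SequenceError(Exception):
    """Raised when the two ends of a channel disagree on the next message."""


@dataclass
class ReceiverMCA:
    name: str
    expected: int = 1                      # next sequence number this end accepts
    received: list = field(default_factory=list)

    def accept(self, seq, msg):
        if seq != self.expected:
            raise SequenceError(f"{self.name}: expected {self.expected}, got {seq}")
        self.received.append(msg)
        self.expected += 1


@dataclass
class SenderMCA:
    next_seq: int = 1

    def send(self, receiver, msg):
        receiver.accept(self.next_seq, msg)  # raises if the ends disagree
        self.next_seq += 1


def simulate(route):
    """route: backend chosen by the load balancer for each message (constructed input)."""
    a = SenderMCA()
    backends = {"B": ReceiverMCA("B"), "C": ReceiverMCA("C")}
    events = []
    for i, name in enumerate(route, 1):
        rx = backends[name]
        try:
            a.send(rx, f"msg{i}")
            events.append((name, "ok"))
        except SequenceError:
            events.append((name, "out-of-sync"))
            rx.expected = a.next_seq         # manual resync of this receiver only
            a.send(rx, f"msg{i}")
            events.append((name, "ok-after-reset"))
    return events


if __name__ == "__main__":
    for event in simulate(["B", "B", "B", "C", "C", "B"]):
        print(event)
```

Every switch of backend costs a manual resync, and switching back costs another, because each receiver only knows the messages it saw itself.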
jefflowrey |
Posted: Mon Jan 15, 2007 3:08 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
The topology you should put in is to add a third qmgr that acts as a gateway qmgr. Then your external connections will go to that, and MQ clustering will loadbalance the work to the other qmgrs.
The gateway qmgr is in the cluster, but doesn't host any queues (mostly - unless the external parties need to GET from it - but that would have to be with client channels and you aren't using that). _________________ I am *not* the model of the modern major general. |
merien_took |
Posted: Mon Jan 15, 2007 9:49 am Post subject: |
|
|
Novice
Joined: 15 Dec 2006 Posts: 13
|
Ok...I see the confusion...
Vitor, we have the load balancer set to send all messages in a session to a particular queue manager on a particular server. I can't remember the workload algorithm off the top of my head...but we do have this setup working with sender/receiver channels.
jefflowrey wrote:
Quote: |
The topology you should put in is to add a third qmgr that acts as a gateway qmgr. Then your external connections will go to that, and MQ clustering will loadbalance the work to the other qmgrs. |
The two queue managers I mentioned are gateways; there are more queue managers in this setup that they route to. I'm just trying to figure out how to get an SSL cert so our gateway queue managers can talk through the VIP with a queue manager that is 300 miles from us and that we have no control over. |