mqwbiwf |
Posted: Tue Jan 06, 2009 10:05 am Post subject: MQ IPT - Security concerns |
|
|
Centurion
Joined: 21 Jul 2006 Posts: 126
|
Hi there,
We are planning to send critical client data across two different data centers. MQ IPT sounded like a good option to go with. We are planning to implement SSL, i.e. have the MQ IPT server SSL key certs stored at the client side as well, and make sure the MQ IPT config file is updated with the SSL certs info.
Our network team would take care of the security at the load balancer as well.
Here's an overview of our setup:
[DataCenter1] Application -> MQ IPT | <-----[data moves through internet]-----> | [DataCenter2] LoadBalancer -> MQ IPT -> MQ server
Just wanted to ask you if the setup that we have is secure enough to make sure there are no loopholes for harmful predators, or do you recommend any additional security measures that we can implement?
Appreciate your advice, guys. |
|
PeterPotkay |
Posted: Tue Jan 06, 2009 8:21 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Why do you want to use MQIPT versus SSL channels directly between the 2 QMs? In other words, what is your requirement that SSL channels alone cannot provide?
_________________
Peter Potkay
Keep Calm and MQ On |
|
fjb_saper |
Posted: Wed Jan 07, 2009 3:41 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
PeterPotkay wrote: |
Why do you want to use MQIPT versus SSL channels directly between the 2 QMs? In other words, what is your requirement that SSL channels alone cannot provide? |
Peter, one of the considerations that had us going the MQIPT route, was that none of the qmgrs was in the DMZ zone. Our MQIPT server is in the DMZ zone..., as well as certificate names etc...
_________________
MQ & Broker admin |
|
PeterPotkay |
Posted: Wed Jan 07, 2009 11:03 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
I'm trying to get mqwbiwf to tell us what his reason is, or to have him come to the conclusion that he doesn't need it.
_________________
Peter Potkay
Keep Calm and MQ On |
|
mqwbiwf |
Posted: Wed Jan 07, 2009 2:09 pm Post subject: |
|
|
Centurion
Joined: 21 Jul 2006 Posts: 126
|
We don't have a qmgr in data center 1 at all, just in data center 2.
So, planning to set up MQ IPT in datacenter 1 (acts as client).
MQ IPT in datacenter 2 (acts as server) which is in DMZ.
Application connects to a qmgr in datacenter 2 which is in SDMZ. |
|
mqwbiwf |
Posted: Mon Jan 12, 2009 8:15 pm Post subject: |
|
|
Centurion
Joined: 21 Jul 2006 Posts: 126
|
|
PhilBlake |
Posted: Tue Jan 13, 2009 6:29 am Post subject: |
|
|
 Acolyte
Joined: 25 Oct 2005 Posts: 64
|
mqwbiwf wrote: |
Any thoughts guys? |
One of the prime reasons for IPT is to remove the need to put a queue manager in the DMZ - so you're ok there.
Using IPT-SSL means you won't be able to identify the MQ client, as SSL authentication will be done between the 2 IPT servers, but then this may not be an issue for you.
Using MQ-SSL from the client means you *can* authenticate with the queue manager, but you will need to use the SSLProxyMode property on IPT - and if you're going across HTTP between the 2 IPTs, then you will need to use IPT v2. |
|
|
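An added example, not part of the thread and not IBM's own tooling: a small Python check that reads an mqipt.conf and reports, per route, which of the two modes described in the last reply is in effect. It assumes the MQIPT route properties SSLClient and SSLServer (not named in the thread) alongside SSLProxyMode, treats values in [global] as route defaults, and runs on a constructed sample with placeholder host names.

```python
# Added example: classify each route of an mqipt.conf by where SSL is applied.
# SAMPLE_CONF is constructed for illustration; host names are placeholders.
SAMPLE_CONF = """\
[global]
SSLClient=false
[route]
ListenerPort=1414
Destination=ipt.dc2.example
SSLClient=true
[route]
ListenerPort=1415
Destination=qmgr.dc2.example
SSLProxyMode=true
[route]
ListenerPort=1416
Destination=qmgr.dc2.example
"""

def parse_conf(text):
    """Return (global_props, routes). [route] repeats, so configparser cannot be used."""
    glob, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1].strip().lower() == "route":
                current = {}
                routes.append(current)
            else:
                current = glob
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return glob, routes

def classify(route, glob):
    def on(key):  # assumption: a route property set in [global] is the default
        return route.get(key, glob.get(key, "false")).lower() == "true"
    if on("sslproxymode"):
        return "mq-ssl-passthrough"  # client can authenticate with the queue manager
    if on("sslclient") or on("sslserver"):
        return "ipt-ssl"             # SSL is between the IPTs; MQ client not identified
    return "no-ssl"

def audit(text):
    """Map each route's ListenerPort to its SSL mode."""
    glob, routes = parse_conf(text)
    return {r.get("listenerport", "?"): classify(r, glob) for r in routes}
```

Calling `audit()` on the text of a real configuration file flags any route that comes back as `no-ssl` before it carries traffic over the internet link.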