bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Wed Apr 15, 2009 10:10 am
Adding SSL (or any security) to only one of your channels (meaning not all) is like locking the front door but leaving the back door open.
If one of your channel ends is not secured, then someone can hack into the other end of the unsecured channel and traverse from your unsecured channel through the SSL-secured channels.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Wed Apr 15, 2009 10:12 am
bruce2359 wrote:
> Adding SSL (or any security) to only one of your channels (meaning not all) is like locking the front door but leaving the back door open.

Did I say anything about "some" channels?
dzifchock (Apprentice; Joined: 21 Feb 2007; Posts: 41)
Posted: Wed Apr 15, 2009 10:14 am
We are talking about 14-16 qmgrs, not all belonging to the same cluster; each cluster has between 4-5 qmgrs. The different clusters do not communicate with each other.
All FRs are on Linux/Unix, the PRs are on Windows. I do have SSL set up amongst the clusters, so that may be the way to go...
I think I'm still confused about the whole clusrcvr thing. If the manually defined clusrcvr is only used to join the cluster and nothing else, why is it that when I set up an exit to only allow connections from specific machines (on the manually defined cluster receiver channel) I still run into the whole issue that a CHAD exit would fix, i.e. looking for the security exit on the sender side? If I run "display channels(*) all" or "display clusqmgr(qmgr) all" I still only see 1 clusrcvr. Sorry if I'm not getting the point here...
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Wed Apr 15, 2009 10:18 am
The manually defined channels are only started in and of themselves once.
The definition of the manually defined channel is used as the model for the autodefined channels.
bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Wed Apr 15, 2009 11:06 am
mqjeff wrote:
> Did I say anything about "some" channels?

You didn't. I wanted to make clear that securing one channel and leaving the others unsecured isn't a good solution.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
dzifchock (Apprentice; Joined: 21 Feb 2007; Posts: 41)
Posted: Thu Apr 16, 2009 10:41 am
Thank you all for the responses. Looks like the SSLPEER option is the way I will go to stop qmgrs from joining the cluster, and I'll just keep using BlockIP2 to stop applications from connecting to the qmgrs.
exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Thu Apr 16, 2009 2:01 pm
As regards the cluster aspect, have a look here for a tip, or two.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Monk (Master; Joined: 21 Apr 2007; Posts: 282)
Posted: Mon May 18, 2009 3:01 am
You can write an auto defn exit and design the exit in such a way as to allow only the qmgrs defined in, say, a file or a database.
The auto defn exit will read the queue manager name and IP address from a file and allow only these to connect to your qmgr.
This is one way of securing your cluster.
The other one:
write a security exit which will dynamically change the MCA id on the cluster receiver channel and set appropriate permission for the user on S.C.C.Q.
However I would not tread this path...
_________________
Thimk
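A stand-alone sketch of the allowlist check such an auto-definition exit would make, added here as an example; it is not code from this thread or from IBM MQ. It assumes the exit has already copied the remote queue manager name and the CONNAME out of MQ's blank-padded structures (the exact field names depend on the exit type and are not shown) and that the real entry point uses the 0/1 result to suppress or permit the auto-definition; the allowlist text is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Copy an MQ blank-padded, fixed-length character field (MQCD fields are
 * not NUL-terminated) into a C string, dropping trailing blanks. */
void mq_field_to_cstr(const char *field, size_t len, char *out, size_t outsz)
{
    size_t n = len;
    while (n > 0 && (field[n - 1] == ' ' || field[n - 1] == '\0'))
        n--;
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, field, n);
    out[n] = '\0';
}

/* 'allowlist' holds one "QMGRNAME ADDRESS" pair per line ('#' = comment);
 * 'conname' is an MQ CONNAME such as "10.1.2.3(1414)", of which only the
 * host part is compared. Returns 1 to permit the auto-definition, 0 to
 * suppress it; anything unknown or unparseable is denied (fail closed).
 * The text is passed in memory on purpose: load the file once when the exit
 * is initialised rather than hitting a file or database on every channel start. */
int allowlist_permits(const char *allowlist, const char *qmgr, const char *conname)
{
    char host[265], line[512], name[49], addr[265];
    const char *paren = strchr(conname, '(');
    size_t hlen = paren ? (size_t)(paren - conname) : strlen(conname);
    if (hlen == 0 || hlen >= sizeof host)
        return 0;
    memcpy(host, conname, hlen);
    host[hlen] = '\0';
    for (const char *p = allowlist; *p != '\0'; ) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
        if (linelen < sizeof line) {
            memcpy(line, p, linelen);
            line[linelen] = '\0';
            if (sscanf(line, "%48s %264s", name, addr) == 2 && name[0] != '#'
                && strcmp(name, qmgr) == 0 && strcmp(addr, host) == 0)
                return 1;
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Constructed sample allowlist (not from the thread) for a stand-alone check. */
const char *SAMPLE_ALLOWLIST = "# qmgr   address\nQMFR1    10.1.2.3\nQMFR2    10.1.2.4\n";
```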
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Mon May 18, 2009 3:18 am
Monk wrote:
> you can write a auto defn exit and design the exit in such a way as to allow only the qmgrs defined in say a file or a database.

And if the file or database is inaccessible or slow, your cluster is unusable!
You also should not assume that other posters have your skill with exits (which are an advanced topic) or your gung-ho attitude to using them.
_________________
Honesty is the best policy.
Insanity is the best defence.
Monk (Master; Joined: 21 Apr 2007; Posts: 282)
Posted: Mon May 18, 2009 3:21 am
Vitor wrote:
> You also should not assume that other posters have your skill with exits (which are an advanced topic) or your gung-ho attitude to using them.

What is advanced in using exits... it's just C code...
If you can understand C code and know C, you already know exits...
_________________
Thimk
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Mon May 18, 2009 3:24 am
Monk wrote:
> if u can understand C code..and know C , u already know exits...

And if you don't know C code well, at best you'll cripple the queue manager, at worst you'll bring it down.
_________________
Honesty is the best policy.
Insanity is the best defence.
Monk (Master; Joined: 21 Apr 2007; Posts: 282)
Posted: Mon May 18, 2009 3:27 am
Vitor wrote:
> And if you don't know C code well, at best you'll cripple the queue manager, at worst you'll bring it down.

Well, then you MUST know C...
_________________
Thimk
exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Mon May 18, 2009 3:31 am
Monk wrote:
> What is advanced in using exits...its just C code...
> if u can understand C code..and know C , u already know exits...

I really, really wouldn't want you as my doctor.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Monk (Master; Joined: 21 Apr 2007; Posts: 282)
Posted: Mon May 18, 2009 3:34 am
exerk wrote:
> I really, really wouldn't want you as my doctor

That is true... I would never operate on a Grand Master.
_________________
Thimk
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Mon May 18, 2009 3:48 am
Monk wrote:
> Vitor wrote:
> > And if you don't know C code well, at best you'll cripple the queue manager, at worst you'll bring it down.
> Well , then you MUST know C...

If you mean you must know C to write an exit, then yes, you must.
If you mean I must know C, then I do, and I still avoid exits like the plague. There are very few instances (except security) where you really can't get round using an exit; if you must use an exit, buy a commercial one with support (in case this super-coder leaves the site and you have to maintain it) and don't make external calls!
_________________
Honesty is the best policy.
Insanity is the best defence.