Monk |
Posted: Tue Sep 01, 2009 8:34 pm Post subject: How can I control security within a single cluster? |
|
|
 Master
Joined: 21 Apr 2007 Posts: 282
|
Hi All,
How can I control security within a single cluster?
For e.g., I have one big cluster in which qmgrs of different parties participate.
Now since they are all in one big cluster, each party knows the cluster queues of the other party. Now this is fine, but I need to control authorization for each party's queues.
Is there any way to do this? _________________ Thimk |
|
Mr Butcher |
Posted: Tue Sep 01, 2009 9:23 pm Post subject: |
|
|
 Padawan
Joined: 23 May 2005 Posts: 1716
|
Yes, it is. How it can be done is described in the queue manager clusters manual, chapter "keep clusters secure" _________________ Regards, Butcher |
|
Monk |
Posted: Tue Sep 01, 2009 9:29 pm Post subject: |
|
|
 Master
Joined: 21 Apr 2007 Posts: 282
|
Mr Butcher,
I'm not able to find the relevant section.
Can you please point me to the relevant section? _________________ Thimk |
|
exerk |
Posted: Tue Sep 01, 2009 11:41 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Monk wrote: |
Mr Butcher,
I'm not able to find the relevant section.
Can you please point me to the relevant section? |
Go to the Info Centre and put "keep clusters secure" in the Search bar and click GO
...modern technology's a wonderful thing. If you need further help, I'll post a video on Youtube that shows you how.
Mr Butcher, my apologies if I stole your thunder  _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
Mr Butcher |
Posted: Tue Sep 01, 2009 11:56 pm Post subject: |
|
|
 Padawan
Joined: 23 May 2005 Posts: 1716
|
no problem at all. I think I already post too many RTFMs, but unfortunately, it seems like some people do not know what documentation is, and even if they know it exists they either are unable to handle it or they want other people to read it for them. too bad. life is short, and so are project budgets, but there should be enough time to read documentation. _________________ Regards, Butcher |
|
Monk |
Posted: Wed Sep 02, 2009 12:53 am Post subject: |
|
|
 Master
Joined: 21 Apr 2007 Posts: 282
|
Mr Butcher,
Following are the sections in the chapter.
Stopping unauthorized queue managers sending messages to your queue manager
> Does this mean that the unauthorized queue manager is not part of the cluster or is it part of the cluster?
If the sentence means that the queue manager is not part of the cluster, then this doesn't help.
I have all authorized queue managers in my cluster.
Stopping unauthorized queue managers putting messages on your queues
> Again, I have all authorized queue managers in my cluster.
Stopping your queue manager putting messages to remote queues
> I don't talk to remote queue managers or remote queues.
Preventing queue managers joining a cluster
I have a custom written autodef exit that does this for me.
Forcing unwanted queue managers to leave a cluster
> I do not want any queue managers to leave my clusters as of now.
Using SSL
Not really worried about SSL and certificates as of now, so no SSL.
Which of these sections helps me to prevent access to other parties' cluster queues?
I'm sorry if I am not able to understand the documentation.
Maybe the experts here can clear some doubts. _________________ Thimk |
|
Mr Butcher |
Posted: Wed Sep 02, 2009 12:58 am Post subject: |
|
|
 Padawan
Joined: 23 May 2005 Posts: 1716
|
do you think you will get knowledge by just reading headlines or single lines of documentation? read that whole chapter, and you will find what you need.
better - read the whole manual.
better - read all of the mq documentation _________________ Regards, Butcher |
|
Monk |
Posted: Wed Sep 02, 2009 1:01 am Post subject: |
|
|
 Master
Joined: 21 Apr 2007 Posts: 282
|
Mr Butcher,
I have read the entire chapter and even tried out a few things,
for e.g. the PUTAUT attribute; even that didn't solve my problem.
Anyway, I don't think MQ can do what I'm trying to do.
Maybe in newer versions. _________________ Thimk |
|
Mr Butcher |
Posted: Wed Sep 02, 2009 1:14 am Post subject: |
|
|
 Padawan
Joined: 23 May 2005 Posts: 1716
|
maybe i fail to understand your requirement, but what about these few lines?
Quote: |
It is possible to avoid the need to give general access to all cluster resources and +Put access to the transmit queue. You do this by defining alias or remote queue definitions on your machine which resolve to queues in the cluster, and giving the appropriate authority for access to these instead of the cluster transmit queue. For example, suppose there is a queue called Q1 in the clusters to which your queue manager CORK belongs. If you
    DEFINE QALIAS(Q1) TARGQ(Q1) DEFBIND(NOTFIXED)
and then
    setmqaut -m CORK -t qmgr -p GUEST +connect
    setmqaut -m CORK -t queue -n Q1 -p GUEST -all +put
The user GUEST would only be able to send messages to the cluster queue Q1.
Restricting access to your queues
Note that it is not possible to use the same technique for a queue manager alias, because this requires access to the underlying SYSTEM.CLUSTER.TRANSMIT.QUEUE queue. |
_________________ Regards, Butcher |
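The alias-queue technique from the quoted manual text, applied to an allow-list of users and queues, as an added example that is not part of the original posts or the IBM manual. The script only prints the commands; the queue manager, principal and queue names in the sample run are constructed, and the strict name-character check is an assumption of this example.

```shell
#!/bin/sh
# Added example: print (not execute) the alias-queue commands from the quoted
# manual text for an allow-list of "principal queue" pairs read from stdin.

gen_alias_acl() {
    qmgr=$1
    seen_p=" "
    seen_q=" "
    while read -r principal queue; do
        case $principal in ''|'#'*) continue ;; esac   # blank line or comment
        [ -n "$queue" ] || { echo "no queue for $principal" >&2; return 1; }
        # Assumption: accept only a strict subset of name characters so the
        # printed command lines cannot carry shell or MQSC metacharacters.
        case $principal$queue in
            *[!A-Za-z0-9._]*) echo "rejected: $principal $queue" >&2; return 1 ;;
        esac
        # One local alias per cluster queue, as in the quoted DEFINE.
        case $seen_q in *" $queue "*) ;; *)
            seen_q="$seen_q$queue "
            echo "echo 'DEFINE QALIAS($queue) TARGQ($queue) DEFBIND(NOTFIXED)' | runmqsc $qmgr" ;;
        esac
        # Once per principal: connect authority, plus a dspmqaut check to run
        # afterwards (it should list no put on the cluster transmit queue).
        case $seen_p in *" $principal "*) ;; *)
            seen_p="$seen_p$principal "
            echo "setmqaut -m $qmgr -t qmgr -p $principal +connect"
            echo "dspmqaut -m $qmgr -t queue -n SYSTEM.CLUSTER.TRANSMIT.QUEUE -p $principal" ;;
        esac
        # Put-only authority on the alias, nothing else.
        echo "setmqaut -m $qmgr -t queue -n $queue -p $principal -all +put"
    done
}

# Constructed sample run: APPUSER and PARTNER are hypothetical local users on QM3.
gen_alias_acl QM3 <<'EOF'
# principal  queue
APPUSER      QM1.CLQ
PARTNER      QM1.CLQ
EOF
```

These authorities apply to local principals on the queue manager where they are set; they do not change which cluster queues that queue manager can see.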
|
exerk |
Posted: Wed Sep 02, 2009 1:17 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
An unauthorised queue manager is any queue manager which you do not want joining your cluster. By definition, any queue manager which you have joined into your cluster, in a controlled manner, is authorised. Which part of '...Write a program that authenticates queue managers trying to send messages on your cluster-receiver channel and denies them access if they are not authorized...' did you not understand? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
Monk |
Posted: Wed Sep 02, 2009 1:25 am Post subject: |
|
|
 Master
Joined: 21 Apr 2007 Posts: 282
|
Sorry to tell you, Mr Butcher, but my requirements are completely different from what you're suggesting.
Let me make it more clear.
I have three queue managers QM1, QM2 and QM3 in a cluster MQSERIES.
Now I define a cluster queue QM1.CLQ on QM1, but I DO NOT want QM2 to access or even see QM1.CLQ, but QM3 should.
Is there any way to do this? _________________ Thimk |
|
exerk |
Posted: Wed Sep 02, 2009 1:32 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Monk wrote: |
...Now I define a cluster queue QM1.CLQ on QM1, but I DO NOT want QM2 to access or even see QM1.CLQ, but QM3 should.
Is there any way to do this? |
Not that I am aware of, but your requirements are not completely different from what Mr Butcher is suggesting, but you seem reluctant to take the advice. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
Monk |
Posted: Wed Sep 02, 2009 1:35 am Post subject: |
|
|
 Master
Joined: 21 Apr 2007 Posts: 282
|
How will creating alias queues and pointing them to cluster queues help my requirements?
QM2 can still see all the cluster queues locally defined on QM1, irrespective of creating alias queues?
Am I missing something here? _________________ Thimk |
|
Mr Butcher |
Posted: Wed Sep 02, 2009 1:40 am Post subject: |
|
|
 Padawan
Joined: 23 May 2005 Posts: 1716
|
if you do not want a cluster queue to be visible in cluster queue managers, do not define it as a cluster queue. In the beginning, you wrote that you want to control authorization to the queues, now it seems to me you are stuck in your cluster design. _________________ Regards, Butcher |
|
shashivarungupta |
Posted: Wed Sep 02, 2009 5:40 am Post subject: |
|
|
 Grand Master
Joined: 24 Feb 2009 Posts: 1343 Location: Floating in space on a round rock.
|
Monk wrote: |
I have three queue managers QM1, QM2 and QM3 in a cluster MQSERIES.
Now I define a cluster queue QM1.CLQ on QM1, but I DO NOT want QM2 to access or even see QM1.CLQ, but QM3 should.
|
Why do you want to put a queue manager in a cluster which would be in the cluster but won't be able to see the cluster (as you said)?
The statement is badly constructed, I believe.
I mean generally queue managers are being put in the cluster so that they can access the shared/clustered objects and can avail the advantages of the cluster facilities.
I agree with Mr Butcher and exerk, as your requirement definition has been changed over the discussion on the first req. definition. _________________ *Life will beat you down, you need to decide to fight back or leave it. |
|