Michael Dag
Posted: Thu Nov 17, 2011 8:41 am
Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
zpat wrote:
OK, I have just installed 7.1 on Windows (alongside 7016).
I created a 7.1 QM, when I try to connect to it from MQ explorer (7.1) - I get an AMQ4999 - Unexpected Error (2063). An unlisted error while retrieving PCF data.
Hmm, how do I open a command window against the 7.1 install? It would be nice to have a menu item for this (like we have for WMB versions).
I am sure it's all in the infocentre - but that didn't start up when I ran the start bat for it (or rather Internet Explorer did not open up).

Alongside WMQ 7.0.1.6 you can install, but there is no transparency from an application perspective; you need to open a command prompt, go to the installpath\bin directory and execute your command, i.e. strmqm or strmqcfg -i to reset the explorer.
_________________
Michael
MQSystems Facebook page
zpat
Posted: Thu Nov 17, 2011 9:10 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Hmm, had to sort out the MQ service id (why does MQ need a domain account anyway?) and delete the default channel access rule that was blocking client connections from my preferred tool (MO71).
zpat
Posted: Fri Nov 18, 2011 8:27 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Channel Authentication Records are neat - but they only allow IP numbers to be used, not DNS names.
Reminds me of unix cave dwellers using octal for permissions - not exactly memorable for normal people.
Anyway I must go and order that DVD from 72.21.211.176 ..... (www.amazon.com)
mqjeff
Posted: Fri Nov 18, 2011 8:41 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
It's much easier to spoof DNS records than it is to spoof IP addresses.
zpat
Posted: Fri Nov 18, 2011 9:36 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
It's like this.
I want to code a channel rule for MQ using a DNS name of an internal server to allow access.
When the QM initialises - it resolves the DNS name (using our internal DNS) and converts it to a number. End of story.
The incoming connections can be numbers, I don't care - as long as I can code a name, not a number, in the rules.
Now, if you are saying I can't trust my internal DNS repository then our entire IT infrastructure is not good.
I am quite happy to limit the trusted domains. But to force us to refer to internal systems as numbers is just antediluvian.
Last edited by zpat on Fri Nov 18, 2011 9:37 am; edited 1 time in total
fjb_saper
Posted: Fri Nov 18, 2011 9:37 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
zpat wrote:
Channel Authentication Records are neat - but they only allow IP numbers to be used, not DNS names.
Reminds me of unix cave dwellers using octal for permissions - not exactly memorable for normal people.
Anyway I must go and order that DVD from 72.21.211.176 ..... (www.amazon.com)

Wouldn't that be ::ffff:72.21.211.176, or ::72.21.211.176 depending on your IPv6 setup...
_________________
MQ & Broker admin
zpat
Posted: Fri Nov 18, 2011 9:39 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
My point exactly - use the name not the number. This is 2011, not 1977 (although Unix systems seem curiously vintage in many respects).
Even if it is some theoretical risk (in IBM land) - it's one we take for every other reference to another internal host, and one I am happy to take for this.
Are you saying all MQ connection strings should only use numbers as well? - get real!
Oh well, keep using BlockIP2 for a bit longer...
Aside from readability, it avoids changes when systems update their DNS entry for some reason. IP numbers should not be coded in rules or configurations (for internal references anyway).
But otherwise it's a great new feature and is welcome.
Last edited by zpat on Fri Nov 18, 2011 9:52 am; edited 1 time in total
fjb_saper
Posted: Fri Nov 18, 2011 9:52 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Think broader, not just IP change in DNS: think NATting across multiple segments of your distributed IP network, think routing changes, think MPLS cloud and VPN tunnels, etc...
_________________
MQ & Broker admin
zpat
Posted: Fri Nov 18, 2011 9:54 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
So you are saying every configurable reference to any other internal system, whether over http, odbc, jdbc, ftp, sftp, smtp, snmp, mq and all the rest should use IP numbers, not names?
I really can't express how much I disagree with that. We have to do regular DR roleswaps where production DNS names are updated with new IP numbers; it would be a nightmare to discover and change every IP number reference from the old to new value.
I am not talking about crossing networks here. But inside one domain.
fjb_saper
Posted: Fri Nov 18, 2011 10:00 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
zpat wrote:
So you are saying every configurable reference to any other internal system, whether over http, odbc, jdbc, ftp, sftp, smtp, snmp, mq and all the rest should use IP numbers, not names?
I really can't express how much I disagree with that. We have to do regular DR roleswaps where production DNS names are updated with new IP numbers; it would be a nightmare to discover and change every IP number reference from the old to new value.

On the contrary. What I am saying is that the numbers can change depending on external circumstances like NAT, routing etc... This is why it is important to be able to use the DNS name. This is why it is even more important to have both an internal & external DNS server, with the hope that any corruption on the internal one would be your network admin's doing (fat fingers of course!)
_________________
MQ & Broker admin
zpat
Posted: Fri Nov 18, 2011 10:05 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
But we can't use the DNS name in these channel rules... that's my point.
Having the choice would be nice. I just hate numbers - but then my memory is not what it used to be... I used to know all my credit card numbers.
fjb_saper
Posted: Fri Nov 18, 2011 10:08 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Open a request for enhancement!
_________________
MQ & Broker admin
zpat
Posted: Fri Nov 18, 2011 10:13 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Maybe they like to leave something for the next release.
However IBM are still the best software company in the universe though.
mqjeff
Posted: Fri Nov 18, 2011 10:16 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
zpat wrote:
But we can't use the DNS name in these channel rules... that's my point.

My point is that these are security rules, and you can't trust DNS names.
You can more reasonably trust IP addresses.
So from a security point of view, you don't want to configure a rule that's not trustworthy.
Toronto_MQ
Posted: Fri Nov 18, 2011 11:38 am
Master
Joined: 10 Jul 2002 Posts: 263 Location: read my name
mqjeff wrote:
zpat wrote:
But we can't use the DNS name in these channel rules... that's my point.

My point is that these are security rules, and you can't trust DNS names.
You can more reasonably trust IP addresses.
So from a security point of view, you don't want to configure a rule that's not trustworthy.

While your statement makes theoretical sense, it does not apply here.
Whether you code an IP or a DNS name on the CHLAUTH (assuming CHLAUTH will some day support DNS names), you're still being presented with an IP address by the incoming call. The difference is whether the CHLAUTH record matches the IP directly or does a call to our own internal DNS servers to resolve the name in the CHLAUTH record to see if it matches.
Assuming your organization has tight control over your DNS servers, this is no less secure than using an IP. If it doesn't, as zpat mentioned, you have bigger problems than MQ security.
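The behaviour Toronto_MQ describes (resolve the name in the rule once at queue manager start, then compare the literal address the incoming connection presents) and fjb_saper's point about IPv4-mapped IPv6 forms, as an added Python sketch; this is illustrative code, not IBM's CHLAUTH implementation. The INTERNAL_DNS table, the hostnames and the first-match rule order are constructed for the example, and because names are resolved only at load time, a DNS change (zpat's DR role swap) takes effect only when the rules are reloaded.

```python
import ipaddress
import re

# Constructed stand-in for the internal DNS servers the thread refers to;
# a real implementation would query them (socket.getaddrinfo) instead.
INTERNAL_DNS = {
    "appsrv01.example.internal": "10.20.30.40",
    "batch.example.internal": "10.20.31.7",
}

def normalise(addr):
    """Return the IPv4 dotted form of an incoming address, unwrapping ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)

def pattern_to_regex(pattern):
    """Translate an MQ-style address pattern (10.20.*.*, 10.20.30-31.*) into a regex."""
    parts = []
    for octet in pattern.split("."):
        if octet == "*":
            parts.append(r"\d{1,3}")
        elif "-" in octet:
            lo, hi = (int(x) for x in octet.split("-"))
            parts.append("(?:" + "|".join(str(n) for n in range(lo, hi + 1)) + ")")
        else:
            parts.append(re.escape(octet))
    return re.compile(r"^" + r"\.".join(parts) + r"$")

def load_rules(rules, resolver=INTERNAL_DNS):
    """Compile (entry, mcauser) rules; hostnames are resolved once, at 'queue manager start'."""
    compiled = []
    for entry, mcauser in rules:
        if re.fullmatch(r"[0-9.*-]+", entry):          # literal address or wildcard pattern
            compiled.append((entry, pattern_to_regex(entry), mcauser))
        else:                                           # hostname: resolve via internal DNS only
            resolved = resolver.get(entry)
            if resolved is None:
                raise ValueError(f"cannot resolve {entry} via internal DNS; refusing to load rule")
            compiled.append((entry, pattern_to_regex(resolved), mcauser))
    return compiled

def match_connection(compiled, addr):
    """Return the MCAUSER of the first rule matching the presented address, or None (blocked)."""
    ip = normalise(addr)
    for _, regex, mcauser in compiled:
        if regex.match(ip):
            return mcauser
    return None
```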