| Author |
Message
|
| PeterPotkay |
 Posted: Tue Mar 26, 2013 4:13 pm Post subject: Using the Listener's IP White List to prevent rogue QMs fro |
 |
|
Poobah
Joined: 15 May 2001
Posts: 7722
|
Using SSL (with SSLPEER) or a Security Exit on every CLUSRCVR channel in the cluster is the common way to secure the cluster, preventing any rogue QMs from introducing themselves to the cluster, preventing them from participating in the load balancing to legitimate QMs, or sending messages to legitimate QMs in the cluster.
Is there an easier, cheaper way that is better than doing nothing at all, but that actually accomplishes something?
Use Case
Small cluster (a dozen QMs)
A varied one (Windows, Linux, Solaris, z/OS).
Assume no open RCVR, RQSTR or SVRCONN channels on the QMs. Only MQ Clustering is being used and only QM to QM communications over cluster channels are intended.
All QMs are inside the corporate firewall, on servers in the same physical data center.
The varied platforms makes exits tricky, but not impossible.
No SSL expertise and no internal Certificate Authority ($$$ for certs)
A. Is the only way a QM can introduce itself into the cluster is by establishing a connection to one of the cluster’s Full Repositories’ CLUSRCVR channels?
B. If the answer to A. is yes, would getting the Full Repository MQ Listeners running with a white list of IP addresses that only included the partner Full Repository’s and the ten Partial Repository’s IP addresses accomplish this?
C. I assume a rogue QM could not talk directly to an open Partial Repository’s CLUSRCVR channel as the initial and only way of attempting to talk to that QM or that cluster, that it must go thru the FR’s CLUSRCVR to establish cluster membership, or any ability to send to any PR via the PR’s CLUSRCVRs. True?
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
 |
| exerk |
| Posted: Wed Mar 27, 2013 1:12 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
Depending on your WMQ version (assuming v7.1+ as you mention white-listing) the CHLAUTH capabilities should give you what you need, including MCAUSER mapping if necessary.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Mar 27, 2013 2:50 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| exerk wrote: |
| Depending on your WMQ version (assuming v7.1+ as you mention white-listing) the CHLAUTH capabilities should give you what you need, including MCAUSER mapping if necessary. |
Remember, first use a more generic channel name to refuse connection from qmgr *. Then whitelist the qmgrs in the cluster using the more specific channel name. You could also specify the ips of the qmgrs.
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Michael Dag |
| Posted: Wed Mar 27, 2013 2:58 am Post subject: |
|
|
Jedi Knight
Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)
|
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Mar 27, 2013 3:44 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
A british citizen making a baseball analogy? That's just not cricket. |
|
| Back to top |
|
|
| exerk |
| Posted: Wed Mar 27, 2013 3:47 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| mqjeff wrote: |
A british citizen making a baseball analogy? That's just not cricket. |
I think meneer Dag might take umbrage at being called British! Mind you, having heard lots of Hursley Brits say 'zee' instead of 'zed' I can understand that they may have picked up a few Americanisms...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Mar 27, 2013 4:00 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| exerk wrote: |
| mqjeff wrote: |
A british citizen making a baseball analogy? That's just not cricket. |
I think meneer Dag might take umbrage at being called British! Mind you, having heard lots of Hursley Brits say 'zee' instead of 'zed' I can understand that they may have picked up a few Americanisms... |
I would certainly agree with that, and I would certainly never even mistake him for a Belgian.
However, it was Morag who was making the analogy - and I'm reasonably sure she considers herself a British citizen. I accept that that may not be a properly nuanced description.... |
|
| Back to top |
|
|
| exerk |
| Posted: Wed Mar 27, 2013 4:03 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| mqjeff wrote: |
| exerk wrote: |
| mqjeff wrote: |
A british citizen making a baseball analogy? That's just not cricket. |
I think meneer Dag might take umbrage at being called British! Mind you, having heard lots of Hursley Brits say 'zee' instead of 'zed' I can understand that they may have picked up a few Americanisms... |
I would certainly agree with that, and I would certainly never even mistake him for a Belgian.
However, it was Morag who was making the analogy - and I'm reasonably sure she considers herself a British citizen. I accept that that may not be a properly nuanced description.... |
Precisely my point about the Hursleyites - as for Morag's citizenship (there is no such thing as a British citizen anyway, we're all Queen's subjects) the vote next year will decide 
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Mar 27, 2013 4:07 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| exerk wrote: |
| there is no such thing as a British citizen anyway, we're all Queen's subjects |
It is actually possible for an American to be polite sometimes. |
|
| Back to top |
|
|
| exerk |
| Posted: Wed Mar 27, 2013 4:10 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| mqjeff wrote: |
| exerk wrote: |
| there is no such thing as a British citizen anyway, we're all Queen's subjects |
It is actually possible for an American to be polite sometimes. |
No offence was meant or implied  - I don't mind being a subject (usually of derision!).
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Mar 27, 2013 4:54 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| mqjeff wrote: |
| exerk wrote: |
| there is no such thing as a British citizen anyway, we're all Queen's subjects |
It is actually possible for an American to be polite sometimes. |
As a fully qualified American I find it possible but very difficult.
It's a necessary evil to say "zee" not "zed" to aid communication. Just like making a call on a cell or a mobile, or driving stick. George Bernard Shaw - clever man.
Like anyone or anything called Bernard.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Mar 27, 2013 5:16 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| Vitor wrote: |
| mqjeff wrote: |
| exerk wrote: |
| there is no such thing as a British citizen anyway, we're all Queen's subjects |
It is actually possible for an American to be polite sometimes. |
As a fully qualified American I find it possible but very difficult. |
And *now* you understand what it means to be an American. |
|
| Back to top |
|
|
| rammer |
| Posted: Wed Mar 27, 2013 5:27 am Post subject: |
|
|
Partisan
Joined: 02 May 2002
Posts: 359
Location: England
|
| mqjeff wrote: |
| Vitor wrote: |
| mqjeff wrote: |
| exerk wrote: |
| there is no such thing as a British citizen anyway, we're all Queen's subjects |
It is actually possible for an American to be polite sometimes. |
As a fully qualified American I find it possible but very difficult. |
And *now* you understand what it means to be an American. |
And wish me luck I am marrying one next year! |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Mar 27, 2013 5:37 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| rammer wrote: |
| mqjeff wrote: |
| Vitor wrote: |
| mqjeff wrote: |
| exerk wrote: |
| there is no such thing as a British citizen anyway, we're all Queen's subjects |
It is actually possible for an American to be polite sometimes. |
As a fully qualified American I find it possible but very difficult. |
And *now* you understand what it means to be an American. |
And wish me luck I am marrying one next year! |
Run. While there's still time. Don't touch the Kool-Aid.....
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| lancelotlinc |
| Posted: Wed Mar 27, 2013 6:52 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA
|
| Vitor wrote: |
| rammer wrote: |
| mqjeff wrote: |
| Vitor wrote: |
| mqjeff wrote: |
| exerk wrote: |
| there is no such thing as a British citizen anyway, we're all Queen's subjects |
It is actually possible for an American to be polite sometimes. |
As a fully qualified American I find it possible but very difficult. |
And *now* you understand what it means to be an American. |
And wish me luck I am marrying one next year! |
Run. While there's still time. Don't touch the Kool-Aid..... |
Lenny Kravitz re-recorded American Woman ... stay away from me, ee. I find the lyrics to be true.
I married a Filipina whose Pinay culture works really well for me. Now, my food is cooked, my dishes are washed, my shirts are pressed, my house is cleaned, my laundry is done, and she is dressy when I come home from work.
No American woman will ever do that. I tried several of them.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
Last edited by lancelotlinc on Thu Mar 28, 2013 4:23 am; edited 1 time in total |
|
| Back to top |
|
|
|
|
