Using the Listener's IP White List to prevent rogue QMs fro
PeterPotkay
PostPosted: Tue Mar 26, 2013 4:13 pm    Post subject: Using the Listener's IP White List to prevent rogue QMs fro

Poobah

Joined: 15 May 2001
Posts: 7722

Using SSL (with SSLPEER) or a Security Exit on every CLUSRCVR channel in the cluster is the common way to secure the cluster, preventing any rogue QMs from introducing themselves to the cluster, preventing them from participating in the load balancing to legitimate QMs, or sending messages to legitimate QMs in the cluster.

Is there an easier, cheaper way that is better than doing nothing at all, but that actually accomplishes something?

Use Case
Small cluster (a dozen QMs)
A varied one (Windows, Linux, Solaris, z/OS).
Assume no open RCVR, RQSTR or SVRCONN channels on the QMs. Only MQ Clustering is being used and only QM to QM communications over cluster channels are intended.
All QMs are inside the corporate firewall, on servers in the same physical data center.
The varied platforms make exits tricky, but not impossible.
No SSL expertise and no internal Certificate Authority ($$$ for certs)


A. Is the only way a QM can introduce itself into the cluster by establishing a connection to one of the cluster's Full Repositories' CLUSRCVR channels?
B. If the answer to A. is yes, would getting the Full Repository MQ Listeners running with a white list of IP addresses that only included the partner Full Repository's and the ten Partial Repositories' IP addresses accomplish this?
C. I assume a rogue QM could not talk directly to an open Partial Repository's CLUSRCVR channel as the initial and only way of attempting to talk to that QM or that cluster, that it must go through the FR's CLUSRCVR to establish cluster membership, or any ability to send to any PR via the PR's CLUSRCVRs. True?
_________________
Peter Potkay
Keep Calm and MQ On
exerk
PostPosted: Wed Mar 27, 2013 1:12 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Depending on your WMQ version (assuming v7.1+ as you mention white-listing) the CHLAUTH capabilities should give you what you need, including MCAUSER mapping if necessary.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
PostPosted: Wed Mar 27, 2013 2:50 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

exerk wrote:
Depending on your WMQ version (assuming v7.1+ as you mention white-listing) the CHLAUTH capabilities should give you what you need, including MCAUSER mapping if necessary.


Remember, first use a more generic channel name to refuse connection from qmgr *. Then whitelist the qmgrs in the cluster using the more specific channel name. You could also specify the IPs of the qmgrs.

Have fun
_________________
MQ & Broker admin
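The back-stop-then-whitelist sequence described above, written out as MQSC for one queue manager. This is an added example, not from the thread or from IBM's documentation; the queue manager names QMFR1, QMFR2, QMPR1 and QMPR2, the channel names TO.QMFR1 and TO.*, the address range 10.1.2.* and the MCAUSER mqclus are constructed placeholders, and the rules are assumed to be applied on every queue manager in the cluster with its own CLUSRCVR name substituted.

```mqsc
* Added example (not from the thread). Constructed names: this queue manager's
* CLUSRCVR is TO.QMFR1; its partner full repository is QMFR2 and the partial
* repositories are QMPR1, QMPR2, ...; all cluster members live in 10.1.2.*.
* Run the equivalent on every queue manager in the cluster, FR and PR alike,
* substituting that queue manager's own CLUSRCVR name.

* Make sure channel authentication records are actually enforced (queue
* managers migrated from pre-7.1 releases may have this disabled).
ALTER QMGR CHLAUTH(ENABLED)

* 1. Back-stop: the generic channel profile TO.* refuses every queue manager.
*    A more specific channel profile below takes precedence over this one,
*    so anything not explicitly listed ends up here and is rejected.
SET CHLAUTH('TO.*') TYPE(QMGRMAP) QMNAME('*') USERSRC(NOACCESS) ACTION(REPLACE)

* 2. Whitelist on the specific channel name: one rule per legitimate partner,
*    pinned to the address range the cluster lives in. The queue manager name
*    is whatever the connecting partner asserts at channel start and is not
*    authenticated without TLS, so the ADDRESS filter does the real
*    restricting here. USERSRC(MAP) runs the channel as a low-privilege
*    MCAUSER rather than the MCA's default identity.
SET CHLAUTH('TO.QMFR1') TYPE(QMGRMAP) QMNAME('QMFR2') ADDRESS('10.1.2.*') USERSRC(MAP) MCAUSER('mqclus') ACTION(REPLACE)
SET CHLAUTH('TO.QMFR1') TYPE(QMGRMAP) QMNAME('QMPR1') ADDRESS('10.1.2.*') USERSRC(MAP) MCAUSER('mqclus') ACTION(REPLACE)
SET CHLAUTH('TO.QMFR1') TYPE(QMGRMAP) QMNAME('QMPR2') ADDRESS('10.1.2.*') USERSRC(MAP) MCAUSER('mqclus') ACTION(REPLACE)

* 3. Verify before relying on it. MATCH(RUNCHECK) reports which rule a given
*    inbound connection would hit: an unknown queue manager from an unknown
*    address should match the TO.* back-stop, a listed partner from inside
*    10.1.2.* should match its own TO.QMFR1 rule.
DISPLAY CHLAUTH('TO.QMFR1') MATCH(RUNCHECK) QMNAME('ROGUEQM') ADDRESS('192.168.9.9')
DISPLAY CHLAUTH('TO.QMFR1') MATCH(RUNCHECK) QMNAME('QMPR1') ADDRESS('10.1.2.15')
```

Rejected connections surface on the receiving queue manager as AMQ9777-style channel authentication errors in its error log, which is where to look when a legitimate member is unexpectedly blocked.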
Michael Dag
PostPosted: Wed Mar 27, 2013 2:58 am

Jedi Knight

Joined: 13 Jun 2002
Posts: 2607
Location: The Netherlands (Amsterdam)

fjb_saper wrote:
exerk wrote:
Depending on your WMQ version (assuming v7.1+ as you mention white-listing) the CHLAUTH capabilities should give you what you need, including MCAUSER mapping if necessary.


Remember, first use a more generic channel name to refuse connection from qmgr *. Then whitelist the qmgrs in the cluster using the more specific channel name. You could also specify the IPs of the qmgrs.

Have fun


Back-stop first indeed!
https://www.ibm.com/developerworks/mydeveloperworks/blogs/aimsupport/entry/websphere_mq_chlauth_the_back_stop_rule?lang=en
_________________
Michael



MQSystems Facebook page
mqjeff
PostPosted: Wed Mar 27, 2013 3:44 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Michael Dag wrote:
fjb_saper wrote:
exerk wrote:
Depending on your WMQ version (assuming v7.1+ as you mention white-listing) the CHLAUTH capabilities should give you what you need, including MCAUSER mapping if necessary.


Remember, first use a more generic channel name to refuse connection from qmgr *. Then whitelist the qmgrs in the cluster using the more specific channel name. You could also specify the IPs of the qmgrs.

Have fun


Back-stop first indeed!
https://www.ibm.com/developerworks/mydeveloperworks/blogs/aimsupport/entry/websphere_mq_chlauth_the_back_stop_rule?lang=en


A British citizen making a baseball analogy? That's just not cricket.
exerk
PostPosted: Wed Mar 27, 2013 3:47 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

mqjeff wrote:
Michael Dag wrote:
fjb_saper wrote:
exerk wrote:
Depending on your WMQ version (assuming v7.1+ as you mention white-listing) the CHLAUTH capabilities should give you what you need, including MCAUSER mapping if necessary.


Remember, first use a more generic channel name to refuse connection from qmgr *. Then whitelist the qmgrs in the cluster using the more specific channel name. You could also specify the IPs of the qmgrs.

Have fun


Back-stop first indeed!
https://www.ibm.com/developerworks/mydeveloperworks/blogs/aimsupport/entry/websphere_mq_chlauth_the_back_stop_rule?lang=en


A British citizen making a baseball analogy? That's just not cricket.

I think meneer Dag might take umbrage at being called British! Mind you, having heard lots of Hursley Brits say 'zee' instead of 'zed' I can understand that they may have picked up a few Americanisms...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqjeff
PostPosted: Wed Mar 27, 2013 4:00 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

exerk wrote:
mqjeff wrote:
Michael Dag wrote:

Back-stop first indeed!
https://www.ibm.com/developerworks/mydeveloperworks/blogs/aimsupport/entry/websphere_mq_chlauth_the_back_stop_rule?lang=en


A British citizen making a baseball analogy? That's just not cricket.

I think meneer Dag might take umbrage at being called British! Mind you, having heard lots of Hursley Brits say 'zee' instead of 'zed' I can understand that they may have picked up a few Americanisms...


I would certainly agree with that, and I would certainly never even mistake him for a Belgian.

However, it was Morag who was making the analogy - and I'm reasonably sure she considers herself a British citizen. I accept that that may not be a properly nuanced description....
exerk
PostPosted: Wed Mar 27, 2013 4:03 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

mqjeff wrote:
exerk wrote:
mqjeff wrote:
Michael Dag wrote:

Back-stop first indeed!
https://www.ibm.com/developerworks/mydeveloperworks/blogs/aimsupport/entry/websphere_mq_chlauth_the_back_stop_rule?lang=en


A British citizen making a baseball analogy? That's just not cricket.

I think meneer Dag might take umbrage at being called British! Mind you, having heard lots of Hursley Brits say 'zee' instead of 'zed' I can understand that they may have picked up a few Americanisms...


I would certainly agree with that, and I would certainly never even mistake him for a Belgian.

However, it was Morag who was making the analogy - and I'm reasonably sure she considers herself a British citizen. I accept that that may not be a properly nuanced description....

Precisely my point about the Hursleyites - as for Morag's citizenship (there is no such thing as a British citizen anyway, we're all Queen's subjects), the vote next year will decide.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqjeff
PostPosted: Wed Mar 27, 2013 4:07 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

exerk wrote:
there is no such thing as a British citizen anyway, we're all Queen's subjects


It is actually possible for an American to be polite sometimes.
exerk
PostPosted: Wed Mar 27, 2013 4:10 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

mqjeff wrote:
exerk wrote:
there is no such thing as a British citizen anyway, we're all Queen's subjects


It is actually possible for an American to be polite sometimes.

No offence was meant or implied - I don't mind being a subject (usually of derision!).
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Vitor
PostPosted: Wed Mar 27, 2013 4:54 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mqjeff wrote:
exerk wrote:
there is no such thing as a British citizen anyway, we're all Queen's subjects


It is actually possible for an American to be polite sometimes.


As a fully qualified American I find it possible but very difficult.

It's a necessary evil to say "zee" not "zed" to aid communication. Just like making a call on a cell or a mobile, or driving stick. George Bernard Shaw - clever man.

Like anyone or anything called Bernard.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
PostPosted: Wed Mar 27, 2013 5:16 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Vitor wrote:
mqjeff wrote:
exerk wrote:
there is no such thing as a British citizen anyway, we're all Queen's subjects


It is actually possible for an American to be polite sometimes.


As a fully qualified American I find it possible but very difficult.


And *now* you understand what it means to be an American.
rammer
PostPosted: Wed Mar 27, 2013 5:27 am

Partisan

Joined: 02 May 2002
Posts: 359
Location: England

mqjeff wrote:
Vitor wrote:
mqjeff wrote:
exerk wrote:
there is no such thing as a British citizen anyway, we're all Queen's subjects


It is actually possible for an American to be polite sometimes.


As a fully qualified American I find it possible but very difficult.


And *now* you understand what it means to be an American.


And wish me luck, I am marrying one next year!
Vitor
PostPosted: Wed Mar 27, 2013 5:37 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

rammer wrote:
mqjeff wrote:
Vitor wrote:
mqjeff wrote:
exerk wrote:
there is no such thing as a British citizen anyway, we're all Queen's subjects


It is actually possible for an American to be polite sometimes.


As a fully qualified American I find it possible but very difficult.


And *now* you understand what it means to be an American.


And wish me luck, I am marrying one next year!


Run. While there's still time. Don't touch the Kool-Aid.....
_________________
Honesty is the best policy.
Insanity is the best defence.
lancelotlinc
PostPosted: Wed Mar 27, 2013 6:52 am

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

Vitor wrote:
rammer wrote:
mqjeff wrote:
Vitor wrote:
mqjeff wrote:
exerk wrote:
there is no such thing as a British citizen anyway, we're all Queen's subjects


It is actually possible for an American to be polite sometimes.


As a fully qualified American I find it possible but very difficult.


And *now* you understand what it means to be an American.


And wish me luck, I am marrying one next year!


Run. While there's still time. Don't touch the Kool-Aid.....


Lenny Kravitz re-recorded American Woman ... stay away from me, ee. I find the lyrics to be true.

I married a Filipina whose Pinay culture works really well for me. Now, my food is cooked, my dishes are washed, my shirts are pressed, my house is cleaned, my laundry is done, and she is dressy when I come home from work.

No American woman will ever do that. I tried several of them.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER


Last edited by lancelotlinc on Thu Mar 28, 2013 4:23 am; edited 1 time in total