PeterPotkay
Posted: Mon May 20, 2013 12:15 pm
Post subject: CHLAUTH - Can they be used on CLUSRCVR in a mixed cluster
Poobah
Joined: 15 May 2001 Posts: 7722
If an MQ 7.5 Queue Manager wants to use CHLAUTH records for its Cluster Receiver, but there are some MQ 7.0.1 QMs in the cluster, is it OK?
I think so, but wanted to double check with y’all.
It’s the cluster receiver channel definition that is used as a template for creating the automatic cluster sender channel, and the channels themselves don’t know anything about CHLAUTH records, so we should be fine, yes? The 7.0.1 Queue Manager will not have to deal with anything it can’t handle when connecting to a 7.5 clustered queue manager, no matter how many CHLAUTH records that 7.5 QM has. It may be blocked by those CHLAUTH rules, understood. But if the rules specifically allow this QM it will be able to connect even though it's running at a version that does not know about CHLAUTH?
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
Posted: Mon May 20, 2013 8:07 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Fastest way... try it out and report back. Theory seems right... practice will tell!
_________________
MQ & Broker admin
mqjeff
Posted: Tue May 21, 2013 4:54 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
- I don't believe CHLAUTH records are shareable in the cluster, since they're "rules" and not "objects". This is also why you have to do horrendous things like "SET CHLAUTH ACTION(REPLACE)" instead of being able to sensibly ALTER them.
- Even if they were shareable in the cluster, they are only enforced on the qmgr they are defined on.
- If they were shareable in the cluster, that would make MQ into a distributed global security provider, which I suspect that nobody wants MQ to become, especially Hursley.
fjb_saper
Posted: Tue May 21, 2013 4:57 am
I don't think Peter was thinking along those lines.
I understood his request as pertaining uniquely to the FR cluster receiver channels so as to avoid having a rogue qmgr join the cluster.
_________________
MQ & Broker admin
mqjeff
Posted: Tue May 21, 2013 4:59 am
fjb_saper wrote:
> I don't think Peter was thinking along those lines.
> I understood his request as pertaining uniquely to the FR cluster receiver channels so as to avoid having a rogue qmgr join the cluster.

I think Peter was explicitly asking if the CHLAUTH rules defined on a 7.5 qmgr were enforced on a 7.0.1 qmgr.
The only way they could be made visible to a 7.0.1 qmgr is if they were shareable in a cluster, which they're not.
fjb_saper
Posted: Tue May 21, 2013 7:30 am
mqjeff wrote:
> I think Peter was explicitly asking if the CHLAUTH rules defined on a 7.5 qmgr were enforced on a 7.0.1 qmgr.
> The only way they could be made visible to a 7.0.1 qmgr is if they were shareable in a cluster, which they're not.

Enforced on -- I don't think so and Peter is clear about that.
Enforced against (set up on the 7.5 side and preventing the 7.0.1 to attach) is what I believe Peter was looking for.
_________________
MQ & Broker admin
mqjeff
Posted: Tue May 21, 2013 8:47 am
I still disagree.
I will await Peter's clarification.
Again, CHLAUTH rules are only applied or valid or meaningful or defined or exist or otherwise etc. etc. etc. on the queue manager that they are actually SET on.
A 7.0.1 qmgr will never know anything about any CHLAUTH rules. Any connections it makes may be modified, filtered, or denied because of CHLAUTH rules on the remote end, but the 7.0.1 qmgr will never know that it is because of a CHLAUTH rule. It will only know that it can't connect.
PeterPotkay
Posted: Tue May 21, 2013 10:37 am
mqjeff wrote:
> A 7.0.1 qmgr will never know anything about any CHLAUTH rules. Any connections it makes may be modified, filtered, or denied because of CHLAUTH rules on the remote end, but the 7.0.1 qmgr will never know that it is because of a CHLAUTH rule. It will only know that it can't connect.

This is what I was thinking.
I was wondering if a 7.5 QM on Server 1 had a very restrictive CHLAUTH rule against its CLUSRCVR channel that would block the wrong connections but was meant to allow a legitimate QM2 on Server2 to connect to it, would the connection succeed if Server2 was at MQ 7.0.1? Or would the connection fail simply because CHLAUTH was executing even though the connection was meant to succeed?
It looks like a CHLAUTH rule defined on QM1 would only execute on QM1, and the rejection / acceptance of that connection would be determined on QM1. Nothing in the automatic cluster sender channel on QM2 / Server 2 would know about the CHLAUTH rule(s) on QM1 / Server1, so there should be no issue with QM2 / Server 2 running on MQ 7.0.1. The connection from the 7.0.1 QM will be accepted / rejected on the QM2 / Server 2 side based on the CHLAUTH rules. In other words, it shouldn't matter what MQ version the incoming client or incoming QM connection is when it comes to CHLAUTH.
_________________
Peter Potkay
Keep Calm and MQ On
mqjeff
Posted: Tue May 21, 2013 11:02 am
PeterPotkay wrote:
> I was wondering if a 7.5 QM on Server 1 had a very restrictive CHLAUTH rule against its CLUSRCVR channel that would block the wrong connections but was meant to allow a legitimate QM2 on Server2 to connect to it, would the connection succeed if Server2 was at MQ 7.0.1? Or would the connection fail simply because CHLAUTH was executing even though the connection was meant to succeed?

Again, CHLAUTH rules are only applied at the queue manager that has defined them. I don't believe you can set up a CHLAUTH rule that knows what version of MQ the remote side is, although presumably one could fake it with SSLPEER and properly scoped DNs.

PeterPotkay wrote:
> It looks like a CHLAUTH rule defined on QM1 would only execute on QM1, and the rejection / acceptance of that connection would be determined on QM1. Nothing in the automatic cluster sender channel on QM2 / Server 2 would know about the CHLAUTH rule(s) on QM1 / Server1, so there should be no issue with QM2 / Server 2 running on MQ 7.0.1. The connection from the 7.0.1 QM will be accepted / rejected on the QM2 / Server 2 side based on the CHLAUTH rules. In other words, it shouldn't matter what MQ version the incoming client or incoming QM connection is when it comes to CHLAUTH.

Yes, exactly.
The CHLAUTH rule is only visible on the QM that defines it, and only executes against the information that is available on that side of the network connection. This may have something to do with Roger's assertions that they only "filter" and don't authorize or authenticate. But I'll leave that discussion for him and T-Rob to have or not have.
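
The setup the thread converges on, written out as MQSC for the receiving side. This is an added example, not something posted by the thread's participants: the channel name CLUSTER1.QM1 and the 192.0.2.x addresses are constructed placeholders, and QM1/QM2 follow the naming in Peter's post. Nothing is defined on the 7.0.1 queue manager.

```mqsc
* Added example. Run with runmqsc against QM1 (the MQ 7.5 queue manager) only.
* Assumed names: CLUSRCVR channel 'CLUSTER1.QM1'; QM2 connects from 192.0.2.20.

* CHLAUTH rules are evaluated by the queue manager that holds them.
ALTER QMGR CHLAUTH(ENABLED)

* 1. Default deny: no inbound partner may use the cluster receiver.
SET CHLAUTH('CLUSTER1.QM1') TYPE(ADDRESSMAP) +
    ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Default deny on cluster receiver') ACTION(REPLACE)

* 2. Allow QM2. The queue manager name is asserted by the remote end,
*    so the rule also pins the address QM2 is expected to connect from.
SET CHLAUTH('CLUSTER1.QM1') TYPE(QMGRMAP) +
    QMNAME('QM2') ADDRESS('192.0.2.20') USERSRC(CHANNEL) +
    DESCR('Allow QM2 (MQ 7.0.1) on Server2') ACTION(REPLACE)

* 3. Ask QM1 which rule it would apply, without starting any channel.
*    Expected match: the QMGRMAP record from step 2.
DISPLAY CHLAUTH('CLUSTER1.QM1') MATCH(RUNCHECK) +
    QMNAME('QM2') ADDRESS('192.0.2.20')

*    Same queue manager name from an unexpected address.
*    Expected match: the ADDRESSMAP NOACCESS record from step 1.
DISPLAY CHLAUTH('CLUSTER1.QM1') MATCH(RUNCHECK) +
    QMNAME('QM2') ADDRESS('192.0.2.99')
```

With a default-deny record on a CLUSRCVR, every legitimate cluster partner, full repositories included, needs its own allow record on QM1. The inputs the rules match on (address, asserted queue manager name, optionally SSLPEER) are all seen on QM1's side of the connection, which is why the MQ version of QM2 does not enter into the decision.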