pcelari (Chevalier; Joined: 31 Mar 2006; Posts: 411; Location: New York)
Posted: Wed Jan 11, 2017 6:42 am
Post subject: Ways for MQClient apps in the cloud to access internal qmgr
Hello,
We're planning to move an MQClient application to the cloud that must be allowed to access a qmgr inside the firewall. Our FW policy prevents direct connections from external networks to the MQ zone.
Would someone who has done similar projects share a best practice or two on how to properly and securely establish such a connection?
Is an MQIPT in the DMZ the best choice, or are there other possible solutions?
Thanks much.
_________________
pcelari
-----------------------------------------
- a master of always being a newbie

zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Wed Jan 11, 2017 6:45 am
I see no reason why an MQ client in a private cloud should not contact a QM directly.
Otherwise you will have to use some sort of gateway QM which is allowed to connect, and pass messages back and forth.
No different to what people have done in DMZ situations.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.

pcelari (Chevalier; Joined: 31 Mar 2006; Posts: 411; Location: New York)
Posted: Wed Jan 11, 2017 6:56 am
zpat wrote:
> I see no reason why an MQ client in a private cloud should not contact a QM directly.

No, it will be moved to a public cloud, and no gateway qmgr is permitted in the DMZ.
_________________
pcelari
-----------------------------------------
- a master of always being a newbie

Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Wed Jan 11, 2017 7:04 am
pcelari wrote:
> zpat wrote:
>> I see no reason why an MQ client in a private cloud should not contact a QM directly.
>
> No, it will be moved to a public cloud, and no gateway qmgr is permitted in the DMZ.

Then MQIPT sounds like your best option.
_________________
Honesty is the best policy.
Insanity is the best defence.

zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Wed Jan 11, 2017 7:13 am
DMZ was an analogy; you would need the gateway QM in the cloud.
If you are saying that only the inherently fragile HTTP protocols are allowed in or out, then I would say your public cloud is not fit for transactional use.
I don't know much about the MQIPT; I guess it is intended to overcome what seems an arbitrary and backward-looking restriction.
I would prefer a VPN connection into the public cloud. What does IBM offer with its MQ and IIB cloud service?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.

Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Wed Jan 11, 2017 7:35 am
zpat wrote:
> What does IBM offer with its MQ and IIB cloud service?

There's no guarantee that the cloud in this instance is an IBM one.
_________________
Honesty is the best policy.
Insanity is the best defence.

mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Wed Jan 11, 2017 7:59 am
If you're using IIB, you would have to make very specific changes to allow it to make MQ Client connections.
I don't know if you did any investigation into DataPower or not...
But DataPower certainly won't let you work with server->server channels.
_________________
chmod -R ugo-wx /

pcelari (Chevalier; Joined: 31 Mar 2006; Posts: 411; Location: New York)
Posted: Wed Jan 11, 2017 10:36 am
mqjeff wrote:
> I don't know if you did any investigation into DataPower or not...
> But DataPower certainly won't let you work with server->server channels.

I've just started learning DP, still wondering if it can serve as a client connection forwarder. I mean accepting a connection from an MQClient and forwarding it to qmgrs inside the FW. DP is supposed to serve as a secure gateway, right?
But there seems to be a lot to learn.
Many thanks for all the insight!
_________________
pcelari
-----------------------------------------
- a master of always being a newbie