MQSeries.net Forum Index » Clustering » I have a real cluster F*
I have a real cluster F*
smeunier
Posted: Fri May 26, 2017 10:51 am    Post subject: I have a real cluster F*

I have either created a monster or it is soon to be that. I have clustered in a queue manager in a DMZ as a gateway for queue managers (2) in another network. While the clustering works perfectly, and I get the desired effect of load balancing to the two queue managers, it is time to add some SSL since we are crossing company networks.
Code:

    QMGRA (in DMZ, partial repo)  |  QMGRB (FR)
                                  |
                                  |  QMGRC (FR)


I need to have cluster channels be SSL into and out of the DMZ, but the FR cluster channels do not need to be SSL as they are in the same network and just sync the FRs. I have taken care of the DMZ channels and have SSL applied to them, but have not a clue how to address the QMGRs that are the FRs and the auto-defined channels back to the DMZ and add SSL to them. This is a total mental block for me. Can someone clear the fog on how I might do this?
fjb_saper
Posted: Sat May 27, 2017 7:55 am    Post subject: Re: I have a real cluster F*

smeunier wrote:
I have either created a monster or it is soon to be that. I have clustered in a queue manager in a DMZ as a gateway for queue managers (2) in another network. While the clustering works perfectly, and I get the desired effect of load balancing to the two queue managers, it is time to add some SSL since we are crossing company networks.
Code:

    QMGRA (in DMZ, partial repo)  |  QMGRB (FR)
                                  |
                                  |  QMGRC (FR)


I need to have cluster channels be SSL into and out of the DMZ, but the FR cluster channels do not need to be SSL as they are in the same network and just sync the FRs. I have taken care of the DMZ channels and have SSL applied to them, but have not a clue how to address the QMGRs that are the FRs and the auto-defined channels back to the DMZ and add SSL to them. This is a total mental block for me. Can someone clear the fog on how I might do this?


You'd need 2 different cluster receivers. The easiest would probably be to have overlapping clusters: one cluster with the gateway and the qmgrs it talks to, all with SSL, and then the internal cluster without SSL.

You could also define all in a single cluster with 2 cluster receivers (SSL and non-SSL) and block the DMZ queue manager from using the non-SSL channels with channel authentication records...

Depending on the number of queue managers in your cluster, I'd lean towards one or the other solution. (big number, use overlapping clusters)...

Have fun
bruce2359
Posted: Sat May 27, 2017 10:17 am    Post subject: Re: I have a real cluster F*

smeunier wrote:
I have clustered in a queue manager in a DMZ as a gateway for Queue Managers(2) in another network.

Does the qmgr in the DMZ necessarily need to be part of the cluster? You might want to consider a non-cluster qmgr in the DMZ with SENDER-RECEIVER channels to/from a cluster qmgr inside the firewall, and let it do the workload distribution.
gbaddeley
Posted: Sun May 28, 2017 5:03 pm

Quote:
clustered in a queue manager in a DMZ as a gateway for Queue Managers(2) in another network

It's not recommended to use MQ clustering across multiple networks, as theoretically every qmgr in the cluster needs to be connectable to every other qmgr, using the host(port) and SSL settings in the predefined cluster receiver channels. This could also create security loopholes.

If MQ cluster features are required to external qmgrs, use a separate cluster that only involves the gateway qmgr. Use overlapping clusters to link the gateway qmgr to other internal qmgrs.
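
The overlapping-cluster layout that fjb_saper's first option and gbaddeley's reply both describe, written out in MQSC as an added example; it is not code from any post in this thread and not taken from IBM's documentation. The cluster names EXTCLUS and INTCLUS, the channel names, host names, the internal address range 10.20.*, the queue APP.IN, the cipher spec and the certificate DN are all assumptions made for the example. The CHLAUTH fence on the plain receiver is the same kind of record fjb_saper's single-cluster, two-receiver variant relies on.

```mqsc
* Added example, not from the thread. Two overlapping clusters for the
* topology in the first post:
*   EXTCLUS  QMGRA (DMZ gateway, partial repository) + QMGRB, QMGRC (full
*            repositories); TLS on every channel
*   INTCLUS  QMGRB + QMGRC only; plain channels
* Cluster names, channel names, host names, cipher spec, DN, queue name and
* address range are assumptions made for this example.

* ---- QMGRB (run the mirror image on QMGRC with B and C swapped) ----
* Full repository for both clusters. REPOS and REPOSNL are mutually
* exclusive, so the namelist replaces the single-cluster REPOS setting.
DEFINE NAMELIST(CLUSTER.NL) NAMES(EXTCLUS, INTCLUS) REPLACE
ALTER QMGR REPOS(' ') REPOSNL(CLUSTER.NL)

* TLS cluster receiver shared with the DMZ. The auto-defined cluster-sender
* channels on every other member are built from this definition, so SSLCIPH
* and SSLPEER set here are applied in both directions: the SSLPEER value has
* to match the certificate of every queue manager in EXTCLUS, QMGRB's own
* included, which is why it names only the common part of the DN.
DEFINE CHANNEL(TO.QMGRB.EXT) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('qmgrb.corp.example(1414)') CLUSTER(EXTCLUS) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) +
       SSLPEER('OU=MQ,O=Example Corp,C=US') +
       DESCR('TLS cluster receiver, reachable from the DMZ') REPLACE

* Plain cluster receiver for the internal cluster only.
DEFINE CHANNEL(TO.QMGRB.INT) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('qmgrb.corp.example(1414)') CLUSTER(INTCLUS) +
       DESCR('plain cluster receiver, internal network only') REPLACE

* Fence the plain receiver so the DMZ host cannot use it even if someone
* points a channel at it: deny every address, then allow the internal range.
* ADDRESS is the address of the connecting partner.
SET CHLAUTH(TO.QMGRB.INT) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('deny unless a more specific rule matches') ACTION(REPLACE)
SET CHLAUTH(TO.QMGRB.INT) TYPE(ADDRESSMAP) ADDRESS('10.20.*') +
    USERSRC(CHANNEL) DESCR('internal network only') ACTION(ADD)

* Manual cluster-sender channels to the other full repository, one per
* cluster. SSLCIPH must match the target cluster receiver exactly.
DEFINE CHANNEL(TO.QMGRC.EXT) CHLTYPE(CLUSSDR) TRPTYPE(TCP) +
       CONNAME('qmgrc.corp.example(1414)') CLUSTER(EXTCLUS) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) REPLACE
DEFINE CHANNEL(TO.QMGRC.INT) CHLTYPE(CLUSSDR) TRPTYPE(TCP) +
       CONNAME('qmgrc.corp.example(1414)') CLUSTER(INTCLUS) REPLACE

* The queue the gateway load-balances across B and C has to be advertised in
* the cluster the gateway belongs to, not in the internal one.
DEFINE QLOCAL(APP.IN) CLUSTER(EXTCLUS) DEFBIND(NOTFIXED) REPLACE

* ---- QMGRA (DMZ, partial repository, member of EXTCLUS only) ----
DEFINE CHANNEL(TO.QMGRA.EXT) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('qmgra.dmz.example(1414)') CLUSTER(EXTCLUS) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED) +
       SSLPEER('OU=MQ,O=Example Corp,C=US') REPLACE
DEFINE CHANNEL(TO.QMGRB.EXT) CHLTYPE(CLUSSDR) TRPTYPE(TCP) +
       CONNAME('qmgrb.corp.example(1414)') CLUSTER(EXTCLUS) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) REPLACE

* On each queue manager, after its key repository is in place: pick the
* repository up, then check which channel and cipher each member actually
* uses (DEFTYPE shows which senders were auto-defined).
REFRESH SECURITY TYPE(SSL)
DISPLAY CLUSQMGR(*) CLUSTER(EXTCLUS) CHANNEL SSLCIPH SSLPEER DEFTYPE
```

Two things to keep in mind with this layout. A queue manager needs a separate cluster receiver for each cluster whose security settings differ, so the channel names carry the cluster name. And because QMGRB and QMGRC are full repositories for EXTCLUS as well, their repository traffic for that cluster runs over the TLS channel; only INTCLUS traffic stays in the clear, which is the closest this layout gets to the "FR channels without SSL" in the original post. Which cipher specs are available depends on the queue manager version; the one used here is an assumption.
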
smeunier
Posted: Tue May 30, 2017 1:06 pm

Thanks to those who replied.

Using a gateway queue manager outside of the DMZ would have been ideal, if cost constraints and physical resources were not an issue. Using a multi-instance queue manager implementation would have been a great solution also, but the lack of an NFS appliance (again, cost constraints) has led to this hokey but adaptable solution.

In the end, I created parallel SSL channels alongside the non-SSL channels, migrated the current traffic to the SSL channels, and applied SSL to the receivers first and then to the senders. This seems to be working, and the FR reports the appropriate information about the auto channels with regard to the SSL parameters.

The only problem was that the SSLPEER information was being rejected (DN), which did not make sense, since I also have non-clustered SSL channels using the same parameters just fine. I resolved this by removing the SSLPEER information and letting it default to the certificate DN (I have read that if the SSLPEER is blank it will pull it from the certificate itself); this worked.
fjb_saper
Posted: Tue May 30, 2017 8:11 pm

This is not good, as now any cert signed by any of the signers in your chain is allowed...

What you should do is use a common DN. Don't worry about the CN; it would be different for each queue manager. However, if the rest of the DN is the same, you can then use SSLPEER to limit who can talk to you in the cluster.

If you do have to allow everybody (i.e. SSLPEER blank on the channel) make sure you have the corresponding chlauth records restricting the certificates by DN and Issuer DN...

Have fun
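
Both of fjb_saper's suggestions in the post above, a common DN suffix in SSLPEER and, for a blank SSLPEER, CHLAUTH records that restrict by subject DN and issuer DN, written out in MQSC as an added example. This is not code from any post in the thread or from IBM's documentation. The channel name TO.QMGRB.EXT, the certificate subjects and the issuing CA's DN, and the DMZ address 192.0.2.10 are assumptions made for the example; SSLCERTI needs IBM MQ 8.0 or later.

```mqsc
* Added example, not from the thread. Certificates assumed for it:
*   QMGRA  CN=QMGRA,OU=MQ,O=Example Corp,C=US
*   QMGRB  CN=QMGRB,OU=MQ,O=Example Corp,C=US
*   QMGRC  CN=QMGRC,OU=MQ,O=Example Corp,C=US
* all issued by  CN=Example Corp Issuing CA,O=Example Corp,C=US
* Channel name, DNs and the DMZ address are assumptions.

* Option 1: keep SSLPEER on the cluster receiver, but match only the part of
* the DN shared by every member. A cluster receiver's SSLPEER is copied into
* the auto-defined cluster senders on the other members, so it is checked
* against the certificate of every queue manager in the cluster, QMGRB's own
* included. A CN-specific value such as 'CN=QMGRA,...' therefore fails on the
* cluster channels even though the same value works on a point-to-point
* SENDER/RECEIVER pair, where only the partner's certificate is checked.
ALTER CHANNEL(TO.QMGRB.EXT) CHLTYPE(CLUSRCVR) +
      SSLPEER('OU=MQ,O=Example Corp,C=US')

* Option 2: SSLPEER blank on the channel, restriction moved into CHLAUTH.
* Deny everyone on this channel first (ADDRESSMAP has the lowest precedence
* of the rule types), then allow only certificates that carry our DN suffix
* AND come from our issuing CA. Without SSLCERTI, a matching subject signed
* by any CA present in the key repository would be accepted, which is the
* problem the post above points out.
ALTER CHANNEL(TO.QMGRB.EXT) CHLTYPE(CLUSRCVR) SSLPEER(' ')
SET CHLAUTH(TO.QMGRB.EXT) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('deny unless a more specific rule allows') ACTION(REPLACE)
SET CHLAUTH(TO.QMGRB.EXT) TYPE(SSLPEERMAP) +
    SSLPEER('OU=MQ,O=Example Corp,C=US') +
    SSLCERTI('CN=Example Corp Issuing CA,O=Example Corp,C=US') +
    USERSRC(CHANNEL) +
    DESCR('only our MQ certificates from our issuing CA') ACTION(ADD)

* Dry-run the rules for the DMZ gateway before it reconnects. The first
* check should report the allow rule, the second (right subject, wrong
* issuer) the NOACCESS rule.
DISPLAY CHLAUTH(TO.QMGRB.EXT) MATCH(RUNCHECK) ADDRESS('192.0.2.10') +
        QMNAME(QMGRA) SSLPEER('CN=QMGRA,OU=MQ,O=Example Corp,C=US') +
        SSLCERTI('CN=Example Corp Issuing CA,O=Example Corp,C=US')
DISPLAY CHLAUTH(TO.QMGRB.EXT) MATCH(RUNCHECK) ADDRESS('192.0.2.10') +
        QMNAME(QMGRA) SSLPEER('CN=QMGRA,OU=MQ,O=Example Corp,C=US') +
        SSLCERTI('CN=Some Public CA,O=Some Public CA,C=US')

* When a partner is rejected, see what it actually presented on the wire.
DISPLAY CHSTATUS(TO.QMGRB.EXT) RQMNAME SSLPEER SSLCERTI
```

The two options are not exclusive: a common-suffix SSLPEER on the channel plus a CHLAUTH SSLPEERMAP with SSLCERTI gives both a DN check and an issuer check, and the CHLAUTH record is the only one of the two that can name the issuer. Keep the deny-all ADDRESSMAP record in place whenever the channel's own SSLPEER is blank; otherwise the channel accepts any certificate the key repository's trust chain validates.
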