ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » Challenge Forum » Challenge Question - 10 / 2008

This forum is locked: you cannot post, reply to, or edit topics.  This topic is locked: you cannot edit posts or make replies. Goto page 1, 2  Next
 Challenge Question - 10 / 2008 « View previous topic :: View next topic » 
Author Message
Challenger
PostPosted: Wed Oct 01, 2008 12:51 am    Post subject: Challenge Question - 10 / 2008 Reply with quote

Centurion

Joined: 31 Mar 2008
Posts: 115

Welcome to the October's challenge. I hope I found an exciting question for you and I am awaiting lots of interesting answers.


The challenge:

Connect two organisational units (companies, departments of a company, applications or whatever) via WebSphere MQ. The units shall be separated by each other using SSL certificates and connected via gateway queue managers. Use WebSphere MQ clusters to avoid single point of failures.


The tasks:

- Set up a queue manager topology for the connection of the organisational units.

- Define conventions for queue manager, queue, cluster and channel names, to enable communications between the clusters using the gateway queue managers.

- Think about necessary rules for the distinguished names (DN) of the queue manager certificates and the SSLPEER settings of the channels, to enable communications between the clusters using the gateways. Prevent queue managers of one unit to join the cluster of the other unit.


One hint: I like overlapping clusters and SSL, but I do not like exits.
Back to top
View user's profile Send private message
exerk
PostPosted: Fri Oct 03, 2008 12:42 am    Post subject: First toe dipped in the water... Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

TOPOLOGY
1. Create OU Alpha cluster (existing queue managers).
2. Create OU Beta cluster (existing queue managers).
3. Create a Gateway cluster (4 new queue managers).
4. Overlap one pair Gateway queue managers into Alpha cluster, the other pair into Beta cluster.

CONVENTIONS
1. Define a new naming standard for the Gateway cluster elements, e.g. queue manager names, channel names etc.
2. If the naming conventions are markedly different in each organisation, the naming convention of each OU can be used within each Gateway pair-to-OU cluster channel definitions, as can queue names (which will be aliases).

SEPARATION
1. Lock down the Gateway cluster by explicit use of the cluster name and other Gateway cluster unique items within the DN, e.g. use the cluster name as the OU name and ensure no wildcards are used in the SSLPEER values of the Gateway cluster channels, to ensure Alpha/Beta queue managers cannot join the Gateway cluster.
2. Use the Alpha/Beta cluster DN and SSLPEER conventions in each set of Gateway pair-to-OU channels.

PRO
1. Complete separation of OU's.
2. Flexible - if another OU is to be joined, add queue managers into the Gateway then add them to the OU cluster in the same manner as Alpha/Beta.

CON
1. Complexity.
2. Infrastructure requirements.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
Challenger
PostPosted: Thu Oct 09, 2008 5:25 am    Post subject: Reply with quote

Centurion

Joined: 31 Mar 2008
Posts: 115

Exerk,

sorry for my late answer, but it seems my last reply is lost .

I am not sure, if I understand you solution correctly - maybe you provide us with some samples.

Especially I would like to know, how the DN definitions of the qmgr (gateway and application) certificates and the SSLPEER values for all channels would look like.

And how would you prevent qmgrs of one application cluster (e. g. ALPHA) to join the other application cluster (BETA in this sample).
Back to top
View user's profile Send private message
exerk
PostPosted: Mon Oct 13, 2008 2:31 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Challenger,

My apologies for the delay in replying; I have had to do some 'real' work recently

I have revisited the (old) prototype I had, and with the benefit of hindsight, have modified it slightly to reduce complexity by overlapping the clusters using a gateway queue manager as a PR in each cluster.

    The certificates for the ALPHA and BETA queue managers would contain the cluster name as the OU, e.g. OU=ALPHA or OU=BETA

    The certificate for the Gateway queue manager would contain both cluster names as the OU, e.g. OU=ALPHABETA

    The SSLPEER value in the CLUSSDR's and CLUSRCVR's of the ALPHA cluster would be: CN=Enterprise,O=ABC,OU=ALPHA*

    The SSLPEER value in the CLUSSDR's and CLUSRCVR's of the BETA cluster would be: CN=Enterprise,O=ABC,OU=*BETA

    In the Gateway queue manager, separate CLUSSDR's and CLUSRCVR's would be defined for each cluster

This is not an elegant method, and despite your preference not to use exits (a preference I share) using BlockIP2 would be a belt and braces enhancement to the above.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
Challenger
PostPosted: Mon Oct 13, 2008 11:04 pm    Post subject: Reply with quote

Centurion

Joined: 31 Mar 2008
Posts: 115

Exerk,

congratulations . Your solution is not exactly what I have, but it is very similar to what I thought about .

The main difference of my solution in comparison to yours is, that I changed the meanings of CN and OU. I thought about the following definitions:

1. The distinguished names (DN):

Internal QMgrs:
    OU="PROD.INTERNET.APPLICATION"
    CN="INTERN.Name_of_the_qmgr"

External QMgrs:
    OU="PROD.INTERNET.APPLICATION"
    CN="Name_of_the_qmgr.EXTERN"

Gateway QMgrs:
    OU="PROD.INTERNET.APPLICATION"
    CN="INTERN.Name_of_the_qmgr.EXTERN"


2. SSLPEER values:

Internal QMgrs:
    SSLPEER('OU=PROD.INTERNET.APPLICATION,CN="INTERN.*"')

External QMgrs:
    SSLPEER('OU=PROD.INTERNET.APPLICATION,CN="*.EXTERN"')

Gateway QMgrs, internal channels:
    SSLPEER('OU=PROD.INTERNET.APPLICATION,CN="INTERN.*"')

Gateway QMgrs, external channels:
    SSLPEER('OU=PROD.INTERNET.APPLICATION,CN="*.EXTERN"')

An further benefit is, that I am able to separate production from test environments (you could add the environment to your CN attribute).


Some additional remarks to this challenge:

My first idea, when I thought about this challenge, was to use different OUs for each cluster. Then I tried SSLPEER like "SSLPEER('OU=Cluster1')" in one cluster and "SSLPEER('OU=Cluster2')" on a second cluster and so on. The gateway QMgrs in this scenario would have been both OUs defined (or more, the DN may have multiple OUs).

Unfortunately this does not work, because OUs have a hierarchical order. So what I missed in the SSLPEER attribute is some kind of "OR" function.

Exerk, you earned a coffee mug .

The Challenger!
Back to top
View user's profile Send private message
exerk
PostPosted: Tue Oct 14, 2008 5:25 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Woohoo! I feel that I have finally arrived!

What details do you need from me, for me to receive my exalted award?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
Challenger
PostPosted: Wed Oct 15, 2008 5:15 am    Post subject: Reply with quote

Centurion

Joined: 31 Mar 2008
Posts: 115

The Challenge has been solved very quickly, but till end of the month it takes a while, so I have some additional Challenge if you like!

(but no coffee mug for the winner )

Can you guess my true identity? One hint:

I like overlapping clusters.

Who am I?
Back to top
View user's profile Send private message
exerk
PostPosted: Wed Oct 15, 2008 5:25 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Going for the full-house here: PeterPotkay?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
Challenger
PostPosted: Wed Oct 15, 2008 5:51 am    Post subject: Reply with quote

Centurion

Joined: 31 Mar 2008
Posts: 115

exerk wrote:
Going for the full-house here: PeterPotkay?


No, try again ...
Back to top
View user's profile Send private message
Gaya3
PostPosted: Wed Oct 15, 2008 7:38 pm    Post subject: Reply with quote

Jedi

Joined: 12 Sep 2006
Posts: 2493
Location: Boston, US

its spider man : fjb_saper
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die
Back to top
View user's profile Send private message
AkankshA
PostPosted: Wed Oct 15, 2008 8:23 pm    Post subject: Reply with quote

Grand Master

Joined: 12 Jan 2006
Posts: 1494
Location: Singapore

bruce2359 or gbaddelay
_________________
Cheers
Back to top
View user's profile Send private message Visit poster's website
atheek
PostPosted: Wed Oct 15, 2008 9:02 pm    Post subject: Reply with quote

Partisan

Joined: 01 Jun 2006
Posts: 327
Location: Sydney

bower5932
Back to top
View user's profile Send private message
exerk
PostPosted: Thu Oct 16, 2008 5:06 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Hubert Kleinmanns?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
HubertKleinmanns
PostPosted: Thu Oct 16, 2008 8:29 pm    Post subject: Reply with quote

Shaman

Joined: 24 Feb 2004
Posts: 732
Location: Germany

exerk wrote:
Hubert Kleinmanns?



You got it!

Congratulations again!

I proclaim exerk as the double winner of the october challenge
_________________
Regards
Hubert
Back to top
View user's profile Send private message Visit poster's website
exerk
PostPosted: Thu Oct 16, 2008 11:09 pm    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Google is a wonderful thing! Found you on the list server discussing having up to 80 overlapping clusters...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
Display posts from previous:   
This forum is locked: you cannot post, reply to, or edit topics.  This topic is locked: you cannot edit posts or make replies. Goto page 1, 2  Next Page 1 of 2

MQSeries.net Forum Index » Challenge Forum » Challenge Question - 10 / 2008
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.