ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » Communcation between z/os and suse Linux queue manager

Post new topic  Reply to topic Goto page 1, 2  Next
 Communcation between z/os and suse Linux queue manager « View previous topic :: View next topic » 
Author Message
kalam475
PostPosted: Sun Jan 17, 2016 3:10 am    Post subject: Communcation between z/os and suse Linux queue manager Reply with quote

Acolyte

Joined: 16 Jan 2015
Posts: 63

Hi,
I am fairly new to MQ I need suggestion from any one of you on below mentioned problem.

I want to connect my Queue manager which is on SUSE Linux to be connected to Queue manager sitting on Z/os mainframes. They are saying it is not safe to use the channels(Sender-Reciver) in mainframes due to security reasons. They are suggesting to implement gateway queue manager concept. I am little confused here, we are using 7.5.0.5 version in SUSE Linux i thought from version 6 the gateway queue manager's are replaced by some parameter.Is gateway queue manager is different from cluster? Please guide me on this

thanks in advance
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Sun Jan 17, 2016 6:36 am    Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7717

Quote:
"...due to "security reasons".


Could you (or they) be any more vague?

Unless we know what specific security reason they are trying to mitigate, its hard for us to comment.

I struggle to determine what could be done more securely from an MQ perspective with a 3rd Queue Manager connected to their z/OS Queue Manager instead of your SUSE queue manager if SNDR/RCVR channels are used in both cases.

Need more details to provide more feedback...
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
smdavies99
PostPosted: Sun Jan 17, 2016 7:15 am    Post subject: Reply with quote

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

I am sure that IBM would love to know the exact security reasons for not connecting MQ (an IBM product) to a Z/OS System (Multiple IBM products).

There are many such connections in use today where security is exteemly important.
Many of the people who comment here work with just these systems all day, every day.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Sun Jan 17, 2016 8:12 am    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

Moved to Security form (from Java forum).
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Sun Jan 17, 2016 8:31 am    Post subject: Re: Communcation between z/os and suse Linux queue manager Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

kalam475 wrote:
Hi,
I am fairly new to MQ I need suggestion from any one of you on below mentioned problem.

Search google for 'mq+primer'. Download and read one of the newer introductory documents on MQ fundamentals.

kalam475 wrote:

I want to connect my Queue manager which is on SUSE Linux to be connected to Queue manager sitting on Z/os mainframes. They are saying it is not safe to use the channels(Sender-Reciver) in mainframes due to security reasons.

What security reasons exactly? Newer versions of MQ are more secure and reliable than older versions. Generally, mainframe z/OS is more secure than midrange Windows/UNIX.
kalam475 wrote:
They are suggesting to implement gateway queue manager concept.

ok. Why? What will the gateway qmgr do?
kalam475 wrote:
I am little confused here, we are using 7.5.0.5 version in SUSE Linux i thought from version 6 the gateway queue manager's are replaced by some parameter.

Please be more precise. What parameter of what?

kalam475 wrote:
Is gateway queue manager is different from cluster? Please guide me on this.

Yes, gateway and cluster are different concepts. Search google for 'mq+gateway' and 'mq+cluster'. Read.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
kalam475
PostPosted: Mon Jan 18, 2016 12:18 am    Post subject: Reply with quote

Acolyte

Joined: 16 Jan 2015
Posts: 63

Hi Thanks for prompt reply

The issue here is they don't want to connect QMGR's through direct channels rather they want is to use the default gateway queue manager. My problem here is normally we use gateway queue manager in cluster scenarios now do i have to implement cluster i dont think so. I think what they are looking here is multiple hopping where the gateway queue manager has the alias queue manager and it will put message in SUSE Linux QMGR.

the problem here is can gateway queue manager and actual qmgr should be in same MQ installation or should be in different queue manager.

Here we are talking about two way communication
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Mon Jan 18, 2016 6:09 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

my guess here is that the gateway qmgr (used for multi-hopping) will be in the DMZ. Usually you'd put support pack MS81 (MQIPT) into the DMZ to avoid any data at rest there...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
kalam475
PostPosted: Mon Jan 18, 2016 7:28 am    Post subject: Reply with quote

Acolyte

Joined: 16 Jan 2015
Posts: 63

yes the gateway queue manager is in DMZ

I was thinking the solution here is to create the sender and receiver channels between gateway queue manager and SUSU Linux Queue manager and create a alias Queue manager in gateway Queue manager

Correct me if I am wrong
Back to top
View user's profile Send private message
bruce2359
PostPosted: Mon Jan 18, 2016 7:57 am    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

kalam475 wrote:
yes the gateway queue manager is in DMZ

I was thinking the solution here is to create the sender and receiver channels between gateway queue manager and SUSU Linux Queue manager and create a alias Queue manager in gateway Queue manager

Correct me if I am wrong

What you will need on a gateway (or hub or multi-hop) qmgr is a queue-manager alias (not an alias Queue manager) definition that satisfies the gateway qmgr name resolution process when a message arrives on a qmgr that is not the qmgr named in the transmission queue header (XQH).
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
kalam475
PostPosted: Mon Jan 18, 2016 8:15 am    Post subject: Reply with quote

Acolyte

Joined: 16 Jan 2015
Posts: 63

Along with queue-manager alias we will also need sender and receiver channels right to SUSE Linux with out which connection is not possible

I know it's kind of dumb question and i tried in local also it needed channels to communicate. Just want to confirm is there any way without channels.

Thanks for your patience..
Back to top
View user's profile Send private message
mqjeff
PostPosted: Mon Jan 18, 2016 8:25 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Every connection between any part of MQ needs channels. Qmgr->Qmgr, client->qmgr.
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
bruce2359
PostPosted: Mon Jan 18, 2016 8:34 am    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

kalam475 wrote:
Along with queue-manager alias we will also need sender and receiver channels right to SUSE Linux with out which connection is not possible

Exactly. Qmgrs communicate (send/receive messages) with other qmgrs through MQ channels.

kalam475 wrote:
I know it's kind of dumb question and i tried in local also it needed channels to communicate. Just want to confirm is there any way without channels.

The concepts of local and remote have little to do with distance. Rather, in MQ-speak, the local qmgr is the one that that the application MQCONNects to so that it can create (MQPUT) messages. By definition, all other qmgrs (whether in the same o/s image or other o/s image) are remote. A channel pair connects the local qmgr to its remote partner qmgr.

kalam475 wrote:
Thanks for your patience..

Happy to help.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Mon Jan 18, 2016 3:38 pm    Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7717

Putting queue managers in the DMZ has historically been not the preferred choice. It introduces the possibility of MQ messages residing on disk in the DMZ, typically something to be avoided. There are various configuration choices in MQ that can help minimize the possibility of messages spilling to disk if you need to have a QM in the DMZ for some reason.

I'm still looking to understand what the people you are working with hope to achieve by placing an intermediate queue manager between your z/OS QM and your SUSE Linux QM, in the DMZ no less.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
Vitor
PostPosted: Tue Jan 19, 2016 5:49 am    Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

PeterPotkay wrote:
Putting queue managers in the DMZ has historically been not the preferred choice. It introduces the possibility of MQ messages residing on disk in the DMZ, typically something to be avoided. There are various configuration choices in MQ that can help minimize the possibility of messages spilling to disk if you need to have a QM in the DMZ for some reason.




PeterPotkay wrote:
I'm still looking to understand what the people you are working with hope to achieve by placing an intermediate queue manager between your z/OS QM and your SUSE Linux QM, in the DMZ no less.




As with others, I'd like to know the exact reasoning rather than the "it's not safe to use sender / receiver channels due to security reasons". Firstly, "security reasons" are the same as "national security concerns"; it's a large blanket covering all sorts of undefined stuff. Secondly, what's not safe about a link between z/OS and Linux that is safe between 2 Linux queue managers? Extending that, what's different about those 2 configurations?

It sounds much more like the z/OS people can't be bothered to set up more TCP/IP configuration, want to use the existing route into the DMZ and have used "security reasons" as an excuse because "we're lazy and worried the magic will go away if we change SYS1.PARMLIB" sounds too whiney
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
kalam475
PostPosted: Tue Feb 09, 2016 10:33 pm    Post subject: Reply with quote

Acolyte

Joined: 16 Jan 2015
Posts: 63

Hi all,

In our deployment we have SUSE linux on which MQ is used. the CCSID for our SUSE Linux is 1208 Where as the queue manager we are connecting is in Z/OS and want to see message in EBCDIC. They are having a problem with the conversion of the message to EBCDIC.Currently the message header does not contain the correct parameters so Z/OS MQ cannot convert the message to EBCDIC correctly.

I have went through the document where we have a property in channel setting data conversion presently it is set to "No Conversion".
Do i have to change it to Conversion does it resolve the issue.

Please help me out here.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Goto page 1, 2  Next Page 1 of 2

MQSeries.net Forum Index » IBM MQ Security » Communcation between z/os and suse Linux queue manager
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.