ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexClusteringMQPut to Cluster queue of a specific cluster only

Post new topicReply to topic
MQPut to Cluster queue of a specific cluster only View previous topic :: View next topic
Author Message
lamtbs
PostPosted: Thu Sep 27, 2018 8:25 pm Post subject: MQPut to Cluster queue of a specific cluster only Reply with quote

Acolyte

Joined: 07 Nov 2005
Posts: 55
Location: Hong Kong

Dear,

In an overlapping cluster, is there a way to put to cluster-queues of a specific cluster ONLY?

Say my QM is participating in CL1, CL2, CL3, where Q1 is a clustered queue defined in all 3 clusters, would it be possible to MQPut to Q1 in CL1, and NOT to CL2, CL3?

I have simplified the question for easier discussion, the underlying issue is Q1 is supposed to be used by CL1 only. However, by mistake or by fraud, CL2 and CL3 is also defining Q1 to steal message from CL1. What are some ways around such issue?

Thank you!
Back to top
View user's profile Send private message Send e-mail MSN Messenger
exerk
PostPosted: Thu Sep 27, 2018 11:55 pm Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6102

Queues are shared in one cluster only, or in all clusters.

If shared in all clusters, there is very little you can do to prevent load-balancing of messages across all instances of the queue.

You can either:

1. Remove the offending queue instances so that messages cannot go to them;
2. If the above cannot be done, PUT(DISABLE) the offending queue instances;*
3. Have the application open the correct queue instance by specifying the queue manager name (highly NOT recommended, and only included as an option for completeness).

My advice would be for option 1 above.

* Be aware that if none of the correct queue instances are available, messages will then go to the offending queue instances.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
lamtbs
PostPosted: Fri Sep 28, 2018 2:20 am Post subject: Reply with quote

Acolyte

Joined: 07 Nov 2005
Posts: 55
Location: Hong Kong

Thanks exerk,

I am reading on cluster channel security exit, say with some naming convention, or even ip address list, to limit / forbid sending of message to queue Q1 on CL2, CL3.

Say with naming convention like CL1.Q1. If the message is going through CL1.CLUSSDR, it is allowed, but if it is going thru CL2.CLUSSDR, it is prohibited. Wonder if that approach works.

Thanks!
Back to top
View user's profile Send private message Send e-mail MSN Messenger
exerk
PostPosted: Fri Sep 28, 2018 2:26 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6102

lamtbs wrote:
...Say with naming convention like CL1.Q1. If the message is going through CL1.CLUSSDR, it is allowed, but if it is going thru CL2.CLUSSDR, it is prohibited. Wonder if that approach works...

If the queues are shared in all clusters then you may not be able to control the route messages take; for example, depending on the state of the CLUSSDR channels (for all clusters), the queue manager will decide which set of channels is most appropriate down which to send messages.

Again, if those queues are NOT supposed to be in CL2 and CL3, remove them from those clusters!
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
bruce2359
PostPosted: Fri Sep 28, 2018 4:59 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8492
Location: US: west coast, almost. Otherwise, enroute.

exerk wrote:
Queues are shared in one cluster only, or in all clusters.

Or a NAMELIST of clusters.
_________________
There are two types of people in this world:
1) Those that can extrapolate from incomplete data
Back to top
View user's profile Send private message
exerk
PostPosted: Fri Sep 28, 2018 5:00 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6102

bruce2359 wrote:
exerk wrote:
Queues are shared in one cluster only, or in all clusters.

Or a NAMELIST of clusters.

Which is a more accurate description of my meaning
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
fjb_saper
PostPosted: Sat Sep 29, 2018 2:38 pm Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20107
Location: LI,NY

Guys,

This is totally solvable, and relatively easy.

Imagine you have a gateway QMGR participating in multiple clusters ...
Now you have a cluster alias defined on one or multiple qmgrs that are not shared in the other clusters

Send a message with the cluster alias in the qmgr name and it will be load balanced in the cluster of your choice...

Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
lamtbs
PostPosted: Sat Sep 29, 2018 7:01 pm Post subject: Reply with quote

Acolyte

Joined: 07 Nov 2005
Posts: 55
Location: Hong Kong

really!

How do I do a "cluster alias", I've tried defining DEFINE QR(CL1.ALIAS) RQMNAME(CL1.QM1, CL1.QM2) to try to restrict message to CL1 only, but the aliasing does not work.

Please help further, thanks a lot!
Back to top
View user's profile Send private message Send e-mail MSN Messenger
bruce2359
PostPosted: Sat Sep 29, 2018 9:38 pm Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8492
Location: US: west coast, almost. Otherwise, enroute.

If an object is to be known to a cluster, it must have the CLUSTER(clusternsme) attribute.
_________________
There are two types of people in this world:
1) Those that can extrapolate from incomplete data
Back to top
View user's profile Send private message
lamtbs
PostPosted: Sun Sep 30, 2018 12:40 am Post subject: Reply with quote

Acolyte

Joined: 07 Nov 2005
Posts: 55
Location: Hong Kong

Oh, did it. Thanks!

On gateway QM
DEFINE QR(Q1.REMOTE) RNAME(Q1) RQMNAME('CL1.ALIAS') DEFBIND(NOTFIXED) XMITQ(SCTQ) CLUSTER('CL1')

On all the cluster QMs where the targeted queues are
DEFINE QR(CL1.ALIAS) RNAME('') RQMNAME('') CLUSTER('CL1')


But actually, with a knowledge of the naming convention, like if I can guessed "CL1.ALIAS", I could also have faked in my cluster to steal your message


So, it's really a matter of whether we should use cluster if the environment is really not to be trusted.
Back to top
View user's profile Send private message Send e-mail MSN Messenger
bruce2359
PostPosted: Sun Sep 30, 2018 6:49 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 8492
Location: US: west coast, almost. Otherwise, enroute.

MQ clusters are no more or no less secure than non clusters. CHLAUTH rules will prevent unknown up-network qmgrs from connecting to a qmgr. CHLAUTH rules can also restrict remote MQ administration. SSL/TLS will further limit access to MQ channels.

As an MQ admin, you have lots of power that normal users do not.
_________________
There are two types of people in this world:
1) Those that can extrapolate from incomplete data
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Tue Oct 02, 2018 4:40 am Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7557

I can't think of any way >in the base MQ product< on the >sending< queue manager in a cluster to prevent messages being load balanced to a clustered queue on the receiving queue manager in the cluster(s), if you trust that receiving queue manager to be in the same cluster you are in.

Issues like this are why you should never span an MQ Cluster between your company and another, unless you implemented some custom exits to control what data is leaving your clustered queue manager. As soon as you trust the connection to send to one queue on the destination clustered queue manager you just trusted sending to any and every queue on that destination clustered queue manager. You are at the mercy of the destination queue manager to not define clustered definitions you hope/wish/pray they wouldn't.

And never, never span an MQ Cluster across multiple companies where the cluster acts as a bridge between unrelated companies thru your company - the liability implications are something to think about.

Especially when you are limited to the features of the base MQ product, there is a level of trust implied between members of the same cluster. And when you overlap clusters, between all members of all clusters. To my knowledge, the base MQ product simply doesn't offer a way to control on the sending clustered queue manager what the receiving clustered queue manager can advertise and be sent.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Tue Oct 02, 2018 3:52 pm Post subject: Re: MQPut to Cluster queue of a specific cluster only Reply with quote

Jedi

Joined: 25 Mar 2003
Posts: 2014
Location: Melbourne, Australia

lamtbs wrote:
Dear,
In an overlapping cluster, is there a way to put to cluster-queues of a specific cluster ONLY?
Say my QM is participating in CL1, CL2, CL3, where Q1 is a clustered queue defined in all 3 clusters, would it be possible to MQPut to Q1 in CL1, and NOT to CL2, CL3?
I have simplified the question for easier discussion, the underlying issue is Q1 is supposed to be used by CL1 only. However, by mistake or by fraud, CL2 and CL3 is also defining Q1 to steal message from CL1. What are some ways around such issue?
Thank you!

As with most things, MQ configuration relies on the honesty and integrity of the administrators. There are approaches to minimise mistakes or fraud. I guess you are looking for this.

When putting to a queue, the destination queue name (and optional queue manager) can be specified, but the cluster can't be specified.

You should be using a hierarchical naming standard for queues, so that their home cluster can be easily identified. It is then possible to run regular reporting to identify rogue queues. The mistake can then be rectified, investigate the root cause, and take appropriate preventative action.
_________________
Glenn
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexClusteringMQPut to Cluster queue of a specific cluster only
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.