MQSeries.net Forum Index » IBM MQ Security » SSL/TLS implementation in subset of cluster channels

SSL/TLS implementation in subset of cluster channels

adireddy123 (Newbie, joined 20 Sep 2011, 9 posts)
Posted: Tue Mar 05, 2019 3:24 am    Post subject: SSL/TLS implementation in subset of cluster channels
QMA and QMB qmgrs are in my cluster setup. The MQ cluster setup is already in place.

QMA - Full Repo queue manager; Cluster Channels: TO.QMA and TO.QMB

QMB - Full Repo queue manager; Cluster Channels: TO.QMB and TO.QMA

Two different customers' queue managers have joined my cluster setup as Partial repo queue managers

Customer-1:
Queue Manager: C1_QMC

Customer-2
Queue Manager: C2_QMD

I am new to MQ SSL.

Now Customer-1 (C1_QMC) wants to implement SSL/TLS between my qmgrs (QMA/QMB) and C1_QMC.

I have implemented SSL/TLS between QMA & QMB <-> C1_QMC, and it has impacted the C2_QMD channels (Customer-2), as the cluster receiver channels (TO.QMA and TO.QMB) are common to Customer-1 and Customer-2.

Is it possible to implement the SSL/TLS setup without impacting Customer-2?

Do I need to define a new Gateway queue manager and a new cluster setup for the SSL/TLS implementation for Customer-1?

Is it not possible with the cluster setup, and only possible with P2P channels using a GW queue manager, to avoid impacting Customer-2?

I would appreciate it if you could point me in the right direction.

Please let me know if you need more info.

Thank You.
hughson (Padawan, joined 09 May 2013, 1914 posts, Bay of Plenty, New Zealand)
Posted: Tue Mar 05, 2019 6:58 am

You have correctly deduced that it is not possible to implement SSL/TLS on a cluster channel without impacting all other users of that channel, since it is a shared definition.

It is possible to create a channel auto-definition exit to turn it on or off where needed, but that is a complex task.

You could have two pairs of channels, with NETPRTY set to cause the SSL one to be used in preference where it works, but that is not ideal.

You are correct that a GW queue manager could be used to isolate customer-2 from these changes to your cluster, and in fairness, most people have GW QMgrs rather than allowing other organisations to directly join their cluster.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
adireddy123 (Newbie, joined 20 Sep 2011, 9 posts)
Posted: Wed Mar 06, 2019 4:52 am

Thank You Morag.

There are no SSL/TLS errors on the Customer-2 queue manager after we made the following changes:

1. Altered the cluster receiver channel SSLCAUTH to OPTIONAL on the TO.QMA and TO.QMB channels on the QMA and QMB queue managers

2. Added the QMA and QMB SSL certs on the Customer-2 queue manager (SSL not added on the Customer-2 cluster sender/receiver channels)


Is this the right direction?


If we go with the Gateway queue manager concept, can we set SSL only at the P2P channel level between the GW qmgr and the Customer-1 qmgr?

Or can we set SSL at the cluster channel level with a Gateway queue manager?

hughson (Padawan, joined 09 May 2013, 1914 posts, Bay of Plenty, New Zealand)
Posted: Wed Mar 06, 2019 12:51 pm

adireddy123 wrote:
There are no SSL/TLS errors on the Customer-2 queue manager after we made the following changes:

1. Altered the cluster receiver channel SSLCAUTH to OPTIONAL on the TO.QMA and TO.QMB channels on the QMA and QMB queue managers

2. Added the QMA and QMB SSL certs on the Customer-2 queue manager (SSL not added on the Customer-2 cluster sender/receiver channels)


So you are using one SSL/TLS channel and one non-SSL/TLS channel on Customer-2 then?

You appear to have an anonymous SSL/TLS channel from Customer-2 to QMA and to QMB (because although you haven't changed the cluster-sender channel at Customer-2, you are using the attributes defined in the cluster-receiver channels on QMA and QMB).

Your channel into the queue manager on Customer-2 is not using SSL/TLS because you haven't changed the cluster-receiver on that queue manager.

Is this what you intended? SSL/TLS on one channel and not on the other?

Given that you have gone this far, why not make a certificate for Customer-2 as well and finish it off?

P.S. Think about using CA-signed certificates rather than self-signed ones as you have described.

adireddy123 wrote:
If we go with the Gateway queue manager concept, can we set SSL only at the P2P channel level between the GW qmgr and the Customer-1 qmgr?

Or can we set SSL at the cluster channel level with a Gateway queue manager?


The point of the GW solution is that all members of the cluster use SSL/TLS, so the cluster channels to the GW necessarily use SSL/TLS. The P2P channels from the GW to an external customer can have an independent decision made about SSL/TLS, the independence being the whole point.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
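The gateway pattern Morag describes in her two replies, written out as MQSC so the difference between the shared cluster-receiver definition and the independent point-to-point pairs is visible. This is an added example and not configuration from the thread or from any poster: the gateway queue manager name GWQM, the cluster name GWCLUS, the hostnames and ports, the CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA256 and the SSLPEER distinguished-name fragments are all assumed values.

```mqsc
* Added example, not from the thread. Assumed names: GWQM, GWCLUS,
* gw.example.internal, c1.customer1.example, c2.customer2.example,
* CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA256, SSLPEER DN fragments.
* Run with:  runmqsc GWQM < gateway.mqsc

* --- Cluster side: one definition, shared by every cluster member ---
* Every auto-defined cluster-sender channel to GWQM copies SSLCIPH from
* this CLUSRCVR, which is exactly why TLS on a cluster channel affects
* all users of that channel. SSLCAUTH(REQUIRED) demands a client
* certificate (OPTIONAL, as in the thread, allows anonymous partners);
* SSLPEER restricts which certificate subjects are accepted.
DEFINE CHANNEL(TO.GWQM) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('gw.example.internal(1414)') CLUSTER(GWCLUS) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
       SSLCAUTH(REQUIRED) SSLPEER('O=Example Corp') +
       DESCR('Cluster receiver, TLS mandatory for all members') REPLACE

* --- Customer-1: wants TLS, gets a TLS point-to-point pair ---
* A SDR/RCVR pair is private to GWQM and C1_QMC; nothing here is
* inherited by any other queue manager. SSLCIPH must match at both ends;
* SSLCAUTH is a receiving-end attribute, so it appears only on the RCVR.
DEFINE QLOCAL(C1_QMC) USAGE(XMITQ) REPLACE
DEFINE CHANNEL(GWQM.TO.C1_QMC) CHLTYPE(SDR) TRPTYPE(TCP) +
       CONNAME('c1.customer1.example(1414)') XMITQ(C1_QMC) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
       SSLPEER('O=Customer One') REPLACE
DEFINE CHANNEL(C1_QMC.TO.GWQM) CHLTYPE(RCVR) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
       SSLCAUTH(REQUIRED) SSLPEER('O=Customer One') REPLACE

* --- Customer-2: no TLS yet, gets a plain point-to-point pair ---
* Leaving SSLCIPH blank on both channels keeps this pair unencrypted
* without touching Customer-1 or the cluster channels.
DEFINE QLOCAL(C2_QMD) USAGE(XMITQ) REPLACE
DEFINE CHANNEL(GWQM.TO.C2_QMD) CHLTYPE(SDR) TRPTYPE(TCP) +
       CONNAME('c2.customer2.example(1414)') XMITQ(C2_QMD) REPLACE
DEFINE CHANNEL(C2_QMD.TO.GWQM) CHLTYPE(RCVR) TRPTYPE(TCP) REPLACE

* Confirm which channels carry TLS before starting them.
DISPLAY CHANNEL(*) CHLTYPE(CLUSRCVR) SSLCIPH SSLCAUTH SSLPEER
DISPLAY CHANNEL('*.TO.GWQM') CHLTYPE(RCVR) SSLCIPH SSLCAUTH SSLPEER
```

The transmission queues are named after the remote queue managers, so messages addressed to C1_QMC or C2_QMD resolve to the matching sender channel without extra alias definitions. When Customer-2 later decides to adopt TLS, only its SDR/RCVR pair changes; the CLUSRCVR and the Customer-1 pair stay as they are. The CipherSpec is an assumption: pick one that both the gateway's and the partner's MQ versions support, and prefer a CA-signed certificate over a self-signed one, as the last reply advises.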