MQSeries.net forum, IBM MQ Security

MQ behind Load Balancer
ttechsavvy
PostPosted: Mon Oct 05, 2020 12:32 am    Post subject: MQ behind Load Balancer
Hello!

I've set up MQ, generated certificates, configured channels, queues and so on. Due to my company's security policy, I can't let clients connect straight to our MQ server. We are using a load balancer with a wildcard certificate, and the MQ server sits behind that.

I have problems setting up connections with clients, and actually with local testing as well.

When I run the curl command from the Linux CLI (the local machine where MQ is installed):

with https, the connection is successful. The server receives "invalid data".

without https, curl says it gets connected, but the MQ server doesn't receive any connection.

When I configure my "TEST" queue manager (also installed on the same server) with the same CONNAMEs -

with https (CONNAME('https://my.server.com(1414)')),
Code:
AMQ9202E: Remote host not available, retry later.

The RCVR qmgr doesn't receive any connection.

without https (CONNAME('my.server.com(1414)')), LOGS:
Code:
An error occurred receiving data from 'x.x.x.x(1414)' over TCP/IP.  The
connection to the remote host has unexpectedly terminated.

The RCVR qmgr doesn't receive any connection.


Why does the curl command with HTTPS work, but the channel doesn't?



Also, when I test with channel-side SSL enabled and without the Load Balancer, everything works. But as the Load Balancer requires SSL enabled, I don't see a reason why I need to use SSL on the channels as well.



Does anybody have experience with this type of setup? Like I mentioned, I can't let clients connect straight to our MQ Server.


Any response & information would be useful.
Vitor
PostPosted: Mon Oct 05, 2020 4:53 am

cURL isn't the greatest in this circumstance; it thinks it's talking to a web server and sometimes goes funky. Go old school and repeat your test with telnet.

As to why you need SSL on channels when the load balancer requires it, there are 2 broad answers:

- If you're using SSL to encrypt communication from clients (which are presumably on a trusted, on-prem network) to the load balancer (on the same trusted, on-prem network), then why would you not use SSL to encrypt traffic from the load balancer (on a trusted, on-prem network) to the server (on the same trusted, on-prem network)? If you weren't required to use the load balancer, you'd have SSL on the whole length of the client to MQ connection; why should it be different because you have a network appliance in the middle?

- If the load balancer is forwarding the certificate being passed by the client (which many load balancers in this circumstance are configured to do) then you need the appropriate set up at the MQ end to deal with this.
_________________
Honesty is the best policy.
Insanity is the best defence.
ttechsavvy
PostPosted: Mon Oct 05, 2020 5:53 am

I am required to use a load balancer in front of the MQ Server - that's the thing.
And also the connection from the client to the load balancer has to be encrypted.
Vitor
PostPosted: Mon Oct 05, 2020 6:21 am

ttechsavvy wrote:
I am required to use a load balancer in front of the MQ Server - that's the thing.

I understand that.

ttechsavvy wrote:
And also the connection from the client to the load balancer has to be encrypted.

I understand that as well.

You said:
ttechsavvy wrote:
But as the Load Balancer requires SSL enabled, I don't see a reason why I need to use SSL on the channels as well.

I was attempting to respond to that.
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper
PostPosted: Wed Oct 07, 2020 1:52 pm

Have you tried using MQIPT instead? It works fine as an SSL termination point and can make the next leg in clear....
_________________
MQ & Broker admin
ttechsavvy
PostPosted: Wed Oct 21, 2020 5:53 am

Thanks for the answers!

MQIPT would be an option if I can't connect partners with the current solution.

Also, I managed to connect my first partner to our MQ Server! Yay! The trick was that the partner had to add our Load Balancer SslCipher to their MQ Server sender channels. The internal connection is without SSL.

BUT..

Now I have another partner, who wants to send us messages AS a 'client'. I asked them to add our Load Balancer SslCipher to their connection configuration, and the partner is able to connect to our MQ Server through the Load Balancer but can't put the "test" message to the local queue. I will provide logs from the partner and also from the MQ Server.

Client Logs:

Code:

MQHelper.postMessageByJMS  : com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'EXAMPLE_QM1' with connection mode 'Client' and host name 'example.com(xxxx)'.
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
   at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:595)
   at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:215)
   at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:424)
   at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:8475)
   at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:7815)
   at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl._createConnection(JmsConnectionFactoryImpl.java:303)
   at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:236)
   at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6016)
   at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:111)
   at com.thy.tropyaj.pnrgov.MQHelper.postMessageByJMS(MQHelper.java:334)
   at com.thy.tropyaj.pnrgov.SenderManagerThread.sendByMQ(SenderManagerThread.java:147)
   at com.thy.tropyaj.pnrgov.SenderManagerThread.run(SenderManagerThread.java:58)
   at java.lang.Thread.run(Unknown Source)
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2009' ('MQRC_CONNECTION_BROKEN').
   at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)

Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2009;AMQ9204: Connection to host 'texample.com(xxxx)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2009],3=texample.com(xxxx),5=RemoteSession.receiveAsyncTsh]
   at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2302)
   at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1273)
   at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:377)
   at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:562)
   at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:357)
   ... 10 more

Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2009;AMQ9213: A communications error for 'TCP' occurred. [1=java.net.SocketException[Socket is closed],4=TCP,5=Socket.setSoTimeout]
   at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.receive(RemoteTCPConnection.java:1800)
   at com.ibm.mq.jmqi.remote.impl.RemoteRcvThread.receiveBuffer(RemoteRcvThread.java:733)
   at com.ibm.mq.jmqi.remote.impl.RemoteRcvThread.receiveOneTSH(RemoteRcvThread.java:699)
   at com.ibm.mq.jmqi.remote.impl.RemoteRcvThread.run(RemoteRcvThread.java:139)


Logs from MQ Server

Code:


AMQ9503E: Channel negotiation failed.

EXPLANATION:
10/19/2020 10:48:49 AM

Channel 'xxxxxxxx' between this machine and the remote machine
'gateway (x.x.x.x)' could not be established due to a negotiation
failure. In some cases the channel name can not be determined and so is shown
as '????'.

The last control data received was type 1 with associated error code
4294967295.

ACTION:
Tell the systems administrator, who should attempt to identify the cause of the
channel failure using problem determination techniques.  For example, look for
FFST files, and examine the error logs on the local and remote systems where
there may be messages explaining the cause of failure.  More information may be
obtained by repeating the operation with tracing enabled.



10/19/2020 10:48:49 AM

AMQ9999E: Channel 'xxxxxxxx' to host 'x.x.x.x' ended
abnormally.

EXPLANATION:
The channel program running under process ID 42348 for channel
'xxxxxxxxx' ended abnormally. The host name is 'x.x.x.x'; in
some cases the host name cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.




Does somebody have any clue why this fails?

Could this be the case that connection from Load Balancer to MQ Server is without SSL?


Thanks!
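An added example (not from the thread, and not IBM's own sample) of the channel definitions the setup described above implies: the partner's sender channel uses TLS to the load balancer, which terminates it, and the receiver behind the load balancer runs in clear. Channel names, the transmission queue, the MCAUSER values and the CipherSpec are assumed placeholders; the CipherSpec has to be one the load balancer actually negotiates. It does not resolve the negotiation failure quoted in the post, which the thread leaves open.

```mqsc
* Partner side (sender): TLS terminates at the load balancer, so SSLCIPH must
* be a CipherSpec the load balancer will negotiate (placeholder value here).
* CONNAME is host(port), never an https:// URL: MQ channels speak the MQ
* protocol over TCP, not HTTP, which is why curl "works" and the channel does not.
DEFINE CHANNEL('PARTNER.TO.EXAMPLE') CHLTYPE(SDR) TRPTYPE(TCP) +
       CONNAME('my.server.com(1414)') +
       XMITQ('EXAMPLE.XMITQ') +
       SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') +
       REPLACE

* Queue-manager side (behind the load balancer): the second leg is plaintext,
* so the receiver carries no CipherSpec. Because the load balancer terminates
* TLS, the queue manager never sees the partner's certificate: SSLPEER and
* SSLPEERMAP checks cannot be applied here, and address-based CHLAUTH rules see
* the load balancer's address (the 'gateway' in the log above), not the partner.
* MCAUSER pins the identity the channel runs under instead.
DEFINE CHANNEL('PARTNER.TO.EXAMPLE') CHLTYPE(RCVR) TRPTYPE(TCP) +
       SSLCIPH(' ') +
       MCAUSER('mqpartner') +
       REPLACE

* Same pattern for a partner connecting as a client (the JMS case above).
DEFINE CHANNEL('EXAMPLE.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(' ') +
       MCAUSER('mqclient') +
       REPLACE
```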
onlysatishin
PostPosted: Wed Sep 06, 2023 11:42 am    Post subject: Same issue

What was the solution for this?