MQ cluster over firewalls to third-party?
zpat
Posted: Wed Sep 15, 2021 5:32 am    Post subject: MQ cluster over firewalls to third-party?

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

It's been suggested that we connect a high volume feed to/from an external third-party over MQ - not using standard sender/receiver channels but using cluster channels.

That is we would connect to one of the other party's clusters (and FRs) by joining that cluster.

Given the connections will have to traverse firewalls and NAT at both ends - this seems like it might be complicated?

Any views on this or is it better to keep clustering purely internal and not expose it outside an organisation?

I assume it would be a new cluster set up just for this purpose.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
bruce2359
Posted: Wed Sep 15, 2021 6:47 am    Post subject: Re: MQ cluster over firewalls to third-party?

Poobah

Joined: 05 Jan 2008
Posts: 9396
Location: US: west coast, almost. Otherwise, enroute.

zpat wrote:
It's been suggested that we connect a high volume feed to/from an external third-party over MQ - not using standard sender/receiver channels but using cluster channels.

Who suggested this? What would cluster channels offer over standard sender-receiver channels?

zpat wrote:
Any views on this or is it better to keep clustering purely internal and not expose it outside an organisation?

My general recommendation, without knowing the actual requirements or the politics involved, is to keep 3rd party qmgrs on the simple and standard sender-receiver channels, to/from a qmgr in a DMZ. IMHO.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
zpat
Posted: Wed Sep 15, 2021 11:45 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Thanks. It was suggested by the third-party in question.

They want to use the flexibility of MQ clustering to decide where messages land, but that can still be done "behind the scenes" inside their network.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
bruce2359
Posted: Wed Sep 15, 2021 12:04 pm

Poobah

Joined: 05 Jan 2008
Posts: 9396
Location: US: west coast, almost. Otherwise, enroute.

zpat wrote:
Thanks. It was suggested by the third-party in question.

They want to use the flexibility of MQ clustering to decide where messages land, but that can still be done "behind the scenes" inside their network.

Your cluster need not be part of (known to) their cluster. Your cluster merely needs a plain old sender-receiver channel pair between your cluster gateway qmgr and their cluster gateway qmgr. When a message arrives on their gateway qmgr, the usual name resolution process, along with some qmgr-aliases, will accomplish message routing.

Ref: https://www.ibm.com/docs/en/ibm-mq/8.0?topic=cluster-routing-messages-from-clusters
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
gbaddeley
Posted: Wed Sep 15, 2021 3:39 pm    Post subject: Re: MQ cluster over firewalls to third-party?

Jedi

Joined: 25 Mar 2003
Posts: 2494
Location: Melbourne, Australia

zpat wrote:
It's been suggested that we connect a high volume feed to/from an external third-party over MQ - not using standard sender/receiver channels but using cluster channels.
That is we would connect to one of the other party's clusters (and FRs) by joining that cluster.
Given the connections will have to traverse firewalls and NAT at both ends - this seems like it might be complicated?
Any views on this or is it better to keep clustering purely internal and not expose it outside an organisation?

That doesn't seem to be a very informed suggestion that is based on MQ best practice for B2B. I would not use an MQ Cluster in this situation. Consider using sender/receiver channels, with TLS. Consider using MQ Client, with TLS. Consider using Internet Pass-Thru. Consider using a gateway queue manager.

Carefully read Chapter 10 in IBM Redbook "Secure Messaging Scenarios With WebSphere MQ".
_________________
Glenn
PeterPotkay
Posted: Wed Sep 15, 2021 3:44 pm

Poobah

Joined: 15 May 2001
Posts: 7717

If you go standard SNDR/RCVR channels, the availability of the 2 QMs on either end becomes critical, perhaps requiring the use of complicating methods like RDQM or Multi Instance or MQ Appliance or Shared QM Groups if z/OS. And/or you try to make it work with 2 simple QMs on each end each with their own SNDR/RCVR pair and get slick with clustered alias definition to load balance the work across these 2 paths for H.A. reasons.

Contrast that with adding your QM into their MQ Cluster and their MQ Full Repositories making your QM aware of all possible paths to all possible destination QMs in their cluster, QMs that individually might be running on simple solutions but collectively offer a very highly available destination for the next transaction.

At first glance, it just seems easier to add your QM into their cluster, no? But with Firewalls and NATs, TLS certs and other security related implications, it's probably a lot more complicated to correctly and securely add your QM into their cluster. I would advise against this and frankly the primary pushback should be coming from them who should be protective of their MQ Cluster. I'd be surprised (pleasantly) if you didn't have free rein to put to some if not every queue on every QM in their cluster if you were added to their cluster.
_________________
Peter Potkay
Keep Calm and MQ On
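
An added example, not code from any poster or from IBM's documentation: the gateway-to-gateway sender/receiver pairing with TLS that bruce2359 and gbaddeley describe, with channel authentication and put authority on the inbound side limiting the exposure PeterPotkay raises. It assumes the third party's gateway is a distributed (non-z/OS) queue manager at MQ 8.0 or later; every queue manager, channel and queue name, host, address, DN and user ID below is hypothetical.

```mqsc
* Added example. All names, hosts, addresses, DNs and user IDs are hypothetical.

* --- Our gateway qmgr (OURGW): outbound side --------------------------------
DEFINE QLOCAL('THEIRGW') USAGE(XMITQ)
* SSLPEER makes the sender refuse any partner certificate but the expected one
DEFINE CHANNEL('OURGW.TO.THEIRGW') CHLTYPE(SDR) TRPTYPE(TCP) +
       CONNAME('mq-gw.partner.example(1414)') XMITQ('THEIRGW') +
       SSLCIPH('ECDHE_RSA_AES_256_GCM_SHA384') +
       SSLPEER('CN=THEIRGW,O=Partner Example')
* Applications put here; 'ANY.CLUSTER' is a qmgr alias resolved on THEIRGW
DEFINE QREMOTE('PARTNER.FEED') RNAME('FEED.IN') +
       RQMNAME('ANY.CLUSTER') XMITQ('THEIRGW')

* --- Their gateway qmgr (THEIRGW): inbound side -----------------------------
* SSLCAUTH(REQUIRED) = mutual TLS; PUTAUT(DEF) = puts run as the channel's user
DEFINE CHANNEL('OURGW.TO.THEIRGW') CHLTYPE(RCVR) TRPTYPE(TCP) +
       SSLCIPH('ECDHE_RSA_AES_256_GCM_SHA384') SSLCAUTH(REQUIRED) +
       PUTAUT(DEF)
* Deny this channel to everyone by default ...
SET CHLAUTH('OURGW.TO.THEIRGW') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS)
* ... then admit only our certificate DN arriving from our NAT address,
* mapped to a low-privilege user that is not in the mqm group
SET CHLAUTH('OURGW.TO.THEIRGW') TYPE(SSLPEERMAP) +
    SSLPEER('CN=OURGW,O=Our Org Example') ADDRESS('203.0.113.10') +
    USERSRC(MAP) MCAUSER('b2bfeed')
* Blank qmgr alias: strips the qmgr name from arriving messages so normal
* cluster name resolution on THEIRGW chooses where FEED.IN is delivered
DEFINE QREMOTE('ANY.CLUSTER') RNAME(' ') RQMNAME(' ')
* The mapped user may put to the one feed queue and nothing else
SET AUTHREC PROFILE('FEED.IN') OBJTYPE(QUEUE) +
    PRINCIPAL('b2bfeed') AUTHADD(PUT)
```

If FEED.IN is a cluster queue hosted on another queue manager, the default check is against SYSTEM.CLUSTER.TRANSMIT.QUEUE, and granting put there opens every queue in the cluster. Setting `ClusterQueueAccessControl=RQMName` in the Security stanza of qm.ini makes the check use the named queue profile instead.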
zpat
Posted: Wed Sep 15, 2021 11:24 pm

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Thanks, I guess the MQ cluster would be dedicated for gateway purposes but it does still open up Pandora's Box to an extent.

Our end has HA using a QSG on z/OS.

There will be more than one QM at the third party end, but not sure of exactly how it will be hosted in terms of failover.

MQ clustering, of course, is not a HA solution per se - messages once delivered to a QM can become orphaned, unless a means to recover access to them is included.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.