zpat |
Posted: Tue Mar 15, 2022 5:56 am Post subject: HTTPS to MQ - use MQ REST or MQ IPT? |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
I have a requirement which could be solved if I could provide a means to put and get MQ messages over https.
The originating application would be based outside our network and then connect to our backends over https via Firewalls and F5 etc to a MQ QM endpoint.
If I wanted to enable such https connectivity to MQ there are several options possible, such as using MQ IPT (Internet Pass Thru) or the more recent MQ REST interface.
Neither of these is used by us currently. Which would people favour for this requirement (assume the MQ QM is z/OS based)? MQ version 9.2 will be available. _________________ Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
 |
bruce2359 |
Posted: Tue Mar 15, 2022 9:17 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
|
 |
zpat |
Posted: Tue Mar 15, 2022 4:28 pm Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
No, that is another model using Datapower (which is also an option for us).
However I was referring to the (now) standard MQ product features of MQIPT or MQ/REST.
The application can use Web Services (https) or the MQI. However we do not accept direct MQ connections through our DMZ (NLZ).
|
 |
hughson |
Posted: Tue Mar 15, 2022 7:41 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
I expect the choice may come down to what your application needs to do. The REST MQ API spelling is not complete compared to the full MQ API, so if you need anything that is not part of that interface then that will make your decision for you. For example, I don't think the REST API can do anything transactionally yet?
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
 |
zpat |
Posted: Tue Mar 15, 2022 11:55 pm Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Is there any presentation or diagrams showing MQ IPT?
I am a little confused - is it a protocol bridge (converts https to MQ) or is it used to transport MQ messages over https?
In the case of the latter, one would presumably need two MQ IPT installations - one at each end?
|
 |
PeterPotkay |
Posted: Thu Mar 17, 2022 1:05 pm Post subject: Re: HTTPS to MQ - use MQ REST or MQ IPT? |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
zpat wrote: |
The originating application would be based outside our network |
Since you mentioned you have the DataPower option....
I'd lean towards directing this HTTPS call to the DataPower appliance where it can introduce some level of threat protection before making the protocol switch to MQ.
I'd rather have my DataPower appliance connecting to my queue manager versus some app outside of my control running on some network outside of my control.
I'd rather have a DataPower appliance be the front line defender against this app from another network than my queue manager. _________________ Peter Potkay
Keep Calm and MQ On |
|
 |
hughson |
Posted: Thu Mar 17, 2022 8:10 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
zpat wrote: |
Is there any presentation or diagrams showing MQ IPT? |
Do these help?
Possible configurations of MQIPT
zpat wrote: |
I am a little confused - is it a protocol bridge (converts https to MQ) or is it used to transport MQ messages over https? |
I don't think MQIPT is a protocol bridge. I believe the applications at either end are always speaking "MQ FAP". It can be a tunnel over HTTP and it can be used to proxy SSL and even add a session break, but not a protocol bridge.
zpat wrote: |
we do not accept direct MQ connections through our DMZ |
I think MQIPT is designed for this. You would have the MQ Client application using MQI, connect to MQ IPT and tunnel through DMZ over HTTP[S] then out the other end to the queue manager as MQ FAP again.
Cheers,
Morag
|
 |
zpat |
Posted: Fri Mar 18, 2022 10:02 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Thanks for the link.
I should point out that this 3rd party application and MQ client would be hosted in their own AWS (Amazon Web Services) region - and on that side of the fence the 3rd party are not willing to host a MQ QM, nor I suspect a MQ IPT, in their AWS (as they can't support it).
However it might be possible to talk FAP into the DMZ as long as the connection is terminated there by IPT. But in that case it could just be a QM hosted in the DMZ, is there any advantage of using IPT like that?
It's yet another situation where contractual issues and support boundaries are the main challenge, rather than the capabilities of IBM MQ software.
|
 |
hughson |
Posted: Fri Mar 18, 2022 3:29 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
zpat wrote: |
However it might be possible to talk FAP into the DMZ as long as the connection is terminated there by IPT. But in that case it could just be a QM hosted in the DMZ, is there any advantage of using IPT like that? |
I think the answer is in the question there. The advantage of using MQIPT like that is to avoid having a QM in the DMZ. Many folks don't like having a QM in the DMZ, as, even though it may not host any application queues, there still may be messages "at rest" in the DMZ on transmission queues and such.
Cheers,
Morag
|
 |
zpat |
Posted: Tue Mar 22, 2022 1:56 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Thanks - looks like MQ IPT is a good option.
One more question - does MQ IPT offer any facility to inspect the MQI traffic or any other audit options?
Our security people would like some way to "inspect" what might be flowing through it to make sure nothing untoward was sent.
This is a bit at odds with having no data visible at rest - I suppose pub/sub to an "audit" queue would be one way to capture messages on a standard QM.
|