MQ cluster, proxy, and NAT

Discussion:

LM Demey (MQ)

2013-09-29 21:45:35 UTC

Hi all,

I just came across an unexpected configuration problem on MQ clusters.

Consider an MQ cluster that allows the exchange of messages between the
two companies.
Here is an extract of the configuration:

QM1
company A
Full repo
DMZ 1
192.168.0.1

QM2
company A
partial repo
DMZ 1
192.168.0.2

QM3
company B
partial repo
DMZ 2
192.168.1.3

DMZ1 DMZ2 and are connected by a proxy that is doing NAT:

192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3

To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP will
be natted to 192.168.0.1 by the proxy. So QM3 is able to communicate
with QM1.
But the return channel can not be established because the Full Repo
attempts to contact QM3 on 192.168.1.3, which is not known in the DMZ2.

The solution seems to be to configure the channel CLUSRCVR in QM3 with
192.168.0.3, so that the address would that be natted to 192.168.1.3
while crossing the PROXY.

In fact it is necessary that all CLUSRCVR channels not indicate the IP
address of QM, but that by which they are known to the proxy.

As a result, the link between QM1 and QM2 will also have to go through
the proxy

What do you think? Is this the right way to configure a cluster MQ
located on either side of a proxy?

Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

Neil Casey

2013-09-30 04:23:14 UTC

Permalink

Hi Luc-Michel,

there are a couple of different issues here, and you have correctly identified that proxy addresses are one of them.

Firstly I would generally recommend to try to avoid using MQ clusters for B2B connectivity because they make management of the separation of the administrative scope much more difficult. They can also present some security challenges. That being said, if you do go down this path, there are a couple of things that you can do.

1. Use MQIPT. MQIPT with it's socks proxy capability can help with some of the issues with address resolution, and also help with SSL certificate validation and allowing your queue manager (actually MQIPT) to present different certificates internally and externally, or to different external partners.

2. Use host names in the receiver channel conname field instead of an address. Then use the /etc/hosts file to resolve the names. This allows your internal and external address resolution to be different, which is needed for a cluster to work as you have described. The internal servers can define the actual addresses. The external servers can define the natted addresses.

Regards,

Neil Casey

Post by LM Demey (MQ)
Hi all,
I just came across an unexpected configuration problem on MQ clusters.
Consider an MQ cluster that allows the exchange of messages between the two companies.
QM1
company A
Full repo
DMZ 1
192.168.0.1
QM2
company A
partial repo
DMZ 1
192.168.0.2
QM3
company B
partial repo
DMZ 2
192.168.1.3
192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3
To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP will be natted to 192.168.0.1 by the proxy. So QM3 is able to communicate with QM1.
But the return channel can not be established because the Full Repo attempts to contact QM3 on 192.168.1.3, which is not known in the DMZ2.
The solution seems to be to configure the channel CLUSRCVR in QM3 with 192.168.0.3, so that the address would that be natted to 192.168.1.3 while crossing the PROXY.
In fact it is necessary that all CLUSRCVR channels not indicate the IP address of QM, but that by which they are known to the proxy.
As a result, the link between QM1 and QM2 will also have to go through the proxy
What do you think? Is this the right way to configure a cluster MQ located on either side of a proxy?
Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr
List Archive - Manage Your List Settings - Unsubscribe
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

gshubert-MaERPT+

2013-09-30 13:31:31 UTC

Permalink

We ran across that very scenario, and ended up using DNS names to "hide"
the real IP addresses.

Thank you,

Glen Shubert
Associate Director - Operations
T|SYS| - MQSeries Technical Support
email: gshubert-***@public.gmane.org

From: "LM Demey (MQ)" <lmd-4gGhCVI4xPzA+***@public.gmane.org>
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Date: 09/29/2013 11:46 PM
Subject: MQ cluster, proxy, and NAT
Sent by: MQSeries List <MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org>

Hi all,

I just came across an unexpected configuration problem on MQ clusters.

Consider an MQ cluster that allows the exchange of messages between the
two companies.
Here is an extract of the configuration:

QM1
company A
Full repo
DMZ 1
192.168.0.1

QM2
company A
partial repo
DMZ 1
192.168.0.2

QM3
company B
partial repo
DMZ 2
192.168.1.3

DMZ1 DMZ2 and are connected by a proxy that is doing NAT:

192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3

To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP will be
natted to 192.168.0.1 by the proxy. So QM3 is able to communicate with
QM1.
But the return channel can not be established because the Full Repo
attempts to contact QM3 on 192.168.1.3, which is not known in the DMZ2.

The solution seems to be to configure the channel CLUSRCVR in QM3 with
192.168.0.3, so that the address would that be natted to 192.168.1.3 while
crossing the PROXY.

In fact it is necessary that all CLUSRCVR channels not indicate the IP
address of QM, but that by which they are known to the proxy.

As a result, the link between QM1 and QM2 will also have to go through the
proxy

What do you think? Is this the right way to configure a cluster MQ located
on either side of a proxy?

Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

List Archive - Manage Your List Settings - Unsubscribe
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com

-----------------------------------------
The information contained in this communication (including any
attachments hereto) is confidential and is intended solely for the
personal and confidential use of the individual or entity to whom
it is addressed. If the reader of this message is not the intended
recipient or an agent responsible for delivering it to the intended
recipient, you are hereby notified that you have received this
communication in error and that any review, dissemination, copying,
or unauthorized use of this information, or the taking of any
action in reliance on the contents of this information is strictly
prohibited. If you have received this communication in error,
please notify us immediately by e-mail, and delete the original
message. Thank you

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

LM Demey (MQ)

2013-09-30 13:45:37 UTC

Permalink

Hi Neil,

Thank you for the information, it does appear to be an excellent solution.

MQ clusters are here to ensure high availability of MQ link between the
two companies. In fact there are on each side of the proxy two Partial
Repo, located in different data centers, a way to maximize the level of
service.

Initially, the technical architecture was not made by me, so I could not
offer the MS81.
I've used it in a simple configuration, but this function is totally
under-marketed by IBM (MQ 81 = an obscure supportpack!). So it is
difficult for customers to think about it.

I will implement your suggestion about host names. Thanks.

Post by Neil Casey
Hi Luc-Michel,
there are a couple of different issues here, and you have correctly
identified that proxy addresses are one of them.
Firstly I would generally recommend to try to avoid using MQ clusters
for B2B connectivity because they make management of the separation of
the administrative scope much more difficult. They can also present
some security challenges. That being said, if you do go down this
path, there are a couple of things that you can do.
1. Use MQIPT. MQIPT with it's socks proxy capability can help with
some of the issues with address resolution, and also help with SSL
certificate validation and allowing your queue manager (actually
MQIPT) to present different certificates internally and externally, or
to different external partners.
2. Use host names in the receiver channel conname field instead of an
address. Then use the /etc/hosts file to resolve the names. This
allows your internal and external address resolution to be different,
which is needed for a cluster to work as you have described. The
internal servers can define the actual addresses. The external servers
can define the natted addresses.
Regards,
Neil Casey

Post by LM Demey (MQ)
Hi all,
I just came across an unexpected configuration problem on MQ clusters.
Consider an MQ cluster that allows the exchange of messages between
the two companies.
QM1
company A
Full repo
DMZ 1
192.168.0.1
QM2
company A
partial repo
DMZ 1
192.168.0.2
QM3
company B
partial repo
DMZ 2
192.168.1.3
192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3
To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP
will be natted to 192.168.0.1 by the proxy. So QM3 is able to
communicate with QM1.
But the return channel can not be established because the Full Repo
attempts to contact QM3 on 192.168.1.3, which is not known in the DMZ2.
The solution seems to be to configure the channel CLUSRCVR in QM3
with 192.168.0.3, so that the address would that be natted to
192.168.1.3 while crossing the PROXY.
In fact it is necessary that all CLUSRCVR channels not indicate the
IP address of QM, but that by which they are known to the proxy.
As a result, the link between QM1 and QM2 will also have to go
through the proxy
What do you think? Is this the right way to configure a cluster MQ
located on either side of a proxy?
Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr
------------------------------------------------------------------------
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html>
- Manage Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
Instructions for managing your mailing list subscription are provided
in the Listserv General Users Guide available at http://www.lsoft.com
<http://www.lsoft.com/resources/manuals.asp>

------------------------------------------------------------------------
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html>
- Manage Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
Instructions for managing your mailing list subscription are provided
in the Listserv General Users Guide available at http://www.lsoft.com
<http://www.lsoft.com/resources/manuals.asp>

--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

T.Rob

2013-09-30 14:27:58 UTC

Permalink

Hi Luc-Michel,

I'm a strong opponent of clusters across B2B boundaries. However, if you *must* do this, consider the following:

Â· Make sure your CLUSRCVR has an MCAUSER that does *not* allow inbound messages to land directly on any transmit queue or the command queue. Ideally, use v7.1 or higher and set up dynamic MCAUSER on the CLUSRCVR channels to restrict inbound channels from internal and external QMgrs to different sets of objects.

Â· If you use triggering in any way, also disallow messages from landing on queues that trigger monitors listen on.

Â· Make sure the firewall rules enumerate the specific IP addresses and ports used by the channels and not routing an entire subnet.

Â· Do not allow the B2B QMgrs to participate in your regular internal cluster. Instead, set up an overlapping cluster that contains only the subset of QMgrs which require the ability to exchange messages with the B2B edge QMgrs. (Make sure the cluster channels are unique to the cluster and do not use a cluster namelist. Another example of why the convention TO.<qmgr> is so horrible.)

Â· Make sure that all routes through the QMgrs only pass through enumerated QALIAS definitions or QREMOTE definitions. No application queues on the B2B edge QMgrs, no QMgr-routing through XMitQs.

Â· Make sure that the internal QMgrs similarly use restricted MCAUSER values on their CLUSRCVR so that messages arriving from the B2B edge QMgrs cannot go to unspecified queues.

And for anyone reading this and thinking "oh good, here's a handy checklist to secure a B2B cluster", please don't. It's a checklist to somewhat mitigate the vulnerabilities of a B2B cluster and that's all. There is no way to secure a B2B cluster adequately because to offer B2B clustering is by definition to allow an extraordinary amount of visibility and control into the local network up to, in most cases including, full admin access. Remember that one of the stated design goals of WMQ clusters is specifically to relieve you from some of the administrative tasks. There is no option for clustering that says "please do the helpful load balancing things but don't do the administrative things and don't expose my entire namespace to the cluster." Even if a CHAD exit enforces policy on the channels, you don't get the benefits of clustering without giving up control of the cluster's namespace, which means control of how the resolution of routing works.

The right answer here for Luc-Michel and anyone else using B2B clusters is to get to V7.1 or higher and use multi-instance CONNAME and CHLAUTH rules at the edge QMgrs for the external-facing channels. Those QMgrs can participate in the *internal* cluster but not offer clustering to 3rd parties. Between the QMgr and the business partner can be MQIPT and all of the security described in the Redbook but this is the minimum on the QMgr itself.

If you are a WMQ administrator and have a B2B cluster, please make certain that you have either received sign-off from someone higher than your pay grade who has accepted the extraordinary risk (and get this updated yearly), or that you have definite plans to move to a modern version of WMQ that does not require clustering through the firewall.

If you are a WMQ administrator and have either a single B2B cluster that is used by multiple 3rd parties or else have B2B edge QMgrs that participate in multiple overlapping B2B clusters, then sell your stock and update your resume.

-- T.Rob

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of LM Demey (MQ)
Sent: Monday, September 30, 2013 9:46 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

Hi Neil,

Thank you for the information, it does appear to be an excellent solution.

MQ clusters are here to ensure high availability of MQ link between the two companies. In fact there are on each side of the proxy two Partial Repo, located in different data centers, a way to maximize the level of service.

Initially, the technical architecture was not made ââby me, so I could not offer the MS81.
I've used it in a simple configuration, but this function is totally under-marketed by IBM (MQ 81 = an obscure supportpack!). So it is difficult for customers to think about it.

I will implement your suggestion about host names. Thanks.

Le 30/09/2013 06:23, Neil Casey a Ã©crit :

Hi Luc-Michel,

there are a couple of different issues here, and you have correctly identified that proxy addresses are one of them.

Firstly I would generally recommend to try to avoid using MQ clusters for B2B connectivity because they make management of the separation of the administrative scope much more difficult. They can also present some security challenges. That being said, if you do go down this path, there are a couple of things that you can do.

1. Use MQIPT. MQIPT with it's socks proxy capability can help with some of the issues with address resolution, and also help with SSL certificate validation and allowing your queue manager (actually MQIPT) to present different certificates internally and externally, or to different external partners.

2. Use host names in the receiver channel conname field instead of an address. Then use the /etc/hosts file to resolve the names. This allows your internal and external address resolution to be different, which is needed for a cluster to work as you have described. The internal servers can define the actual addresses. The external servers can define the natted addresses.

Regards,

Neil Casey

mailto:Neil_Casey-8K57OPj+***@public.gmane.org mobile: +61 414 615 334

On 30/09/2013, at 7:45 AM, LM Demey (MQ) <lmd-4gGhCVI4xPzA+***@public.gmane.org> wrote:

Hi all,

I just came across an unexpected configuration problem on MQ clusters.

Consider an MQ cluster that allows the exchange of messages between the two companies.
Here is an extract of the configuration:

QM1
company A
Full repo
DMZ 1
192.168.0.1

QM2
company A
partial repo
DMZ 1
192.168.0.2

QM3
company B
partial repo
DMZ 2
192.168.1.3

DMZ1 DMZ2 and are connected by a proxy that is doing NAT:

192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3

To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP will be natted to 192.168.0.1 by the proxy. So QM3 is able to communicate with QM1.
But the return channel can not be established because the Full Repo attempts to contact QM3 on 192.168.1.3, which is not known in the DMZ2.

The solution seems to be to configure the channel CLUSRCVR in QM3 with 192.168.0.3, so that the address would that be natted to 192.168.1.3 while crossing the PROXY.

In fact it is necessary that all CLUSRCVR channels not indicate the IP address of QM, but that by which they are known to the proxy.

As a result, the link between QM1 and QM2 will also have to go through the proxy

What do you think? Is this the right way to configure a cluster MQ located on either side of a proxy?

Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

LM Demey (MQ)

2013-09-30 20:16:16 UTC

Permalink

Hi TRob,

In this project, no choice, I *must* !
The whole setup is a little more complex:
There are three interconnected clusters, the one in the middle act
as gateway and contains cluster alias queues and alias Queue Manager
cluster.
No apps nor triggering in the middle cluster.
Strict routing rules (a bit too much for now!) protect servers and SSL
with SSL peer filtering will be configured.
MCAUSER and / or CHLAUTHare still in discussion.

Multi-instance was not a solution because by design there is no way to
share a disk betweendata centers.

Clearly there would still be room for improvement, but compared to what
we see in other cases, the security level is reasonable.

As usual, the goal is to build a sufficiently advanced system, but still
manageable and understandable by operators in charge of production.

Regards, LMD.

Post by Neil Casey
Hi Luc-Michel,
I'm a strong opponent of clusters across B2B boundaries. However, if
Â· Make sure your CLUSRCVR has an MCAUSER that does **not**
allow inbound messages to land directly on any transmit queue or the
command queue. Ideally, use v7.1 or higher and set up dynamic MCAUSER
on the CLUSRCVR channels to restrict inbound channels from internal
and external QMgrs to different sets of objects.
Â· If you use triggering in any way, also disallow messages from
landing on queues that trigger monitors listen on.
Â· Make sure the firewall rules enumerate the specific IP
addresses and ports used by the channels and not routing an entire subnet.
Â· Do not allow the B2B QMgrs to participate in your regular
internal cluster. Instead, set up an overlapping cluster that
contains only the subset of QMgrs which require the ability to
exchange messages with the B2B edge QMgrs. (Make sure the cluster
channels are unique to the cluster and do not use a cluster namelist.
Another example of why the convention TO.<qmgr> is so horrible.)
Â· Make sure that all routes through the QMgrs only pass through
enumerated QALIAS definitions or QREMOTE definitions. No application
queues on the B2B edge QMgrs, no QMgr-routing through XMitQs.
Â· Make sure that the internal QMgrs similarly use restricted
MCAUSER values on their CLUSRCVR so that messages arriving from the
B2B edge QMgrs cannot go to unspecified queues.
And for anyone reading this and thinking "oh good, here's a handy
checklist to secure a B2B cluster", please don't. It's a checklist to
somewhat mitigate the vulnerabilities of a B2B cluster and that's
all. There is no way to secure a B2B cluster adequately because to
offer B2B clustering is by definition to allow an extraordinary amount
of visibility and control into the local network up to, in most cases
including, full admin access. Remember that one of the stated design
goals of WMQ clusters is specifically to relieve you from some of the
administrative tasks. There is no option for clustering that says
"please do the helpful load balancing things but don't do the
administrative things and don't expose my entire namespace to the
cluster." Even if a CHAD exit enforces policy on the channels, you
don't get the benefits of clustering without giving up control of the
cluster's namespace, which means control of how the resolution of
routing works.
The right answer here for Luc-Michel and anyone else using B2B
clusters is to get to V7.1 or higher and use multi-instance CONNAME
and CHLAUTH rules at the edge QMgrs for the external-facing channels.
Those QMgrs can participate in the **internal** cluster but not offer
clustering to 3^rd parties. Between the QMgr and the business partner
can be MQIPT and all of the security described in the Redbook but this
is the minimum on the QMgr itself.
If you are a WMQ administrator and have a B2B cluster, please make
certain that you have either received sign-off from someone higher
than your pay grade who has accepted the extraordinary risk (and get
this updated yearly), or that you have definite plans to move to a
modern version of WMQ that does not require clustering through the
firewall.
If you are a WMQ administrator and have either a single B2B cluster
that is used by multiple 3^rd parties or else have B2B edge QMgrs that
participate in multiple overlapping B2B clusters, then sell your stock
and update your resume.
-- T.Rob
Behalf Of *LM Demey (MQ)
*Sent:* Monday, September 30, 2013 9:46 AM
*Subject:* Re: MQ cluster, proxy, and NAT
Hi Neil,
Thank youfor the information, it does appear to be an excellent solution.
MQ clusters are here to ensure high availability of MQ link between
the two companies. In fact there are on each side of the proxy two
Partial Repo, located in different data centers, a way to maximize the
level of service.
Initially, the technical architecture was not made ââby me, so I could
not offer the MS81.
I've used it in a simple configuration, but this function is totally
under-marketed by IBM (MQ 81 = an obscure supportpack!). So it is
difficult for customers to think about it.
I will implement your suggestion about host names. Thanks.
Hi Luc-Michel,
there are a couple of different issues here, and you have
correctly identified that proxy addresses are one of them.
Firstly I would generally recommend to try to avoid using MQ
clusters for B2B connectivity because they make management of the
separation of the administrative scope much more difficult. They
can also present some security challenges. That being said, if you
do go down this path, there are a couple of things that you can do.
1. Use MQIPT. MQIPT with it's socks proxy capability can help with
some of the issues with address resolution, and also help with SSL
certificate validation and allowing your queue manager (actually
MQIPT) to present different certificates internally and
externally, or to different external partners.
2. Use host names in the receiver channel conname field instead of
an address. Then use the /etc/hosts file to resolve the names.
This allows your internal and external address resolution to be
different, which is needed for a cluster to work as you have
described. The internal servers can define the actual addresses.
The external servers can define the natted addresses.
Regards,
Neil Casey
Hi all,
I just came across an unexpected configuration problem on MQ clusters.
Consider an MQ cluster that allows the exchange of messages
between the two companies.
QM1
company A
Full repo
DMZ 1
192.168.0.1
QM2
company A
partial repo
DMZ 1
192.168.0.2
QM3
company B
partial repo
DMZ 2
192.168.1.3
192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3
To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP
will be natted to 192.168.0.1 by the proxy. So QM3 is able to
communicate with QM1.
But the return channel can not be established because the Full
Repo attempts to contact QM3 on 192.168.1.3, which is not known in
the DMZ2.
The solution seems to be to configure the channel CLUSRCVR in QM3
with 192.168.0.3, so that the address would that be natted to
192.168.1.3 while crossing the PROXY.
In fact it is necessary that all CLUSRCVR channels not indicate
the IP address of QM, but that by which they are known to the proxy.
As a result, the link between QM1 and QM2 will also have to go
through the proxy
What do you think? Is this the right way to configure a cluster MQ
located on either side of a proxy?
Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr
------------------------------------------------------------------------
List Archive
<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage
Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
Instructions for managing your mailing list subscription are
provided in the Listserv General Users Guide available at
http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
------------------------------------------------------------------------
List Archive
<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage
Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
Instructions for managing your mailing list subscription are
provided in the Listserv General Users Guide available at
http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr
------------------------------------------------------------------------
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html>
- Manage Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
Instructions for managing your mailing list subscription are provided
in the Listserv General Users Guide available at http://www.lsoft.com
<http://www.lsoft.com/resources/manuals.asp>
------------------------------------------------------------------------
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html>
- Manage Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
Instructions for managing your mailing list subscription are provided
in the Listserv General Users Guide available at http://www.lsoft.com
<http://www.lsoft.com/resources/manuals.asp>

T.Rob

2013-09-30 21:00:31 UTC

Permalink

Understood. Quick clarification on one point, though. When I said multi-instance CONNAME that does not necessarily imply multi-instance QMgrs.

Without MCAUSER and CHLAUTH, the QMgr can be administered by the adjacent upstream QMgr. If none of the QMgrs have this protection, it's possible for someone outside the company to have complete administrative control, including the ability to execute arbitrary OS commands, on the internal QMgrs. Hopefully the "discussion" revolves around either securing these effectively or else getting that "get out of jail free" memo I mentioned in the previous email. Keep escalating until you find someone with funding authority who *could* make it happen but signs off on the risk. It can be marginally helpful to get sign-off by someone not actually in a position to fund the remediation but not ideal. I have from time to time seen Operations managers sign off on risk rather than telling the business users about it or spending their political capital trying to get the remdiation funded. Then when the business users find out just how exposed they are, the Ops manager scapegoats the WMQ admin claiming they hadn't been properly informed.

(On the other hand, the people I've known who were fired over this have universally said later it turned out to be good for them. Companies who ignore risk until they can't hide it any longer and then blame the exposure on the very line manager who tried to do something about it tend to be sub-optimal as employers.)

-- T.Rob

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of LM Demey (MQ)
Sent: Monday, September 30, 2013 16:16 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

Hi TRob,

In this project, no choice, I *must* !
The whole setup is a little more complex:
There are three interconnected clusters, the one in the middle act as gateway and contains cluster alias queues and alias Queue Manager cluster.
No apps nor triggering in the middle cluster.
Strict routing rules (a bit too much for now!) protect servers and SSL with SSL peer filtering will be configured.
MCAUSER and / or CHLAUTH are still in discussion.

Multi-instance was not a solution because by design there is no way to share a disk between data centers.

Clearly there would still be room for improvement, but compared to what we see in other cases, the security level is reasonable.

As usual, the goal is to build a sufficiently advanced system, but still manageable and understandable by operators in charge of production.

Regards, LMD.

Le 30/09/2013 16:27, T.Rob a Ã©crit :

Hi Luc-Michel,

I'm a strong opponent of clusters across B2B boundaries. However, if you *must* do this, consider the following:

1. Make sure your CLUSRCVR has an MCAUSER that does *not* allow inbound messages to land directly on any transmit queue or the command queue. Ideally, use v7.1 or higher and set up dynamic MCAUSER on the CLUSRCVR channels to restrict inbound channels from internal and external QMgrs to different sets of objects.

2. If you use triggering in any way, also disallow messages from landing on queues that trigger monitors listen on.

3. Make sure the firewall rules enumerate the specific IP addresses and ports used by the channels and not routing an entire subnet.

4. Do not allow the B2B QMgrs to participate in your regular internal cluster. Instead, set up an overlapping cluster that contains only the subset of QMgrs which require the ability to exchange messages with the B2B edge QMgrs. (Make sure the cluster channels are unique to the cluster and do not use a cluster namelist. Another example of why the convention TO.<qmgr> is so horrible.)

5. Make sure that all routes through the QMgrs only pass through enumerated QALIAS definitions or QREMOTE definitions. No application queues on the B2B edge QMgrs, no QMgr-routing through XMitQs.

6. Make sure that the internal QMgrs similarly use restricted MCAUSER values on their CLUSRCVR so that messages arriving from the B2B edge QMgrs cannot go to unspecified queues.

And for anyone reading this and thinking "oh good, here's a handy checklist to secure a B2B cluster", please don't. It's a checklist to somewhat mitigate the vulnerabilities of a B2B cluster and that's all. There is no way to secure a B2B cluster adequately because to offer B2B clustering is by definition to allow an extraordinary amount of visibility and control into the local network up to, in most cases including, full admin access. Remember that one of the stated design goals of WMQ clusters is specifically to relieve you from some of the administrative tasks. There is no option for clustering that says "please do the helpful load balancing things but don't do the administrative things and don't expose my entire namespace to the cluster." Even if a CHAD exit enforces policy on the channels, you don't get the benefits of clustering without giving up control of the cluster's namespace, which means control of how the resolution of routing works.

The right answer here for Luc-Michel and anyone else using B2B clusters is to get to V7.1 or higher and use multi-instance CONNAME and CHLAUTH rules at the edge QMgrs for the external-facing channels. Those QMgrs can participate in the *internal* cluster but not offer clustering to 3rd parties. Between the QMgr and the business partner can be MQIPT and all of the security described in the Redbook but this is the minimum on the QMgr itself.

If you are a WMQ administrator and have a B2B cluster, please make certain that you have either received sign-off from someone higher than your pay grade who has accepted the extraordinary risk (and get this updated yearly), or that you have definite plans to move to a modern version of WMQ that does not require clustering through the firewall.

If you are a WMQ administrator and have either a single B2B cluster that is used by multiple 3rd parties or else have B2B edge QMgrs that participate in multiple overlapping B2B clusters, then sell your stock and update your resume.

-- T.Rob

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of LM Demey (MQ)
Sent: Monday, September 30, 2013 9:46 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

Hi Neil,

Thank you for the information, it does appear to be an excellent solution.

MQ clusters are here to ensure high availability of MQ link between the two companies. In fact there are on each side of the proxy two Partial Repo, located in different data centers, a way to maximize the level of service.

Initially, the technical architecture was not made ââby me, so I could not offer the MS81.
I've used it in a simple configuration, but this function is totally under-marketed by IBM (MQ 81 = an obscure supportpack!). So it is difficult for customers to think about it.

I will implement your suggestion about host names. Thanks.

Le 30/09/2013 06:23, Neil Casey a Ã©crit :

Hi Luc-Michel,

there are a couple of different issues here, and you have correctly identified that proxy addresses are one of them.

Firstly I would generally recommend to try to avoid using MQ clusters for B2B connectivity because they make management of the separation of the administrative scope much more difficult. They can also present some security challenges. That being said, if you do go down this path, there are a couple of things that you can do.

1. Use MQIPT. MQIPT with it's socks proxy capability can help with some of the issues with address resolution, and also help with SSL certificate validation and allowing your queue manager (actually MQIPT) to present different certificates internally and externally, or to different external partners.

2. Use host names in the receiver channel conname field instead of an address. Then use the /etc/hosts file to resolve the names. This allows your internal and external address resolution to be different, which is needed for a cluster to work as you have described. The internal servers can define the actual addresses. The external servers can define the natted addresses.

Regards,

Neil Casey

mailto:Neil_Casey-8K57OPj+***@public.gmane.org mobile: +61 414 615 334

On 30/09/2013, at 7:45 AM, LM Demey (MQ) <lmd-4gGhCVI4xPzA+***@public.gmane.org> wrote:

Hi all,

I just came across an unexpected configuration problem on MQ clusters.

Consider an MQ cluster that allows the exchange of messages between the two companies.
Here is an extract of the configuration:

QM1
company A
Full repo
DMZ 1
192.168.0.1

QM2
company A
partial repo
DMZ 1
192.168.0.2

QM3
company B
partial repo
DMZ 2
192.168.1.3

DMZ1 DMZ2 and are connected by a proxy that is doing NAT:

192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3

To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP will be natted to 192.168.0.1 by the proxy. So QM3 is able to communicate with QM1.
But the return channel can not be established because the Full Repo attempts to contact QM3 on 192.168.1.3, which is not known in the DMZ2.

The solution seems to be to configure the channel CLUSRCVR in QM3 with 192.168.0.3, so that the address would that be natted to 192.168.1.3 while crossing the PROXY.

In fact it is necessary that all CLUSRCVR channels not indicate the IP address of QM, but that by which they are known to the proxy.

As a result, the link between QM1 and QM2 will also have to go through the proxy

What do you think? Is this the right way to configure a cluster MQ located on either side of a proxy?

Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

Potkay, Peter M (CTO Architecture + Engineering)

2013-10-01 12:19:27 UTC

Permalink

âWhen I said multi-instance CONNAME that does not necessarily imply multi-instance QMgrsâ

:-? I thought it did. Otherwise the sending QM flipping to the secondary conname in its SNDR channel definition would only find itself talking to a RCVR channel on other QM and the sequence numbers would be off.

I had assumed you were going down the path of proposing traditional point to point channels (SNDR/RCVR or SNDR/RQSTR), optionally thru MQIPT, between companies, where the availability concerns of the single Edge Queue Manager is mitigated by making it a multi instance QM.

How else can you use multi instance CONNAMES in a QM to QM channel if not to a multi instance QM? To a Backup QM I suppose is one option.

Peter Potkay

From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of T.Rob
Sent: Monday, September 30, 2013 5:01 PM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT
Subject: Re: MQ cluster, proxy, and NAT

Understood. Quick clarification on one point, though. When I said multi-instance CONNAME that does not necessarily imply multi-instance QMgrs.

Without MCAUSER and CHLAUTH, the QMgr can be administered by the adjacent upstream QMgr. If none of the QMgrs have this protection, it's possible for someone outside the company to have complete administrative control, including the ability to execute arbitrary OS commands, on the internal QMgrs. Hopefully the "discussion" revolves around either securing these effectively or else getting that "get out of jail free" memo I mentioned in the previous email. Keep escalating until you find someone with funding authority who *could* make it happen but signs off on the risk. It can be marginally helpful to get sign-off by someone not actually in a position to fund the remediation but not ideal. I have from time to time seen Operations managers sign off on risk rather than telling the business users about it or spending their political capital trying to get the remdiation funded. Then when the business users find out just how exposed they are, the Ops manager scapegoats the WMQ admin claiming they hadn't been properly informed.

(On the other hand, the people I've known who were fired over this have universally said later it turned out to be good for them. Companies who ignore risk until they can't hide it any longer and then blame the exposure on the very line manager who tried to do something about it tend to be sub-optimal as employers.)

-- T.Rob

From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of LM Demey (MQ)
Sent: Monday, September 30, 2013 16:16 PM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Subject: Re: MQ cluster, proxy, and NAT

Hi TRob,

In this project, no choice, I *must* !
The whole setup is a little more complex:
There are three interconnected clusters, the one in the middle act as gateway and contains cluster alias queues and alias Queue Manager cluster.
No apps nor triggering in the middle cluster.
Strict routing rules (a bit too much for now!) protect servers and SSL with SSL peer filtering will be configured.
MCAUSER and / or CHLAUTH are still in discussion.

Multi-instance was not a solution because by design there is no way to share a disk between data centers.

Clearly there would still be room for improvement, but compared to what we see in other cases, the security level is reasonable.

As usual, the goal is to build a sufficiently advanced system, but still manageable and understandable by operators in charge of production.

Regards, LMD.

Le 30/09/2013 16:27, T.Rob a Ã©crit :
Hi Luc-Michel,

I'm a strong opponent of clusters across B2B boundaries. However, if you *must* do this, consider the following:

1. Make sure your CLUSRCVR has an MCAUSER that does *not* allow inbound messages to land directly on any transmit queue or the command queue. Ideally, use v7.1 or higher and set up dynamic MCAUSER on the CLUSRCVR channels to restrict inbound channels from internal and external QMgrs to different sets of objects.

2. If you use triggering in any way, also disallow messages from landing on queues that trigger monitors listen on.

3. Make sure the firewall rules enumerate the specific IP addresses and ports used by the channels and not routing an entire subnet.

4. Do not allow the B2B QMgrs to participate in your regular internal cluster. Instead, set up an overlapping cluster that contains only the subset of QMgrs which require the ability to exchange messages with the B2B edge QMgrs. (Make sure the cluster channels are unique to the cluster and do not use a cluster namelist. Another example of why the convention TO.<qmgr> is so horrible.)

5. Make sure that all routes through the QMgrs only pass through enumerated QALIAS definitions or QREMOTE definitions. No application queues on the B2B edge QMgrs, no QMgr-routing through XMitQs.

6. Make sure that the internal QMgrs similarly use restricted MCAUSER values on their CLUSRCVR so that messages arriving from the B2B edge QMgrs cannot go to unspecified queues.

And for anyone reading this and thinking "oh good, here's a handy checklist to secure a B2B cluster", please don't. It's a checklist to somewhat mitigate the vulnerabilities of a B2B cluster and that's all. There is no way to secure a B2B cluster adequately because to offer B2B clustering is by definition to allow an extraordinary amount of visibility and control into the local network up to, in most cases including, full admin access. Remember that one of the stated design goals of WMQ clusters is specifically to relieve you from some of the administrative tasks. There is no option for clustering that says "please do the helpful load balancing things but don't do the administrative things and don't expose my entire namespace to the cluster." Even if a CHAD exit enforces policy on the channels, you don't get the benefits of clustering without giving up control of the cluster's namespace, which means control of how the resolution of routing works.

The right answer here for Luc-Michel and anyone else using B2B clusters is to get to V7.1 or higher and use multi-instance CONNAME and CHLAUTH rules at the edge QMgrs for the external-facing channels. Those QMgrs can participate in the *internal* cluster but not offer clustering to 3rd parties. Between the QMgr and the business partner can be MQIPT and all of the security described in the Redbook but this is the minimum on the QMgr itself.

If you are a WMQ administrator and have a B2B cluster, please make certain that you have either received sign-off from someone higher than your pay grade who has accepted the extraordinary risk (and get this updated yearly), or that you have definite plans to move to a modern version of WMQ that does not require clustering through the firewall.

If you are a WMQ administrator and have either a single B2B cluster that is used by multiple 3rd parties or else have B2B edge QMgrs that participate in multiple overlapping B2B clusters, then sell your stock and update your resume.

-- T.Rob

From: MQSeries List [mailto:***@LISTSERV.MEDUNIWIEN.AC.AT] On Behalf Of LM Demey (MQ)
Sent: Monday, September 30, 2013 9:46 AM
To: ***@LISTSERV.MEDUNIWIEN.AC.AT<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT>
Subject: Re: MQ cluster, proxy, and NAT

Hi Neil,

Thank you for the information, it does appear to be an excellent solution.

MQ clusters are here to ensure high availability of MQ link between the two companies. In fact there are on each side of the proxy two Partial Repo, located in different data centers, a way to maximize the level of service.

Initially, the technical architecture was not made ââby me, so I could not offer the MS81.
I've used it in a simple configuration, but this function is totally under-marketed by IBM (MQ 81 = an obscure supportpack!). So it is difficult for customers to think about it.

I will implement your suggestion about host names. Thanks.

Le 30/09/2013 06:23, Neil Casey a Ã©crit :
Hi Luc-Michel,

there are a couple of different issues here, and you have correctly identified that proxy addresses are one of them.

Firstly I would generally recommend to try to avoid using MQ clusters for B2B connectivity because they make management of the separation of the administrative scope much more difficult. They can also present some security challenges. That being said, if you do go down this path, there are a couple of things that you can do.

1. Use MQIPT. MQIPT with it's socks proxy capability can help with some of the issues with address resolution, and also help with SSL certificate validation and allowing your queue manager (actually MQIPT) to present different certificates internally and externally, or to different external partners.

2. Use host names in the receiver channel conname field instead of an address. Then use the /etc/hosts file to resolve the names. This allows your internal and external address resolution to be different, which is needed for a cluster to work as you have described. The internal servers can define the actual addresses. The external servers can define the natted addresses.

Regards,

Neil Casey
mailto:***@acslink.net.au mobile: +61 414 615 334

[cid:9A97F38E-4F37-483A-ACB4-***@casey.fam]

On 30/09/2013, at 7:45 AM, LM Demey (MQ) <***@DEMEY.NET<mailto:***@DEMEY.NET>> wrote:

Hi all,

I just came across an unexpected configuration problem on MQ clusters.

Consider an MQ cluster that allows the exchange of messages between the two companies.
Here is an extract of the configuration:

QM1
company A
Full repo
DMZ 1
192.168.0.1

QM2
company A
partial repo
DMZ 1
192.168.0.2

QM3
company B
partial repo
DMZ 2
192.168.1.3

DMZ1 DMZ2 and are connected by a proxy that is doing NAT:

192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3

To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP will be natted to 192.168.0.1 by the proxy. So QM3 is able to communicate with QM1.
But the return channel can not be established because the Full Repo attempts to contact QM3 on 192.168.1.3, which is not known in the DMZ2.

The solution seems to be to configure the channel CLUSRCVR in QM3 with 192.168.0.3, so that the address would that be natted to 192.168.1.3 while crossing the PROXY.

In fact it is necessary that all CLUSRCVR channels not indicate the IP address of QM, but that by which they are known to the proxy.

As a result, the link between QM1 and QM2 will also have to go through the proxy

What do you think? Is this the right way to configure a cluster MQ located on either side of a proxy?

Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert

http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

________________________________
List Archive<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/resources/manuals.asp>

________________________________
List Archive<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/resources/manuals.asp>
--
Luc-Michel Demey - Freelance WAS & WMQ Expert

http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

________________________________
List Archive<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/resources/manuals.asp>

________________________________
List Archive<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/resources/manuals.asp>
--
Luc-Michel Demey - Freelance WAS & WMQ Expert

http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

________________________________
List Archive<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/resources/manuals.asp>

________________________________
List Archive<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/resources/manuals.asp>
************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************

T.Rob

2013-10-01 17:23:34 UTC

Permalink

How the sequence numbers work is an MQ internal and changes from time to time. However, my understanding is that the channel status records are keyed by a combination of attributes that would make the second B2B Edge QMgr unique, assuming it has a different name. QMgrs that apps connect to directly may have dependencies on the QMgr name (which I abhor) but a B2B Edge QMgr is used only for routing and that should be based on QMgr aliases (aliai?) and not the name. So if the pair of B2B Edge QMgrs are not exact clones, the seq numbers should be managed separately. This is how RQSTR channels on different QMgrs are able to start the same SVR channel and have it work.

That said, I've seen several cases using scripts (preferably that run on the B2B Edge QMgrs and not the internal ones) to spot a sequence number error and reset the inbound to match. Haven't seen these lately and I assumed it was because they were no longer necessary but I haven't tested.

So either it works the way you expect right out of the box or else it's easily fixed with instrumentation. In any case, clustering through the firewall represents much greater exposure and risk by far than SDR/RQSTR channels, even in the worst case that some instrumentation is required.

-- T.Rob

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of Potkay, Peter M (CTO Architecture + Engineering)
Sent: Tuesday, October 01, 2013 8:19 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

âWhen I said multi-instance CONNAME that does not necessarily imply multi-instance QMgrsâ

:-? I thought it did. Otherwise the sending QM flipping to the secondary conname in its SNDR channel definition would only find itself talking to a RCVR channel on other QM and the sequence numbers would be off.

I had assumed you were going down the path of proposing traditional point to point channels (SNDR/RCVR or SNDR/RQSTR), optionally thru MQIPT, between companies, where the availability concerns of the single Edge Queue Manager is mitigated by making it a multi instance QM.

How else can you use multi instance CONNAMES in a QM to QM channel if not to a multi instance QM? To a Backup QM I suppose is one option.

Peter Potkay

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of T.Rob
Sent: Monday, September 30, 2013 5:01 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

Understood. Quick clarification on one point, though. When I said multi-instance CONNAME that does not necessarily imply multi-instance QMgrs.

Without MCAUSER and CHLAUTH, the QMgr can be administered by the adjacent upstream QMgr. If none of the QMgrs have this protection, it's possible for someone outside the company to have complete administrative control, including the ability to execute arbitrary OS commands, on the internal QMgrs. Hopefully the "discussion" revolves around either securing these effectively or else getting that "get out of jail free" memo I mentioned in the previous email. Keep escalating until you find someone with funding authority who *could* make it happen but signs off on the risk. It can be marginally helpful to get sign-off by someone not actually in a position to fund the remediation but not ideal. I have from time to time seen Operations managers sign off on risk rather than telling the business users about it or spending their political capital trying to get the remdiation funded. Then when the business users find out just how exposed they are, the Ops manager scapegoats the WMQ admin claiming they hadn't been properly informed.

(On the other hand, the people I've known who were fired over this have universally said later it turned out to be good for them. Companies who ignore risk until they can't hide it any longer and then blame the exposure on the very line manager who tried to do something about it tend to be sub-optimal as employers.)

-- T.Rob

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of LM Demey (MQ)
Sent: Monday, September 30, 2013 16:16 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

Hi TRob,

In this project, no choice, I *must* !
The whole setup is a little more complex:
There are three interconnected clusters, the one in the middle act as gateway and contains cluster alias queues and alias Queue Manager cluster.
No apps nor triggering in the middle cluster.
Strict routing rules (a bit too much for now!) protect servers and SSL with SSL peer filtering will be configured.
MCAUSER and / or CHLAUTH are still in discussion.

Multi-instance was not a solution because by design there is no way to share a disk between data centers.

Clearly there would still be room for improvement, but compared to what we see in other cases, the security level is reasonable.

As usual, the goal is to build a sufficiently advanced system, but still manageable and understandable by operators in charge of production.

Regards, LMD.

Le 30/09/2013 16:27, T.Rob a Ã©crit :

Hi Luc-Michel,

I'm a strong opponent of clusters across B2B boundaries. However, if you *must* do this, consider the following:

1. Make sure your CLUSRCVR has an MCAUSER that does *not* allow inbound messages to land directly on any transmit queue or the command queue. Ideally, use v7.1 or higher and set up dynamic MCAUSER on the CLUSRCVR channels to restrict inbound channels from internal and external QMgrs to different sets of objects.

2. If you use triggering in any way, also disallow messages from landing on queues that trigger monitors listen on.

3. Make sure the firewall rules enumerate the specific IP addresses and ports used by the channels and not routing an entire subnet.

4. Do not allow the B2B QMgrs to participate in your regular internal cluster. Instead, set up an overlapping cluster that contains only the subset of QMgrs which require the ability to exchange messages with the B2B edge QMgrs. (Make sure the cluster channels are unique to the cluster and do not use a cluster namelist. Another example of why the convention TO.<qmgr> is so horrible.)

5. Make sure that all routes through the QMgrs only pass through enumerated QALIAS definitions or QREMOTE definitions. No application queues on the B2B edge QMgrs, no QMgr-routing through XMitQs.

6. Make sure that the internal QMgrs similarly use restricted MCAUSER values on their CLUSRCVR so that messages arriving from the B2B edge QMgrs cannot go to unspecified queues.

And for anyone reading this and thinking "oh good, here's a handy checklist to secure a B2B cluster", please don't. It's a checklist to somewhat mitigate the vulnerabilities of a B2B cluster and that's all. There is no way to secure a B2B cluster adequately because to offer B2B clustering is by definition to allow an extraordinary amount of visibility and control into the local network up to, in most cases including, full admin access. Remember that one of the stated design goals of WMQ clusters is specifically to relieve you from some of the administrative tasks. There is no option for clustering that says "please do the helpful load balancing things but don't do the administrative things and don't expose my entire namespace to the cluster." Even if a CHAD exit enforces policy on the channels, you don't get the benefits of clustering without giving up control of the cluster's namespace, which means control of how the resolution of routing works.

The right answer here for Luc-Michel and anyone else using B2B clusters is to get to V7.1 or higher and use multi-instance CONNAME and CHLAUTH rules at the edge QMgrs for the external-facing channels. Those QMgrs can participate in the *internal* cluster but not offer clustering to 3rd parties. Between the QMgr and the business partner can be MQIPT and all of the security described in the Redbook but this is the minimum on the QMgr itself.

If you are a WMQ administrator and have a B2B cluster, please make certain that you have either received sign-off from someone higher than your pay grade who has accepted the extraordinary risk (and get this updated yearly), or that you have definite plans to move to a modern version of WMQ that does not require clustering through the firewall.

If you are a WMQ administrator and have either a single B2B cluster that is used by multiple 3rd parties or else have B2B edge QMgrs that participate in multiple overlapping B2B clusters, then sell your stock and update your resume.

-- T.Rob

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of LM Demey (MQ)
Sent: Monday, September 30, 2013 9:46 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

Hi Neil,

Thank you for the information, it does appear to be an excellent solution.

MQ clusters are here to ensure high availability of MQ link between the two companies. In fact there are on each side of the proxy two Partial Repo, located in different data centers, a way to maximize the level of service.

Initially, the technical architecture was not made ââby me, so I could not offer the MS81.
I've used it in a simple configuration, but this function is totally under-marketed by IBM (MQ 81 = an obscure supportpack!). So it is difficult for customers to think about it.

I will implement your suggestion about host names. Thanks.

Le 30/09/2013 06:23, Neil Casey a Ã©crit :

Hi Luc-Michel,

there are a couple of different issues here, and you have correctly identified that proxy addresses are one of them.

Firstly I would generally recommend to try to avoid using MQ clusters for B2B connectivity because they make management of the separation of the administrative scope much more difficult. They can also present some security challenges. That being said, if you do go down this path, there are a couple of things that you can do.

1. Use MQIPT. MQIPT with it's socks proxy capability can help with some of the issues with address resolution, and also help with SSL certificate validation and allowing your queue manager (actually MQIPT) to present different certificates internally and externally, or to different external partners.

2. Use host names in the receiver channel conname field instead of an address. Then use the /etc/hosts file to resolve the names. This allows your internal and external address resolution to be different, which is needed for a cluster to work as you have described. The internal servers can define the actual addresses. The external servers can define the natted addresses.

Regards,

Neil Casey

mailto:Neil_Casey-8K57OPj+***@public.gmane.org mobile: +61 414 615 334

On 30/09/2013, at 7:45 AM, LM Demey (MQ) <lmd-4gGhCVI4xPzA+***@public.gmane.org> wrote:

Hi all,

I just came across an unexpected configuration problem on MQ clusters.

Consider an MQ cluster that allows the exchange of messages between the two companies.
Here is an extract of the configuration:

QM1
company A
Full repo
DMZ 1
192.168.0.1

QM2
company A
partial repo
DMZ 1
192.168.0.2

QM3
company B
partial repo
DMZ 2
192.168.1.3

DMZ1 DMZ2 and are connected by a proxy that is doing NAT:

192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3

To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP will be natted to 192.168.0.1 by the proxy. So QM3 is able to communicate with QM1.
But the return channel can not be established because the Full Repo attempts to contact QM3 on 192.168.1.3, which is not known in the DMZ2.

The solution seems to be to configure the channel CLUSRCVR in QM3 with 192.168.0.3, so that the address would that be natted to 192.168.1.3 while crossing the PROXY.

In fact it is necessary that all CLUSRCVR channels not indicate the IP address of QM, but that by which they are known to the proxy.

As a result, the link between QM1 and QM2 will also have to go through the proxy

What do you think? Is this the right way to configure a cluster MQ located on either side of a proxy?

Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>

_____

List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>

************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

Dominique Courtois

2013-10-01 19:23:15 UTC

Permalink

Hi T-Rob,

I fully agree with you on the principles but your point about channel
sequence numbers deserves a bit of testing. I can hardly imagine how two
different Queue Managers ( multi-instance CONNAME and not multi-instance
QMs) could synchronise their sequence numbers. Reading Peter's post I
thought also that a bit of scripting can do the extra job. I am still
skeptical about the sequence numbers. The only solution is to test. I'll do
it sometime in the next days in spite of the great respect we have for you.

Some years ago I had to deal with something that looked like Luc-Michel's
issue. As you underline I carefully asked the security officer and the upper
management to endorse the architecture. By the way we had not Multi-instance
and CHLAUTH available (not yet internally validated) at the time.

The customer was (and still is but I am not any more involved) one of the
largest french bank.
The topology was:
The partner sends messages from a site in France. It receives return
messages which mainly are some kind of acknowlege, never real business data.
This site is backed up by another site in Belgium (active/passive). The
failover between France and Belgium is handled by the partner. The two sites
are multi-server (Windows system clustered).
The 2 partner sites send and receive to/from the customer site (a 4 server
Windows clustered system (active/active) ).
The partner is only grouping and relaying messages without any
transformation or local storage.
The rationale was to use the fault-tolerant feature of the WMQ cluster.

After some discussion we eventually came to set-up an MQcluster between B2B
boundaries. The solution to the NAT problem was to use DNS names with the
proper definitions on both sides. I was not a very strong supporter of this
but the fear of some unexpected downtime was stronger than me. Moreover I
did not trust that much the MQ skills of the partner team.

Last year, prepararing an hardware and software upgrade of the systems they
came back to me. We came to the conclusion that WMQ clustering was not
actually useful provided that the MQservers are properly secured on either
side and there still was a SPOF somewhere in the telecom network.

So my advice is to carefully design the system to make sure that to
MQcluster on these boundaries is mandatory if even useful. The more I think
about the more I think that this is very very rare.

Regards

Dominique

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES

T.Rob

2013-10-02 03:06:06 UTC

Permalink

Hi Dominique,

This definitely deserves some testing. That much, I believe, is not in
doubt.

Regarding the sequence numbers, we already know that a CLUSRCVR can manage
batches of inbound messages from several different QMgrs on the same channel
name. So I believe we are comfortable with the notion that a single channel
can talk to different remote QMgrs without getting confused, at least for
inbound messages.

But in this case we are talking about an outbound channel managing state
with different remote QMgrs. Here I draw your attention to the RQSTR/SVR
pair. This scenario - one outbound QMgr and multiple inbound QMgrs - is
what RQSTR/SVR pairs were designed to so. If we say that a single outbound
channel cannot talk to multiple inbound QMgrs without getting confused then
would not that also mean that RQSTR/SVR pairs are unfit for their core use
case?

The case of a SVR that can talk to RQSTR channels on two different remote
QMgrs is exactly the same case as if the SVR channel had the same two QMgrs
listed in a multi-instance CONNAME, is it not? I believe that we are not
only comfortable with the idea if we stopped and thought about it for a
while, but that there's a case to be made that the channels are defective if
it should not work as expected when you test it. Of course, any such case
that is not documented in the Infocenter is hypothetical, but it's a good
case nonetheless I should think.

I do have direct experience with automating the reset of the sequence
numbers to match the inbound SDR values so I know that works. I used
scripts but only because I didn't have a decent monitor at the time. My
scripts only knew what happened at the B2B Edge QMgr. A monitor would be
able to correlate the sequence number to a channel failover event and not
reset the sequence number for a legitimate in-doubt situation. I believe
there are a few people on-list who do some flavor of automated seq nbr reset
today and am hoping they reply. One in particular is a hub-and-spoke
operation that has many customers and used to offer B2B clustering. They no
longer offer it for new setups and I believe they use a multi-host B2B edge
setup with automated seq nbr resetting. I'm not naming names but their
initials are in the UTF-8 character set. Not that that narrows it down
much. :-)

-- T.Rob

-----Original Message-----
Behalf Of Dominique Courtois
Sent: Tuesday, October 01, 2013 15:23 PM
Subject: Re: MQ cluster, proxy, and NAT
Hi T-Rob,
I fully agree with you on the principles but your point about channel
sequence numbers deserves a bit of testing. I can hardly imagine how two
different Queue Managers ( multi-instance CONNAME and not multi-
instance
QMs) could synchronise their sequence numbers. Reading Peter's post I
thought also that a bit of scripting can do the extra job. I am still

skeptical

about the sequence numbers. The only solution is to test. I'll do it
sometime in the next days in spite of the great respect we have for you.
Some years ago I had to deal with something that looked like Luc-Michel's
issue. As you underline I carefully asked the security officer and the

upper

management to endorse the architecture. By the way we had not Multi-
instance and CHLAUTH available (not yet internally validated) at the time.
The customer was (and still is but I am not any more involved) one of the
largest french bank.
The partner sends messages from a site in France. It receives return
messages which mainly are some kind of acknowlege, never real business
data.
This site is backed up by another site in Belgium (active/passive). The
failover between France and Belgium is handled by the partner. The two
sites are multi-server (Windows system clustered).
The 2 partner sites send and receive to/from the customer site (a 4 server
Windows clustered system (active/active) ).
The partner is only grouping and relaying messages without any
transformation or local storage.
The rationale was to use the fault-tolerant feature of the WMQ cluster.
After some discussion we eventually came to set-up an MQcluster between
B2B boundaries. The solution to the NAT problem was to use DNS names
with the proper definitions on both sides. I was not a very strong

supporter

of this but the fear of some unexpected downtime was stronger than me.
Moreover I did not trust that much the MQ skills of the partner team.
Last year, prepararing an hardware and software upgrade of the systems
they came back to me. We came to the conclusion that WMQ clustering
was not actually useful provided that the MQservers are properly secured
on either side and there still was a SPOF somewhere in the telecom
network.
So my advice is to carefully design the system to make sure that to
MQcluster on these boundaries is mandatory if even useful. The more I
think about the more I think that this is very very rare.
Regards
Dominique
the message body (not the subject), write: SIGNOFF MQSERIES Instructions
for managing your mailing list subscription are provided in the Listserv
General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES

Paul Clarke

2013-10-02 06:40:59 UTC

Permalink

X-CTCH-Spam: Unknown
Received: from PAM7 (86.134.128.205) by smtpout08.bt.lon5.cpcloud.co.uk
(8.6.100.09) (authenticated as paul.clarke85) id 524AB54D0010DA97 for
MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org; Wed, 2 Oct 2013 07:41:10 +0100
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3555.308
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3555.308
X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379,
Antispam-Data: 2013.10.2.62114
X-PMX-Spam: Gauge= Probability=9%, Report='
AT_TLD 0.1, REPLYTO_FROM_DIFF_ADDY 0.1, HTML_00_01 0.05, HTML_00_10 0.05, INVALID_MSGID_NO_FQDN 0, URI_ENDS_IN_HTML 0, __ANY_URI 0, __BOUNCE_CHALLENGE_SUBJ 0, __BOUNCE_NDR_SUBJ_EXEMPT 0, __CP_URI_IN_BODY 0, __CT 0, __CTE 0, __CT_TEXT_PLAIN 0, __FORWARDED_MSG 0, __FRAUD_WEBMAIL 0, __FRAUD_WEBMAIL_FROM 0, __HAS_FROM 0, __HAS_LIST_HEADER 0, __HAS_LIST_HELP 0, __HAS_LIST_SUBSCRIBE 0, __HAS_LIST_UNSUBSCRIBE 0, __HAS_MSGID 0, __HAS_MSMAIL_PRI 0, __HAS_REPLYTO 0, __HAS_X_MAILER 0, __HAS_X_PRIORITY 0, __IN_REP_TO 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __PHISH_FROM 0, __PHISH_FROM2 0, __PHISH_PHRASE11 0, __PHISH_SPEAR_STRUCTURE_1 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0, __SUBJ_ALPHA_NEGATE 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_NS , __USER_AGENT_MS_GENERIC 0'
Sender: MQSeries List <MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org>
In-Reply-To: <25511_1380683177_1380683177_027501cebf1c$565b0c00$03112400$@ioptconsulting.com>
Precedence: list
List-Help: <http://listserv.meduniwien.ac.at/cgi-bin/wa?LIST=MQSERIES>,
<mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?body=INFO%20MQSERIES>
List-Unsubscribe: <mailto:MQSERIES-unsubscribe-request-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org>
List-Subscribe: <mailto:MQSERIES-subscribe-request-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org>
List-Owner: <mailto:MQSERIES-request-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org>
List-Archive: <http://listserv.meduniwien.ac.at/cgi-bin/wa?LIST=MQSERIES>
X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2013.10.2.63020
Archived-At: <http://permalink.gmane.org/gmane.network.mq.devel/16896>

Channels use the Queue Manager name at the 'other' end of the channel as
part of the key to the state data for the sequence numbers. So, provided
that a channel is always talking to unique Queue Manager names there should
be no problem with sequence number confusion. When a channel talks to two
(or more) different Queue Managers that are named the same is when you start
getting sequence number errors (or worse).

Where some customers have come unstuck is where they have defined multiple
Queue Managers with the same name, say as a DR site or for HA purposes, and
then tried to point a single channel at the two different QMs. The only time
that the channels will support this neatly is when the Queue Managers are a
multi-instance, ie. effectively a single Queue Manager located at two
different places.

Cheers,
Paul,

Paul Clarke
www.mqgem.com
-----Original Message-----
From: T.Rob
Sent: Wednesday, October 02, 2013 4:06 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

Hi Dominique,

This definitely deserves some testing. That much, I believe, is not in
doubt.

Regarding the sequence numbers, we already know that a CLUSRCVR can manage
batches of inbound messages from several different QMgrs on the same channel
name. So I believe we are comfortable with the notion that a single channel
can talk to different remote QMgrs without getting confused, at least for
inbound messages.

But in this case we are talking about an outbound channel managing state
with different remote QMgrs. Here I draw your attention to the RQSTR/SVR
pair. This scenario - one outbound QMgr and multiple inbound QMgrs - is
what RQSTR/SVR pairs were designed to so. If we say that a single outbound
channel cannot talk to multiple inbound QMgrs without getting confused then
would not that also mean that RQSTR/SVR pairs are unfit for their core use
case?

The case of a SVR that can talk to RQSTR channels on two different remote
QMgrs is exactly the same case as if the SVR channel had the same two QMgrs
listed in a multi-instance CONNAME, is it not? I believe that we are not
only comfortable with the idea if we stopped and thought about it for a
while, but that there's a case to be made that the channels are defective if
it should not work as expected when you test it. Of course, any such case
that is not documented in the Infocenter is hypothetical, but it's a good
case nonetheless I should think.

I do have direct experience with automating the reset of the sequence
numbers to match the inbound SDR values so I know that works. I used
scripts but only because I didn't have a decent monitor at the time. My
scripts only knew what happened at the B2B Edge QMgr. A monitor would be
able to correlate the sequence number to a channel failover event and not
reset the sequence number for a legitimate in-doubt situation. I believe
there are a few people on-list who do some flavor of automated seq nbr reset
today and am hoping they reply. One in particular is a hub-and-spoke
operation that has many customers and used to offer B2B clustering. They no
longer offer it for new setups and I believe they use a multi-host B2B edge
setup with automated seq nbr resetting. I'm not naming names but their
initials are in the UTF-8 character set. Not that that narrows it down
much. :-)

-- T.Rob

skeptical

upper

supporter

Andrew Hickson

2013-10-02 08:16:19 UTC

Permalink

While there is no sequence number confusion, any indoubt messages will
remain indoubt until the channel reconnects to the same queue manager (or
until manually resolved).

From: Paul Clarke <paul.clarke85-C2P5NI4ZpDVm9/***@public.gmane.org>
To: MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/***@public.gmane.org
Date: 02/10/2013 07:41
Subject: Re: MQ cluster, proxy, and NAT
Sent by: MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/***@public.gmane.org>

Channels use the Queue Manager name at the 'other' end of the channel as
part of the key to the state data for the sequence numbers. So, provided
that a channel is always talking to unique Queue Manager names there
should
be no problem with sequence number confusion. When a channel talks to two
(or more) different Queue Managers that are named the same is when you
start
getting sequence number errors (or worse).

Where some customers have come unstuck is where they have defined multiple

Queue Managers with the same name, say as a DR site or for HA purposes,
and
then tried to point a single channel at the two different QMs. The only
time
that the channels will support this neatly is when the Queue Managers are
a
multi-instance, ie. effectively a single Queue Manager located at two
different places.

Cheers,
Paul,

Paul Clarke
www.mqgem.com
-----Original Message-----
From: T.Rob
Sent: Wednesday, October 02, 2013 4:06 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

Hi Dominique,

This definitely deserves some testing. That much, I believe, is not in
doubt.

Regarding the sequence numbers, we already know that a CLUSRCVR can manage
batches of inbound messages from several different QMgrs on the same
channel
name. So I believe we are comfortable with the notion that a single
channel
can talk to different remote QMgrs without getting confused, at least for
inbound messages.

But in this case we are talking about an outbound channel managing state
with different remote QMgrs. Here I draw your attention to the RQSTR/SVR
pair. This scenario - one outbound QMgr and multiple inbound QMgrs - is
what RQSTR/SVR pairs were designed to so. If we say that a single
outbound
channel cannot talk to multiple inbound QMgrs without getting confused
then
would not that also mean that RQSTR/SVR pairs are unfit for their core use
case?

The case of a SVR that can talk to RQSTR channels on two different remote
QMgrs is exactly the same case as if the SVR channel had the same two
QMgrs
listed in a multi-instance CONNAME, is it not? I believe that we are not
only comfortable with the idea if we stopped and thought about it for a
while, but that there's a case to be made that the channels are defective
if
it should not work as expected when you test it. Of course, any such case
that is not documented in the Infocenter is hypothetical, but it's a good
case nonetheless I should think.

I do have direct experience with automating the reset of the sequence
numbers to match the inbound SDR values so I know that works. I used
scripts but only because I didn't have a decent monitor at the time. My
scripts only knew what happened at the B2B Edge QMgr. A monitor would be
able to correlate the sequence number to a channel failover event and not
reset the sequence number for a legitimate in-doubt situation. I believe
there are a few people on-list who do some flavor of automated seq nbr
reset
today and am hoping they reply. One in particular is a hub-and-spoke
operation that has many customers and used to offer B2B clustering. They
no
longer offer it for new setups and I believe they use a multi-host B2B
edge
setup with automated seq nbr resetting. I'm not naming names but their
initials are in the UTF-8 character set. Not that that narrows it down
much. :-)

-- T.Rob

skeptical

Luc-Michel's

issue. As you underline I carefully asked the security officer and the

upper

management to endorse the architecture. By the way we had not Multi-
instance and CHLAUTH available (not yet internally validated) at the

time.

The customer was (and still is but I am not any more involved) one of

the

largest french bank.
The partner sends messages from a site in France. It receives return
messages which mainly are some kind of acknowlege, never real business
data.
This site is backed up by another site in Belgium (active/passive). The
failover between France and Belgium is handled by the partner. The two
sites are multi-server (Windows system clustered).
The 2 partner sites send and receive to/from the customer site (a 4

server

Windows clustered system (active/active) ).
The partner is only grouping and relaying messages without any
transformation or local storage.
The rationale was to use the fault-tolerant feature of the WMQ cluster.
After some discussion we eventually came to set-up an MQcluster between
B2B boundaries. The solution to the NAT problem was to use DNS names
with the proper definitions on both sides. I was not a very strong

supporter

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number
741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

Paul Clarke

2013-10-02 08:30:07 UTC

Permalink

Indeed.....and just to expand on that a bit. A sending channel will not allow you to start a channel to a Queue Manager if it is currently indoubt with a different Queue Manager. In other words, a channel can not be indoubt to more than one queue manager at any given time.

Cheers,
P.

Paul Clarke
www.mqgem.com

From: Andrew Hickson
Sent: Wednesday, October 02, 2013 9:16 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

While there is no sequence number confusion, any indoubt messages will remain indoubt until the channel reconnects to the same queue manager (or until manually resolved).

From: Paul Clarke <paul.clarke85-C2P5NI4ZpDVm9/***@public.gmane.org>
To: MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/***@public.gmane.org
Date: 02/10/2013 07:41
Subject: Re: MQ cluster, proxy, and NAT
Sent by: MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/***@public.gmane.org>

--------------------------------------------------------------------------------

Channels use the Queue Manager name at the 'other' end of the channel as
part of the key to the state data for the sequence numbers. So, provided
that a channel is always talking to unique Queue Manager names there should
be no problem with sequence number confusion. When a channel talks to two
(or more) different Queue Managers that are named the same is when you start
getting sequence number errors (or worse).

Where some customers have come unstuck is where they have defined multiple
Queue Managers with the same name, say as a DR site or for HA purposes, and
then tried to point a single channel at the two different QMs. The only time
that the channels will support this neatly is when the Queue Managers are a
multi-instance, ie. effectively a single Queue Manager located at two
different places.

Cheers,
Paul,

Paul Clarke
www.mqgem.com
-----Original Message-----
From: T.Rob
Sent: Wednesday, October 02, 2013 4:06 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

Hi Dominique,

This definitely deserves some testing. That much, I believe, is not in
doubt.

Regarding the sequence numbers, we already know that a CLUSRCVR can manage
batches of inbound messages from several different QMgrs on the same channel
name. So I believe we are comfortable with the notion that a single channel
can talk to different remote QMgrs without getting confused, at least for
inbound messages.

But in this case we are talking about an outbound channel managing state
with different remote QMgrs. Here I draw your attention to the RQSTR/SVR
pair. This scenario - one outbound QMgr and multiple inbound QMgrs - is
what RQSTR/SVR pairs were designed to so. If we say that a single outbound
channel cannot talk to multiple inbound QMgrs without getting confused then
would not that also mean that RQSTR/SVR pairs are unfit for their core use
case?

The case of a SVR that can talk to RQSTR channels on two different remote
QMgrs is exactly the same case as if the SVR channel had the same two QMgrs
listed in a multi-instance CONNAME, is it not? I believe that we are not
only comfortable with the idea if we stopped and thought about it for a
while, but that there's a case to be made that the channels are defective if
it should not work as expected when you test it. Of course, any such case
that is not documented in the Infocenter is hypothetical, but it's a good
case nonetheless I should think.

I do have direct experience with automating the reset of the sequence
numbers to match the inbound SDR values so I know that works. I used
scripts but only because I didn't have a decent monitor at the time. My
scripts only knew what happened at the B2B Edge QMgr. A monitor would be
able to correlate the sequence number to a channel failover event and not
reset the sequence number for a legitimate in-doubt situation. I believe
there are a few people on-list who do some flavor of automated seq nbr reset
today and am hoping they reply. One in particular is a hub-and-spoke
operation that has many customers and used to offer B2B clustering. They no
longer offer it for new setups and I believe they use a multi-host B2B edge
setup with automated seq nbr resetting. I'm not naming names but their
initials are in the UTF-8 character set. Not that that narrows it down
much. :-)

-- T.Rob

skeptical

upper

supporter

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU

--------------------------------------------------------------------------------

List Archive - Manage Your List Settings - Unsubscribe
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

Alderson, Ian1

2013-10-02 08:50:18 UTC

Permalink

I was about to reply to say the same thing but Andy beat me to it.

I will just add that we did something similar (multi connames to different queue managers) and this was our experience. We had a requirement to have partner Queue Managers connect in to a "gateway" that spanned 2 datacentres. The requirement was no downtime for the application ever and the SLA for traditional switching to DR site was too long. As the messages were all request/reply, replayable and NP there was no concern about replicating messages to a DR Queue Manager.

We found that when sending NP messages outside of syncpoint (NPMSPEED=FAST on the channel) there was never any problem in failing over when the primary Queue Manager was killed (endmqm -p). However testing with NPMSPEED NORMAL then the channel often went in doubt with the channel defaults. Using BATCHHB and HBINT set to 10 seconds seemed to solve this but there was still a theoretical small window where the batch may still go in doubt although I was unable to cause it to happen in repeated tests. However we still reverted back to NPMSPEED set to FAST to ensure no syncpoint was done over this multi-conname channel to eliminate the risk of the channel going in doubt.

In conclusion, I personally would only consider multi connames in a SDR channel to a MIM set-up, unless you are willing to lose or duplicate messages and have possible delays while you resolve the channel. Even the special case I mention above where messages are only NP and sent outside of syncpoint, it is non-standard and can cause confusion with even experienced MQ support staff and documentation understandably only points to its use with MIM.

Hope that helps with the planning.

From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of Andrew Hickson
Sent: 02 October 2013 09:16
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: MQ cluster, proxy, and NAT

While there is no sequence number confusion, any indoubt messages will remain indoubt until the channel reconnects to the same queue manager (or until manually resolved).

From: Paul Clarke <paul.clarke85-C2P5NI4ZpDVm9/***@public.gmane.org<mailto:***@BTINTERNET.COM>>
To: MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/***@public.gmane.org<mailto:MQSERIES-JX7+OpRa80Ties2YCUG/***@public.gmane.orgniwien.ac.at>
Date: 02/10/2013 07:41
Subject: Re: MQ cluster, proxy, and NAT
Sent by: MQSeries List <MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/***@public.gmane.org<mailto:MQSERIES-JX7+OpRa80QeFbOYke1v4oOpTq8/***@public.gmane.org>>
________________________________

Channels use the Queue Manager name at the 'other' end of the channel as
part of the key to the state data for the sequence numbers. So, provided
that a channel is always talking to unique Queue Manager names there should
be no problem with sequence number confusion. When a channel talks to two
(or more) different Queue Managers that are named the same is when you start
getting sequence number errors (or worse).

Where some customers have come unstuck is where they have defined multiple
Queue Managers with the same name, say as a DR site or for HA purposes, and
then tried to point a single channel at the two different QMs. The only time
that the channels will support this neatly is when the Queue Managers are a
multi-instance, ie. effectively a single Queue Manager located at two
different places.

Cheers,
Paul,

Paul Clarke
www.mqgem.com
-----Original Message-----
From: T.Rob
Sent: Wednesday, October 02, 2013 4:06 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org<mailto:MQSERIES-0lvw86wZMd9k/***@public.gmane.orgAC.AT>
Subject: Re: MQ cluster, proxy, and NAT

Hi Dominique,

This definitely deserves some testing. That much, I believe, is not in
doubt.

Regarding the sequence numbers, we already know that a CLUSRCVR can manage
batches of inbound messages from several different QMgrs on the same channel
name. So I believe we are comfortable with the notion that a single channel
can talk to different remote QMgrs without getting confused, at least for
inbound messages.

But in this case we are talking about an outbound channel managing state
with different remote QMgrs. Here I draw your attention to the RQSTR/SVR
pair. This scenario - one outbound QMgr and multiple inbound QMgrs - is
what RQSTR/SVR pairs were designed to so. If we say that a single outbound
channel cannot talk to multiple inbound QMgrs without getting confused then
would not that also mean that RQSTR/SVR pairs are unfit for their core use
case?

The case of a SVR that can talk to RQSTR channels on two different remote
QMgrs is exactly the same case as if the SVR channel had the same two QMgrs
listed in a multi-instance CONNAME, is it not? I believe that we are not
only comfortable with the idea if we stopped and thought about it for a
while, but that there's a case to be made that the channels are defective if
it should not work as expected when you test it. Of course, any such case
that is not documented in the Infocenter is hypothetical, but it's a good
case nonetheless I should think.

I do have direct experience with automating the reset of the sequence
numbers to match the inbound SDR values so I know that works. I used
scripts but only because I didn't have a decent monitor at the time. My
scripts only knew what happened at the B2B Edge QMgr. A monitor would be
able to correlate the sequence number to a channel failover event and not
reset the sequence number for a legitimate in-doubt situation. I believe
there are a few people on-list who do some flavor of automated seq nbr reset
today and am hoping they reply. One in particular is a hub-and-spoke
operation that has many customers and used to offer B2B clustering. They no
longer offer it for new setups and I believe they use a multi-host B2B edge
setup with automated seq nbr resetting. I'm not naming names but their
initials are in the UTF-8 character set. Not that that narrows it down
much. :-)

-- T.Rob

skeptical

upper

supporter

of this but the fear of some unexpected downtime was stronger than me.
Moreover I did not trust that much the MQ skills of the partner team.
Last year, prepararing an hardware and software upgrade of the systems
they came back to me. We came to the conclusion that WMQ clustering
was not actually useful provided that the MQservers are properly secured
on either side and there still was a SPOF somewhere in the telecom
network.
So my advice is to carefully design the system to make sure that to
MQcluster on these boundaries is mandatory if even useful. The more I
think about the more I think that this is very very rare.
Regards
Dominique
the message body (not the subject), write: SIGNOFF MQSERIES Instructions
for managing your mailing list subscription are provided in the Listserv
General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/>
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT> and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/>
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org<mailto:***@LISTSERV.MEDUNIWIEN.AC.AT> and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/>
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
________________________________
List Archive<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe<mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com<http://www.lsoft.com/resources/manuals.asp>

To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html

LM Demey (MQ)

2013-10-13 10:57:27 UTC

Permalink

Hi Glen,

Thank you for the tip, it works as expected.

I have put DNS names in CONNAMEs, and I use the hosts file on each side
of the proxy to resolve DNS names to the right IP. Thissolves the problem.

Now I must succeed in convincing the LOCLADDR to work the way I want.
One server is multi-homed and MQ flow out with the wrong IP address (the
one which is not open in the firewall). LOCLADDR on this explicit
CLUSSDR channel is not honored.

The interesting point is that DQM configuration from the same server
works perfectly.

Post by gshubert-MaERPT+
We ran across that very scenario, and ended up using DNS names to
"hide" the real IP addresses.
Thank you,
Glen Shubert
Associate Director - Operations
*T**|SYS|*- MQSeries Technical Support
Date: 09/29/2013 11:46 PM
Subject: MQ cluster, proxy, and NAT
------------------------------------------------------------------------
Hi all,
I just came across an unexpected configuration problem on MQ clusters.
Consider an MQ cluster that allows the exchange of messages between
the two companies.
QM1
company A
Full repo
DMZ 1
192.168.0.1
QM2
company A
partial repo
DMZ 1
192.168.0.2
QM3
company B
partial repo
DMZ 2
192.168.1.3
192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3
To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP
will be natted to 192.168.0.1 by the proxy. So QM3 is able to
communicate with QM1.
But the return channel can not be established because the Full Repo
attempts to contact QM3 on 192.168.1.3, which is not known in the DMZ2.
The solution seems to be to configure the channel CLUSRCVR in QM3 with
192.168.0.3, so that the address would that be natted to 192.168.1.3
while crossing the PROXY.
In fact it is necessary that all CLUSRCVR channels not indicate the IP
address of QM, but that by which they are known to the proxy.
As a result, the link between QM1 and QM2 will also have to go through
the proxy
What do you think? Is this the right way to configure a cluster MQ
located on either side of a proxy?
Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
_http://www.demey-consulting.fr/_- lmd at demey-consulting dot fr
------------------------------------------------------------------------
_List Archive_
<http://listserv.meduniwien.ac.at/archives/mqser-l.html>- _Manage Your
List Settings_
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1>-
_Unsubscribe_
Instructions for managing your mailing list subscription are provided
in the Listserv General Users Guide available at
_http://www.lsoft.com_ <http://www.lsoft.com/resources/manuals.asp>
----------------------------------------- The information contained in
this communication (including any attachments hereto) is confidential
and is intended solely for the personal and confidential use of the
individual or entity to whom it is addressed. If the reader of this
message is not the intended recipient or an agent responsible for
delivering it to the intended recipient, you are hereby notified that
you have received this communication in error and that any review,
dissemination, copying, or unauthorized use of this information, or
the taking of any action in reliance on the contents of this
information is strictly prohibited. If you have received this
communication in error, please notify us immediately by e-mail, and
delete the original message. Thank you
------------------------------------------------------------------------
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html>
- Manage Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
Instructions for managing your mailing list subscription are provided
in the Listserv General Users Guide available at http://www.lsoft.com
<http://www.lsoft.com/resources/manuals.asp>

Neil Casey

2013-10-13 20:17:42 UTC

Permalink

Hi Luc-Michel,

After the initial connection to the first full repository, the static cluster sender channels are basically ignored for most practical purposes. The definition which is used to build the channel instance at run time is the dynamic definition, built from the cluster receiver details provided by the destination queue manager.

If you have a multi-homed server, and need to direct specific MQ cluster channels to use particular source addresses/interfaces, then you have 2 options.

1. Create a CHAD exit to control the locladdr value as each dynamic cluster sender channel is created.
2. Define static routes on the server to direct traffic to the MQ hosts via the correct interface and gateway.

Option 1 is really the perfect way, because it only affects MQ traffic.

Option 2 is probably easier to implement, but means that all IP traffic between the specified hosts will use the static route, rather than just the MQ traffic.

Regards,

Neil Casey

Post by LM Demey (MQ)
Hi Glen,
Thank you for the tip, it works as expected.
I have put DNS names in CONNAMEs, and I use the hosts file on each side of the proxy to resolve DNS names to the right IP. This solves the problem.
Now I must succeed in convincing the LOCLADDR to work the way I want.
One server is multi-homed and MQ flow out with the wrong IP address (the one which is not open in the firewall). LOCLADDR on this explicit CLUSSDR channel is not honored.
The interesting point is that DQM configuration from the same server works perfectly.

We ran across that very scenario, and ended up using DNS names to "hide" the real IP addresses.
Thank you,
Glen Shubert
Associate Director - Operations
T|SYS| - MQSeries Technical Support
Date: 09/29/2013 11:46 PM
Subject: MQ cluster, proxy, and NAT
Hi all,
I just came across an unexpected configuration problem on MQ clusters.
Consider an MQ cluster that allows the exchange of messages between the two companies.
QM1
company A
Full repo
DMZ 1
192.168.0.1
QM2
company A
partial repo
DMZ 1
192.168.0.2
QM3
company B
partial repo
DMZ 2
192.168.1.3
192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3
To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP will be natted to 192.168.0.1 by the proxy. So QM3 is able to communicate with QM1.
But the return channel can not be established because the Full Repo attempts to contact QM3 on 192.168.1.3, which is not known in the DMZ2.
The solution seems to be to configure the channel CLUSRCVR in QM3 with 192.168.0.3, so that the address would that be natted to 192.168.1.3 while crossing the PROXY.
In fact it is necessary that all CLUSRCVR channels not indicate the IP address of QM, but that by which they are known to the proxy.
As a result, the link between QM1 and QM2 will also have to go through the proxy
What do you think? Is this the right way to configure a cluster MQ located on either side of a proxy?
Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr
List Archive - Manage Your List Settings - Unsubscribe
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com
----------------------------------------- The information contained in this communication (including any attachments hereto) is confidential and is intended solely for the personal and confidential use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this communication in error and that any review, dissemination, copying, or unauthorized use of this information, or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message. Thank you
List Archive - Manage Your List Settings - Unsubscribe
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr
List Archive - Manage Your List Settings - Unsubscribe
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com

LM Demey (MQ)

2013-10-14 21:03:45 UTC

Permalink

Hi Neil,

Interesting information.
I'm not sure it totally applies to this problem because:
- This is the very first connection made by the static channel sender
- Information on the IP address (one that does not pass the firewall) is
not known to the MQ configuration, and I do not see how it could be used
as CONNAME on this static sender channel.

There is also a unclear technote
(http://www-01.ibm.com/support/docview.wss?uid=swg1IY49334) suggesting
that in some cases in MQ 5.3 you must use a CHAD for setting LOCLADDR

If a customer wishes to use LOCLADDR to specify an IP Address within a
Any value specified in the LOCLADDR field of a manually defined
CLUSSDR channel will be over-written with the value in the
repositories CLUSRCVR channel once communication has been established
with the repository queue manager.

But this technote is more than 6 years old and applies to MQ 5.3!
In 2013 and with 7.0.1.6 version, I'd be amazed if I have to use a CHAD
exit in a MQ cluster configuration to use LOCLADDR!

What I understand is that there are a number of MQ behaviors that are
little / no / poorly documented. It's a bit like the problem of the
number of Full Repo and changing topologies subscriptions (see a
previous exchange on the list).

I'll try your method with static routes, but I do not have direct access
to the machine so it will take some time.

Thank you!

Hi Luc-Michel,
After the initial connection to the first full repository, the static
cluster sender channels are basically ignored for most practical
purposes. The definition which is used to build the channel instance
at run time is the dynamic definition, built from the cluster receiver
details provided by the destination queue manager.
If you have a multi-homed server, and need to direct specific MQ
cluster channels to use particular source addresses/interfaces, then
you have 2 options.
1. Create a CHAD exit to control the locladdr value as each dynamic
cluster sender channel is created.
2. Define static routes on the server to direct traffic to the MQ
hosts via the correct interface and gateway.
Option 1 is really the perfect way, because it only affects MQ traffic.
Option 2 is probably easier to implement, but means that all IP
traffic between the specified hosts will use the static route, rather
than just the MQ traffic.
Regards,
Neil Casey

Post by LM Demey (MQ)
Hi Glen,
Thank you for the tip, it works as expected.
I have put DNS names in CONNAMEs, and I use the hosts file on each
side of the proxy to resolve DNS names to the right IP. Thissolves
the problem.
Now I must succeed in convincing the LOCLADDR to work the way I want.
One server is multi-homed and MQ flow out with the wrong IP address
(the one which is not open in the firewall). LOCLADDR on this
explicit CLUSSDR channel is not honored.
The interesting point is that DQM configuration from the same server
works perfectly.

Post by gshubert-MaERPT+
We ran across that very scenario, and ended up using DNS names to
"hide" the real IP addresses.
Thank you,
Glen Shubert
Associate Director - Operations
*T**|SYS|*- MQSeries Technical Support
Date: 09/29/2013 11:46 PM
Subject: MQ cluster, proxy, and NAT
------------------------------------------------------------------------
Hi all,
I just came across an unexpected configuration problem on MQ clusters.
Consider an MQ cluster that allows the exchange of messages between
the two companies.
QM1
company A
Full repo
DMZ 1
192.168.0.1
QM2
company A
partial repo
DMZ 1
192.168.0.2
QM3
company B
partial repo
DMZ 2
192.168.1.3
192.168.1.1 is natted to 192.168.0.1
192.168.0.3 is natted to 192.168.1.3
To contact QM1, QM3 specify IP 192.168.1.1 in the CLUSSDR, this IP
will be natted to 192.168.0.1 by the proxy. So QM3 is able to
communicate with QM1.
But the return channel can not be established because the Full Repo
attempts to contact QM3 on 192.168.1.3, which is not known in the DMZ2.
The solution seems to be to configure the channel CLUSRCVR in QM3
with 192.168.0.3, so that the address would that be natted to
192.168.1.3 while crossing the PROXY.
In fact it is necessary that all CLUSRCVR channels not indicate the
IP address of QM, but that by which they are known to the proxy.
As a result, the link between QM1 and QM2 will also have to go
through the proxy
What do you think? Is this the right way to configure a cluster MQ
located on either side of a proxy?
Thanks in advance
--
Luc-Michel Demey - Freelance WAS & WMQ Expert
_http://www.demey-consulting.fr/_- lmd at demey-consulting dot fr
------------------------------------------------------------------------
_List Archive_
<http://listserv.meduniwien.ac.at/archives/mqser-l.html>- _Manage
Your List Settings_
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1>-
_Unsubscribe_
Instructions for managing your mailing list subscription are
provided in the Listserv General Users Guide available at
_http://www.lsoft.com_ <http://www.lsoft.com/resources/manuals.asp>
----------------------------------------- The information contained
in this communication (including any attachments hereto) is
confidential and is intended solely for the personal and
confidential use of the individual or entity to whom it is
addressed. If the reader of this message is not the intended
recipient or an agent responsible for delivering it to the intended
recipient, you are hereby notified that you have received this
communication in error and that any review, dissemination, copying,
or unauthorized use of this information, or the taking of any action
in reliance on the contents of this information is strictly
prohibited. If you have received this communication in error, please
notify us immediately by e-mail, and delete the original message.
Thank you
------------------------------------------------------------------------
List Archive
<http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage
Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
Instructions for managing your mailing list subscription are
provided in the Listserv General Users Guide available at
http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>

--
Luc-Michel Demey - Freelance WAS & WMQ Expert
http://www.demey-consulting.fr/ - lmd at demey-consulting dot fr
------------------------------------------------------------------------
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html>
- Manage Your List Settings
<http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> -
Unsubscribe
Instructions for managing your mailing list subscription are provided
in the Listserv General Users Guide available at http://www.lsoft.com
<http://www.lsoft.com/resources/manuals.asp>