Discussion:
MQ IPT, and http vs. MQ protocols
Costa, D. (Damian)
2013-12-09 10:53:19 UTC
Hi all,
Can one specify MQ or http protocols on multiple links going through the same MQ IPT deployment?
I.e. one connection uses an MQ protocol, another uses http?

I can see it working for outbound connections but can't see that this would work on inbound connections as they hit the same "listener". It would have to be quite smart to recognise http vs. MQ protocol connection requests on the same socket yes?

Thanks.


********************
Nedbank Limited Reg No 1951/000009/06. The following link displays
the names of the Nedbank Board of Directors and Company Secretary.
[ http://www.nedbank.co.za/terms/DirectorsNedbank.htm ]
This email is confidential and is intended for the addressee only.
The following link will take you to Nedbank's legal notice.
[ http://www.nedbank.co.za/terms/EmailDisclaimer.htm ]
********************

Neil Casey
2013-12-09 11:42:47 UTC
Hi Damian,

You certainly should be able to define one MQIPT which can support both MQ Native and http connections, although I have never actually tried.

Each route you define can have its own protocol definitions, ssl certs, and pretty much any other option, independently of the other routes.

Each route has its own listener address and port number, so MQIPT is easily able to distinguish between different connections based on the port number. The two protocols don’t come in on the same socket.

The only thing I’m not sure about is what you need to set up in the way of a web server or proxy server to assist with the HTTP flows through the DMZ. I am not certain that it would be sensible to deal with that stuff, and also have MQ native flows going on.

My personal view is that MQ native flows are the most sensible option anyway. Corporate firewalls are in place for perfectly good reasons, and using well-known web port numbers like 80 or 8080 to tunnel peer-to-peer (that is MQ Series) application traffic through the firewall strikes me as poor security practice.

I would prefer to see specific rules in place to pass and route the desired traffic, while blocking everything else. That way the organisation knows what is being allowed, and can audit it effectively.

When we built the examples for the B2B section of the Secure Messaging Scenarios with WebSphere MQ RedBook publication, we built it using native MQ protocol, not http, for that reason.

Regards,

Neil
--
Neil Casey
Senior Consultant | Syntegrity Solutions

+61 414 615 334 neil.casey-VLLIzlmz+***@public.gmane.org
Syntegrity Solutions Pty Ltd | Level 23 | 40 City Road | Southgate | VIC 3006
Analyse >> Integrate >> Secure >> Educate
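
The two points in the reply above, one listener port per route and a preference for auditable rules over tunnelling on ports 80 or 8080, can be checked against a configuration file. This is an added example, not part of the original thread or of MQIPT itself: it assumes the `mqipt.conf` layout of repeated `[route]` sections with `Name`, `ListenerPort`, `Destination` and `HTTP` properties, and the sample file, host names and ports are constructed.

```python
WEB_PORTS = {80, 8080}  # the well-known web ports named in the reply

# Constructed sample configuration (host names and ports are made up).
SAMPLE_CONF = """\
[route]
Name=native_to_qm
ListenerPort=1415
Destination=qm1.internal.example

[route]
Name=http_tunnel
ListenerPort=8080
Destination=mqipt2.partner.example
HTTP=true
"""

def parse_routes(text):
    """Return one dict per [route] section; repeated section names stay separate."""
    routes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Only [route] sections are audited; any other section is skipped.
            current = {} if line[1:-1].strip().lower() == "route" else None
            if current is not None:
                routes.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Keys are lower-cased for lookup (a choice made in this example).
            current[key.strip().lower()] = value.strip()
    return routes

def audit(text):
    """Return (route name, finding) pairs: port clashes, HTTP routes, web ports."""
    findings, seen = [], {}
    for route in parse_routes(text):
        name = route.get("name", "<unnamed>")
        port = int(route.get("listenerport", 0))
        if port in seen:
            findings.append((name, f"listener port {port} already used by {seen[port]}"))
        seen.setdefault(port, name)
        if route.get("http", "false").lower() == "true":
            findings.append((name, "HTTP tunnelling enabled"))
        if port in WEB_PORTS:
            findings.append((name, f"listens on well-known web port {port}"))
    return findings
```

Calling `audit(SAMPLE_CONF)` reports only the `http_tunnel` route; the native route on its own dedicated port produces no findings.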
To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html