MQPut to Cluster queue of a specific cluster only |
lamtbs |
Posted: Thu Sep 27, 2018 8:25 pm Post subject: MQPut to Cluster queue of a specific cluster only |
|
|
Acolyte
Joined: 07 Nov 2005 Posts: 57 Location: Hong Kong
|
Dear,
In an overlapping cluster, is there a way to put to cluster-queues of a specific cluster ONLY?
Say my QM is participating in CL1, CL2, CL3, where Q1 is a clustered queue defined in all 3 clusters, would it be possible to MQPut to Q1 in CL1, and NOT to CL2, CL3?
I have simplified the question for easier discussion; the underlying issue is Q1 is supposed to be used by CL1 only. However, by mistake or by fraud, CL2 and CL3 are also defining Q1 to steal messages from CL1. What are some ways around such an issue?
Thank you! |
|
exerk |
Posted: Thu Sep 27, 2018 11:55 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Queues are shared in one cluster only, or in all clusters.
If shared in all clusters, there is very little you can do to prevent load-balancing of messages across all instances of the queue.
You can either:
1. Remove the offending queue instances so that messages cannot go to them;
2. If the above cannot be done, PUT(DISABLE) the offending queue instances;*
3. Have the application open the correct queue instance by specifying the queue manager name (highly NOT recommended, and only included as an option for completeness).
My advice would be for option 1 above.
* Be aware that if none of the correct queue instances are available, messages will then go to the offending queue instances. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
lamtbs |
Posted: Fri Sep 28, 2018 2:20 am Post subject: |
|
|
Acolyte
Joined: 07 Nov 2005 Posts: 57 Location: Hong Kong
|
Thanks exerk,
I am reading up on cluster channel security exits, say with some naming convention, or even an IP address list, to limit / forbid sending of messages to queue Q1 on CL2, CL3.
Say with naming convention like CL1.Q1. If the message is going through CL1.CLUSSDR, it is allowed, but if it is going thru CL2.CLUSSDR, it is prohibited. Wonder if that approach works.
Thanks! |
|
exerk |
Posted: Fri Sep 28, 2018 2:26 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
lamtbs wrote: |
...Say with naming convention like CL1.Q1. If the message is going through CL1.CLUSSDR, it is allowed, but if it is going thru CL2.CLUSSDR, it is prohibited. Wonder if that approach works... |
If the queues are shared in all clusters then you may not be able to control the route messages take; for example, depending on the state of the CLUSSDR channels (for all clusters), the queue manager will decide which set of channels is most appropriate down which to send messages.
Again, if those queues are NOT supposed to be in CL2 and CL3, remove them from those clusters! _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
bruce2359 |
Posted: Fri Sep 28, 2018 4:59 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
|
exerk wrote: |
Queues are shared in one cluster only, or in all clusters. |
Or a NAMELIST of clusters. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
exerk |
Posted: Fri Sep 28, 2018 5:00 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
bruce2359 wrote: |
exerk wrote: |
Queues are shared in one cluster only, or in all clusters. |
Or a NAMELIST of clusters. |
Which is a more accurate description of my meaning _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
fjb_saper |
Posted: Sat Sep 29, 2018 2:38 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20729 Location: LI,NY
|
Guys,
This is totally solvable, and relatively easy.
Imagine you have a gateway QMGR participating in multiple clusters ...
Now you have a cluster alias defined on one or multiple qmgrs that are not shared in the other clusters
Send a message with the cluster alias in the qmgr name and it will be load balanced in the cluster of your choice...
Have fun _________________ MQ & Broker admin |
|
lamtbs |
Posted: Sat Sep 29, 2018 7:01 pm Post subject: |
|
|
Acolyte
Joined: 07 Nov 2005 Posts: 57 Location: Hong Kong
|
Really!
How do I do a "cluster alias"? I've tried defining DEFINE QR(CL1.ALIAS) RQMNAME(CL1.QM1, CL1.QM2) to try to restrict messages to CL1 only, but the aliasing does not work.
Please help further, thanks a lot! |
|
bruce2359 |
Posted: Sat Sep 29, 2018 9:38 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
|
If an object is to be known to a cluster, it must have the CLUSTER(clustername) attribute. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
lamtbs |
Posted: Sun Sep 30, 2018 12:40 am Post subject: |
|
|
Acolyte
Joined: 07 Nov 2005 Posts: 57 Location: Hong Kong
|
Oh, did it. Thanks!
On gateway QM
DEFINE QR(Q1.REMOTE) RNAME(Q1) RQMNAME('CL1.ALIAS') DEFBIND(NOTFIXED) XMITQ(SCTQ) CLUSTER('CL1')
On all the cluster QMs where the targeted queues are
DEFINE QR(CL1.ALIAS) RNAME('') RQMNAME('') CLUSTER('CL1')
But actually, with a knowledge of the naming convention, like if I can guess "CL1.ALIAS", I could also have faked it in my cluster to steal your message.
So, it's really a matter of whether we should use cluster if the environment is really not to be trusted. |
|
bruce2359 |
Posted: Sun Sep 30, 2018 6:49 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
|
MQ clusters are no more or no less secure than non clusters. CHLAUTH rules will prevent unknown up-network qmgrs from connecting to a qmgr. CHLAUTH rules can also restrict remote MQ administration. SSL/TLS will further limit access to MQ channels.
As an MQ admin, you have lots of power that normal users do not. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
PeterPotkay |
Posted: Tue Oct 02, 2018 4:40 am Post subject: |
|
|
Poobah
Joined: 15 May 2001 Posts: 7717
|
I can't think of any way >in the base MQ product< on the >sending< queue manager in a cluster to prevent messages being load balanced to a clustered queue on the receiving queue manager in the cluster(s), if you trust that receiving queue manager to be in the same cluster you are in.
Issues like this are why you should never span an MQ Cluster between your company and another, unless you implemented some custom exits to control what data is leaving your clustered queue manager. As soon as you trust the connection to send to one queue on the destination clustered queue manager you just trusted sending to any and every queue on that destination clustered queue manager. You are at the mercy of the destination queue manager to not define clustered definitions you hope/wish/pray they wouldn't.
And never, never span an MQ Cluster across multiple companies where the cluster acts as a bridge between unrelated companies thru your company - the liability implications are something to think about.
Especially when you are limited to the features of the base MQ product, there is a level of trust implied between members of the same cluster. And when you overlap clusters, between all members of all clusters. To my knowledge, the base MQ product simply doesn't offer a way to control on the sending clustered queue manager what the receiving clustered queue manager can advertise and be sent. _________________ Peter Potkay
Keep Calm and MQ On |
|
gbaddeley |
Posted: Tue Oct 02, 2018 3:52 pm Post subject: Re: MQPut to Cluster queue of a specific cluster only |
|
|
Jedi Knight
Joined: 25 Mar 2003 Posts: 2527 Location: Melbourne, Australia
|
lamtbs wrote: |
Dear,
In an overlapping cluster, is there a way to put to cluster-queues of a specific cluster ONLY?
Say my QM is participating in CL1, CL2, CL3, where Q1 is a clustered queue defined in all 3 clusters, would it be possible to MQPut to Q1 in CL1, and NOT to CL2, CL3?
I have simplified the question for easier discussion; the underlying issue is Q1 is supposed to be used by CL1 only. However, by mistake or by fraud, CL2 and CL3 are also defining Q1 to steal messages from CL1. What are some ways around such an issue?
Thank you! |
As with most things, MQ configuration relies on the honesty and integrity of the administrators. There are approaches to minimise mistakes or fraud. I guess you are looking for this.
When putting to a queue, the destination queue name (and optional queue manager) can be specified, but the cluster can't be specified.
You should be using a hierarchical naming standard for queues, so that their home cluster can be easily identified. It is then possible to run regular reporting to identify rogue queues. The mistake can then be rectified, the root cause investigated, and appropriate preventative action taken. _________________ Glenn |
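A sketch of the regular rogue-queue report suggested in the last post, added here as an example that is not part of the thread or of any IBM tooling. It assumes the naming standard is "first dot-separated token of the object name is its home cluster" and that the input is runmqsc text output of `DISPLAY QCLUSTER(*) CLUSTER CLUSQMGR`; the sample output and queue manager names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of runmqsc output (queue manager names are made up).
SAMPLE = """\
AMQ8409I: Display Queue details.
   QUEUE(CL1.Q1)                           TYPE(QCLUSTER)
   CLUSQMGR(QM1)                           CLUSTER(CL1)
AMQ8409I: Display Queue details.
   QUEUE(CL1.Q1)                           TYPE(QCLUSTER)
   CLUSQMGR(QMX)                           CLUSTER(CL2)
AMQ8409I: Display Queue details.
   QUEUE(CL1.ALIAS)                        TYPE(QCLUSTER)
   CLUSQMGR(QMY)                           CLUSTER(CL3)
AMQ8409I: Display Queue details.
   QUEUE(CL2.ORDERS)                       TYPE(QCLUSTER)
   CLUSQMGR(QMX)                           CLUSTER(CL2)
"""

ATTR = re.compile(r"(\w+)\(([^)]*)\)")  # KEYWORD(value) pairs as runmqsc prints them

def parse_qcluster(text):
    """Return one {keyword: value} dict per AMQ8409 record in the output."""
    records = []
    for line in text.splitlines():
        if line.startswith("AMQ8409"):        # each record starts with this message
            records.append({})
        elif records:
            records[-1].update((k, v.strip()) for k, v in ATTR.findall(line))
    return [r for r in records if "QUEUE" in r and "CLUSTER" in r]

def rogue_instances(records):
    """Instances whose name prefix (before the first '.') is not the advertising cluster."""
    return sorted(
        (r["QUEUE"], r["CLUSTER"], r.get("CLUSQMGR", "?"))
        for r in records
        if r["QUEUE"].split(".", 1)[0] != r["CLUSTER"]
    )

def multi_cluster_names(records):
    """Object names advertised in more than one cluster, with the clusters involved."""
    seen = defaultdict(set)
    for r in records:
        seen[r["QUEUE"]].add(r["CLUSTER"])
    return {q: sorted(c) for q, c in seen.items() if len(c) > 1}

if __name__ == "__main__":
    recs = parse_qcluster(SAMPLE)
    print(rogue_instances(recs), multi_cluster_names(recs))
```

Run from a queue manager that is a member of every overlapping cluster, the report covers both the duplicated Q1 from the original question and a copied alias name such as CL1.ALIAS.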