ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexGeneral DiscussionMQ client connection from external 3rd parties

Post new topicReply to topic
MQ client connection from external 3rd parties View previous topic :: View next topic
Author Message
zrux
PostPosted: Thu Dec 17, 2020 1:02 am Post subject: MQ client connection from external 3rd parties Reply with quote

Apprentice

Joined: 21 May 2006
Posts: 36
Location: UK

Just trying to get a opinion/poll around what your organisation practices around this area.

Do you allow MQ client connections from external companies /vendors

What would be some pros and cons to allow this?
So far I have always resisted the MQ client connections from external, but getting pressured to allow this.
Back to top
View user's profile Send private message
crashdog
PostPosted: Thu Dec 17, 2020 5:41 am Post subject: Reply with quote

Voyager

Joined: 02 Apr 2017
Posts: 77

As long as they connect with a secure network, valid certificates and strong ciphers, I don't see any issues.
But over an unsecured internet connection probably a no go.

The other question is how you administrate third parties. Active directory logins, Channel authentication and authentication records. Probably needs some more effort then internal connections. Also the third parties requirements on segregation of the data they might send needs to be considered.

Just my 2 cents.

Cheers,
Gerhard
_________________
You win again gravity !
Back to top
View user's profile Send private message
Vitor
PostPosted: Thu Dec 17, 2020 6:05 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

My 2 cents:

I don't allow it. You need too many openings in the firewall to make it work, and that kind of geographically distant connection can be wobbly.

I prefer one simple port open on my firewall with MQ handling the retry.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
bruce2359
PostPosted: Thu Dec 17, 2020 9:35 am Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9302
Location: US: west coast, almost. Otherwise, enroute.

My 0.016 Euro:

External (untrusted) clients should only connect to a qmgr in the DMZ, and only authenticated transaction should be forwarded to a qmgr inside your network.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
crashdog
PostPosted: Thu Dec 17, 2020 12:27 pm Post subject: Reply with quote

Voyager

Joined: 02 Apr 2017
Posts: 77

But isn't it some times a necessity to allow 3rd parties (partners and customers) to connect ? Do you differentiate between SVRCONN and SDR/RCVR connections ?
Geographical distance ? The 3rd party could be across the street...

I'm down to 1 cent now.

Cheers,
Gerhard
_________________
You win again gravity !
Back to top
View user's profile Send private message
bruce2359
PostPosted: Thu Dec 17, 2020 1:11 pm Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9302
Location: US: west coast, almost. Otherwise, enroute.

crashdog wrote:
But isn't it some times a necessity to allow 3rd parties (partners and customers) to connect ?

Of course. Suppliers might need to inquire your inventory to see if you are running low on widgets.

crashdog wrote:
Do you differentiate between SVRCONN and SDR/RCVR connections ?
Geographical distance ? The 3rd party could be across the street...

I'm down to 1 cent now.

Cheers,
Gerhard

Given the speed of light and our broadband networks today, physical distance isn't much of an issue.

Regarding channels: who/what is at the other end is the concern. For SDR/RCVR channels it's another qmgr. For SVRCONN channels it's a client-bindings apps on platforms of dubious reliability and security. The issue for channels is one of trust. CHLAUTH records (rules) and SSL/TLS can dramatically improve security.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
gbaddeley
PostPosted: Thu Dec 17, 2020 2:31 pm Post subject: Re: MQ client connection from external 3rd parties Reply with quote

Jedi

Joined: 25 Mar 2003
Posts: 2429
Location: Melbourne, Australia

zrux wrote:
Just trying to get a opinion/poll around what your organisation practices around this area.
Do you allow MQ client connections from external companies /vendors
What would be some pros and cons to allow this?
So far I have always resisted the MQ client connections from external, but getting pressured to allow this.

Yes. Should be via a dedicated link or VPN. Should use TLS authentication & encryption. Should connect to a dedicated gateway qmgr in your DMZ network segment to limit exposure.

We have both client and sender/receiver channels with external parties. Generally it is very reliable, except for the occasional network glitch.

Plug: Read chapters 2-7 and 10 of http://www.redbooks.ibm.com/abstracts/sg248069.html?Open

MQ is good at B2B, but we are gradually moving away from MQ for this purpose, to other B2B solutions that don't require MQ programming and transactionality, and are more suited to push/pull file payloads and EDI. It also means that the partner does not need MQ licensing.
_________________
Glenn
Back to top
View user's profile Send private message
crashdog
PostPosted: Fri Dec 18, 2020 1:27 am Post subject: Reply with quote

Voyager

Joined: 02 Apr 2017
Posts: 77

In finance / banking "know your customer" or KYC has been a subject for quite some time now. You usually don't let any unknown entity connect to your infrastructure.

For MQ clients you never had any license costs afaik. Or at least not since V7.

With a little imagination an adversary could simulate a qmgr and a sender channel and do just as much harm as an MQ client (maybe even more because it's connecting with the mqm user).

for a few cents more.

Cheers,
Gerhard
_________________
You win again gravity !
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Fri Dec 18, 2020 6:57 pm Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7714

crashdog wrote:

With a little imagination an adversary could simulate a qmgr and a sender channel and do just as much harm as an MQ client (maybe even more because it's connecting with the mqm user).

MQ Clients can issue many more API calls than CLUSRCVR or RCVR channels.
Of course the MQ API calls MQ Clients can successfully execute against your QM can be controlled by AUTHRECs.

A channel from a remote QM is connecting as mqm only because you choose to allow that. Certainly not required or even desired.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Fri Dec 18, 2020 6:59 pm Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7714

Some companies have a policy against data at rest in the DMZ.
A queue manager in the DMZ introduces the possibility of data at rest in the DMZ.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Fri Dec 18, 2020 7:10 pm Post subject: Reply with quote

Poobah

Joined: 15 May 2001
Posts: 7714

bruce2359 wrote:
crashdog wrote:
But isn't it some times a necessity to allow 3rd parties (partners and customers) to connect ?

Of course. Suppliers might need to inquire your inventory to see if you are running low on widgets.

crashdog wrote:
Do you differentiate between SVRCONN and SDR/RCVR connections ?
Geographical distance ? The 3rd party could be across the street...

I'm down to 1 cent now.

Cheers,
Gerhard

Given the speed of light and our broadband networks today, physical distance isn't much of an issue.


I think its less about latency and more about stability of the network connection. I prefer to depend on the QM to QM channel architecture for restoring connectivity when our network and their network have a disagreement. Otherwise you rely on the reconnect logic (if any) by the developer of their MQ Client app, the developer who only cared about functionality of 1 transaction during the project and not reliability and resiliency for something they never planned to support past the day of the release.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
mounika380
PostPosted: Tue May 18, 2021 8:20 am Post subject: Reply with quote

Newbie

Joined: 18 May 2021
Posts: 3

I don't have any pressure to add MQ Clients. Here it's ok. I added many
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexGeneral DiscussionMQ client connection from external 3rd parties
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.