mca (Disciple; joined 09 Mar 2005; 196 posts)
Posted: Tue Mar 29, 2016 12:19 pm    Post subject: Restricting Broker Incoming traffic

Need some suggestions regarding project architecture. We are in the development phase on a project that takes a web service request to Datapower -> Message Broker -> IMS (backend).
The business users want the message broker code to only accept requests from Datapower and reject the rest on UAT and Prod. Any suggestions on how to accomplish this?
		
PeterPotkay (Poobah; joined 15 May 2001; 7723 posts)
Posted: Tue Mar 29, 2016 3:17 pm

How is the data getting from DataPower to WMB?
_________________
Peter Potkay
Keep Calm and MQ On
		
mca (Disciple; joined 09 Mar 2005; 196 posts)
Posted: Tue Mar 29, 2016 5:17 pm

It is a web service request that is getting to a SOAP Input node listening on a port.
		
smdavies99 (Jedi Council; joined 10 Feb 2003; 6076 posts; Location: Somewhere over the Rainbow this side of Never-never land.)
Posted: Tue Mar 29, 2016 11:44 pm

If that is the case then the source IP address is contained in the data available to the message flow. It is a simple job to restrict the number of IPs that are allowed through in the flow itself.
Then issue an appropriate (say 401, 403 or 503) response back to the caller.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
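The in-flow source-address check smdavies99 describes, as an added example that is not code from the thread or from IBM: Python standing in for the Compute/JavaCompute node logic. It assumes the broker's HTTP listener exposes the TCP peer address to the flow as an X-Remote-Addr header (the thread does not say where the source IP surfaces; treat that header name as an assumption and confirm it against the HTTPInput node documentation for your IIB/WMB version). The DataPower addresses and the sample requests are constructed.

```python
"""Source-address allow-list for a SOAP/HTTP listener: allowed peers pass,
everything else gets a 403.

Added example, not from the thread and not IBM code. Assumption: the listener
puts the TCP peer address in X-Remote-Addr. Addresses below are constructed.
"""
import ipaddress
from typing import Iterable, Mapping, Optional, Tuple

# Constructed: the DataPower appliances that may reach this flow. Single hosts
# and CIDR ranges are both accepted; a host entry becomes a /32 (or /128).
DATAPOWER_ALLOW_LIST = ("10.20.30.40", "10.20.30.41/32", "192.0.2.0/29")


def compile_allow_list(entries: Iterable[str]) -> Tuple[ipaddress._BaseNetwork, ...]:
    """Parse the allow-list once at deploy time. strict=True makes a range with
    host bits set (e.g. 192.0.2.5/29) a deployment error instead of a silent widening."""
    return tuple(ipaddress.ip_network(entry, strict=True) for entry in entries)


def peer_address(headers: Mapping[str, str]) -> Optional[str]:
    """Return the listener-set peer address, case-insensitively.

    X-Forwarded-For, X-Real-IP and friends are deliberately ignored: they are
    caller-supplied, so anyone can set them to a DataPower address."""
    for name, value in headers.items():
        if name.lower() == "x-remote-addr":
            return value.strip()
    return None


def authorize_source(headers: Mapping[str, str],
                     allow_list: Tuple[ipaddress._BaseNetwork, ...]) -> Tuple[int, str]:
    """Return (http_status, reason). 200 only for a parseable peer address that
    falls inside one of the allowed networks; 403 for everything else, including
    a missing or malformed address (fail closed)."""
    addr = peer_address(headers)
    if addr is None:
        return 403, "no peer address available from the listener"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return 403, f"unparseable peer address {addr!r}"
    # An IPv6 address is never "in" an IPv4 network (and vice versa); the
    # comparison returns False rather than raising, so mixed lists are safe.
    if any(ip in net for net in allow_list):
        return 200, f"{ip} is an allowed source"
    return 403, f"{ip} is not an allowed source"


if __name__ == "__main__":
    allowed = compile_allow_list(DATAPOWER_ALLOW_LIST)
    # Constructed requests: a real DataPower, a spoof attempt, and a direct caller.
    samples = [
        {"X-Remote-Addr": "10.20.30.40", "Content-Type": "text/xml"},
        {"X-Remote-Addr": "203.0.113.9", "X-Forwarded-For": "10.20.30.40"},
        {"Content-Type": "text/xml"},
    ]
    for request in samples:
        print(authorize_source(request, allowed))
```

The value of the check is exactly as good as the source of the address. A load balancer or NAT between DataPower and the broker replaces the peer address with its own, so the allow-list would then have to name the balancer and the restriction moves one hop outward.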
		
mqjeff (Grand Master; joined 25 Jun 2008; 17447 posts)
Posted: Wed Mar 30, 2016 5:09 am

So, what you're saying is - you want to use IIB to replicate the function of a firewall?
Why?
_________________
chmod  -R ugo-wx /
		
smdavies99 (Jedi Council; joined 10 Feb 2003; 6076 posts; Location: Somewhere over the Rainbow this side of Never-never land.)
Posted: Wed Mar 30, 2016 5:25 am

I don't think they want to emulate a firewall. They want to restrict the use of the service to just the flow of data coming from Datapower.
Any web service can be used by anyone if they know the URL, the WSDL service, the XSD and the auth credentials (if implemented).
Going the next step and limiting the valid operation to a set of IPs is nothing really different to setting up rules in MQ to limit access to MQ resources to requests from valid IPs.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
		
mqjeff (Grand Master; joined 25 Jun 2008; 17447 posts)
Posted: Wed Mar 30, 2016 5:38 am

smdavies99 wrote:
    I don't think they want to emulate a firewall. They want to restrict the use of the service to just the flow of data coming from Datapower.
    Any web service can be used by anyone if they know the URL, the WSDL service, the XSD and the auth credentials (if implemented).
    Going the next step and limiting the valid operation to a set of IPs is nothing really different to setting up rules in MQ to limit access to MQ resources to requests from valid IPs.

"I want to block all network traffic to a machine, except from a single network address".

This is a firewall rule.
_________________
chmod  -R ugo-wx /
		
mca (Disciple; joined 09 Mar 2005; 196 posts)
Posted: Wed Mar 30, 2016 6:03 am

The Linux server also hosts other flows which are not part of this restriction. So, we need just one flow, running on an execution group and listening on a port by itself, to have this limitation of accepting the incoming message only from Datapower.
So, how can we do this at the firewall / system level?
		
mqjeff (Grand Master; joined 25 Jun 2008; 17447 posts)
Posted: Wed Mar 30, 2016 6:17 am

mca wrote:
    The Linux server also hosts other flows which are not part of this restriction. So, we need just one flow, running on an execution group and listening on a port by itself, to have this limitation of accepting the incoming message only from Datapower.
    So, how can we do this at the firewall / system level?

The EG listener will have its own port.

Your firewall might be able to block specific parts of the URL, instead of just the port.

Otherwise, put the flow in its own EG.
_________________
chmod  -R ugo-wx /
		
mca (Disciple; joined 09 Mar 2005; 196 posts)
Posted: Wed Mar 30, 2016 6:22 am

The flow will be by itself on the EG which has a port assigned, nothing else running on that EG. Now, is it suggested to do this at the port level or the firewall level?
		
wbi_telecom (Disciple; joined 15 Feb 2006; 188 posts; Location: Harrisburg, PA)
Posted: Thu Mar 31, 2016 4:16 am

Do you have multiple brokers in the same environment? In which case you will use a load balancer like F5, which can enforce the rule you are looking for. If you do not have a load balancer it is a good idea to have one because, other than load balancing, it will also abstract the server name in the URL that you have in your web service WSDL, so your customers are agnostic to server changes, if any, even in the case of a single server.
Cheers,
		
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20767 posts; Location: LI,NY)
Posted: Thu Mar 31, 2016 4:21 am

mca wrote:
    The flow will be by itself on the EG which has a port assigned, nothing else running on that EG. Now, is it suggested to do this at the port level or the firewall level?

Usually this is done at the SSL level, allowing only the DP certs for the broker.
_________________
MQ & Broker admin
		
mqjeff (Grand Master; joined 25 Jun 2008; 17447 posts)
Posted: Thu Mar 31, 2016 4:53 am

fjb_saper wrote:
    mca wrote:
        The flow will be by itself on the EG which has a port assigned, nothing else running on that EG. Now, is it suggested to do this at the port level or the firewall level?

    Usually this is done at the SSL level, allowing only the DP certs for the broker.

You do have to be careful about trusting the CA chain.

And there's no reason not to do a firewall rule, either way.

Mca - talk to your network team.
_________________
chmod  -R ugo-wx /
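The certificate-based restriction fjb_saper suggests, together with mqjeff's caveat about the CA chain, as an added example that is not from the thread and not IBM code: Python's ssl module stands in for the broker's HTTPS listener. Requiring a client certificate that chains to the corporate CA proves only that some CA you trust issued it; any other client of that same CA would pass. The check below therefore also pins the leaf by SHA-256 fingerprint, or demands an exact subject CN issued by the expected CA. The DER bytes, host names, CA name and file paths are all constructed.

```python
"""Tie a mutually-authenticated TLS peer to DataPower specifically.

Added example, not from the thread and not IBM code. The handshake
(ssl.CERT_REQUIRED against the corporate CA) validates the chain; this adds
the leaf check that chain validation alone does not give you.
All names, paths and DER bytes are constructed.
"""
import hashlib
import ssl

# Constructed: stands in for the DER-encoded DataPower client certificate.
DP01_DER = b"constructed-stand-in-for-dp01-der-bytes"

# Option A: pin the exact leaf. This is the value
# `openssl x509 -noout -sha256 -fingerprint` prints, lower-cased, colons removed.
PINNED_FINGERPRINTS = {hashlib.sha256(DP01_DER).hexdigest()}

# Option B: exact subject CN under one specific issuer (constructed names).
# Survives a routine re-issue of the DataPower cert, unlike a pin.
ALLOWED_SUBJECT_CNS = {"dp01.example.internal", "dp02.example.internal"}
EXPECTED_ISSUER_CN = "Corp Internal CA"


def fingerprint_sha256(der: bytes) -> str:
    """Hex SHA-256 of the DER cert, i.e. of getpeercert(binary_form=True)."""
    return hashlib.sha256(der).hexdigest()


def rdn_value(cert: dict, field: str, attr: str):
    """Pull one attribute (e.g. 'commonName') out of the getpeercert() dict's
    'subject' or 'issuer': a tuple of RDNs, each a tuple of (key, value) pairs."""
    for rdn in cert.get(field, ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None


def peer_is_datapower(cert: dict, der: bytes,
                      pins=PINNED_FINGERPRINTS,
                      subject_cns=ALLOWED_SUBJECT_CNS,
                      issuer_cn=EXPECTED_ISSUER_CN) -> bool:
    """A valid chain is necessary, not sufficient. Accept the peer only if its
    leaf is pinned, or its CN is allow-listed AND it came from the expected
    issuer. A matching CN minted by any other CA in the trust store is refused."""
    if fingerprint_sha256(der) in pins:
        return True
    if rdn_value(cert, "issuer", "commonName") != issuer_cn:
        return False
    return rdn_value(cert, "subject", "commonName") in subject_cns


def listener_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Server-side context that rejects any client without a certificate
    chaining to ca_file. Pair it with peer_is_datapower() after the handshake:

        conn = ctx.wrap_socket(sock, server_side=True)
        ok = peer_is_datapower(conn.getpeercert(),
                               conn.getpeercert(binary_form=True))

    Not exercised below: the file paths are constructed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED          # no client cert, no connection
    ctx.load_cert_chain(cert_file, key_file)     # the broker's own identity
    ctx.load_verify_locations(cafile=ca_file)    # only the corporate CA, not the system store
    return ctx


if __name__ == "__main__":
    # Constructed getpeercert()-shaped dicts: DataPower, and another internal
    # client holding a perfectly valid cert from the same CA.
    dp = {"subject": ((("commonName", "dp01.example.internal"),),),
          "issuer": ((("commonName", "Corp Internal CA"),),)}
    other = {"subject": ((("commonName", "payroll-app.example.internal"),),),
             "issuer": ((("commonName", "Corp Internal CA"),),)}
    print(peer_is_datapower(dp, DP01_DER), peer_is_datapower(other, b"other-der"))
```

Whichever option is used, keep the trust store for this listener down to the CA that issues the DataPower certs; loading the whole system store makes the issuer check the only thing standing between the broker and every public CA.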
		
PeterPotkay (Poobah; joined 15 May 2001; 7723 posts)
Posted: Thu Mar 31, 2016 6:51 am

wbi_telecom wrote:
    Do you have multiple brokers in the same environment? In which case you will use a load balancer like F5, which can enforce the rule you are looking for. If you do not have a load balancer it is a good idea to have one because, other than load balancing, it will also abstract the server name in the URL that you have in your web service WSDL, so your customers are agnostic to server changes, if any, even in the case of a single server.
    Cheers,

A load balancer alone can't stop someone from hitting the broker directly.
_________________
Peter Potkay
Keep Calm and MQ On
		
wbi_telecom (Disciple; joined 15 Feb 2006; 188 posts; Location: Harrisburg, PA)
Posted: Fri Apr 01, 2016 5:50 am

The F5 is a firewall that load balances, or vice versa. Cheers,