SSL/TLS implementation in subset of cluster channels

adireddy123 (Newbie; Joined: 20 Sep 2011; Posts: 9)
Posted: Tue Mar 05, 2019 3:24 am    Post subject: SSL/TLS implementation in subset of cluster channels

QMA and QMB qmgrs are in my cluster setup. The MQ cluster setup is already in place.

QMA - Full Repo queue manager and Cluster Channels TO.QMA and TO.QMB

QMB - Full Repo queue manager and Cluster Channels TO.QMB and TO.QMA

Two different customers' queue managers are joined in my cluster setup as Partial Repo queue managers.

Customer-1:
Queue Manager: C1_QMC

Customer-2:
Queue Manager: C2_QMD

I am new to MQ SSL.

Now Customer-1 (C1_QMC) wants to implement SSL/TLS between my qmgrs (QMA/QMB) and C1_QMC.

I have implemented SSL/TLS between QMA & QMB <-> C1_QMC and it has impacted the C2_QMD channels (Customer-2), as the cluster receiver channels (TO.QMA and TO.QMB) are common to Customer-1 and Customer-2.

Is it possible to implement the SSL/TLS setup without impacting Customer-2?

Do I need to define a new Gateway queue manager and a new cluster setup for the SSL/TLS implementation for Customer-1?

Is it not possible with the cluster setup, only with P2P channels using a GW queue manager, to avoid impact to Customer-2?

Appreciate it if you point me in the right direction.

Please let me know if you need more info.

Thank you.

		  
		  	
		   | 
		 
		
		    | 
		 
		
hughson (Padawan; Joined: 09 May 2013; Posts: 1967; Location: Bay of Plenty, New Zealand)
Posted: Tue Mar 05, 2019 6:58 am

You have correctly deduced that it is not possible to implement SSL/TLS on a cluster channel without impacting all other users of that channel, since it is a shared definition.

It is possible to create a channel auto-definition exit to turn it on or off where needed, but that is a complex task.

You could have two pairs of channels, with NETPRTY set to cause the SSL one to be used in preference where it works, but that is not ideal.

You are correct that a GW queue manager could be used to isolate Customer-2 from these changes to your cluster, and in fairness, most people have GW QMgrs rather than allowing other organisations to directly join their cluster.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

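The "two pairs of channels with NETPRTY" option from the reply above, written out as MQSC for one full repository. This is an added example, not code from the thread or from IBM: the cluster name MYCLUS, the host name, the CipherSpec and the channel name TO.QMA.TLS are assumed values, and the same definitions would be repeated on QMB.

```mqsc
* Added example, not from the thread: the "two pairs of channels" option on
* full repository QMA. Cluster name MYCLUS, the host name, the CipherSpec and
* the channel name TO.QMA.TLS are assumed values; repeat the same on QMB.

* 1. The existing plain-text cluster receiver is left in place so Customer-2,
*    who has no certificate yet, keeps working. NETPRTY(0) is the default.
ALTER CHANNEL(TO.QMA) CHLTYPE(CLUSRCVR) NETPRTY(0)

* 2. A second cluster receiver, advertised to the same cluster through the
*    same listener, that requires TLS and a client certificate. The higher
*    NETPRTY makes the cluster workload algorithm prefer it over TO.QMA
*    whenever the auto-defined sender on the partner side can start.
DEFINE CHANNEL(TO.QMA.TLS) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('qma.example.com(1414)') CLUSTER(MYCLUS) +
       SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256) SSLCAUTH(REQUIRED) +
       NETPRTY(5) DESCR('TLS cluster receiver for certified partners') +
       REPLACE

* 3. Check what the repository now advertises for QMA: both channels, with
*    their priority and CipherSpec, exactly as every partner will see them.
DISPLAY CLUSQMGR(QMA) CHANNEL NETPRTY SSLCIPH
```

Both receivers can share one listener because MQ exchanges the channel name before the TLS handshake, so the receiving end takes the CipherSpec from whichever definition was named. The part Morag calls "not ideal" is visible from the partner side: a queue manager without a certificate still gets an auto-defined cluster sender for TO.QMA.TLS, which fails to start and writes errors to that partner's log before its traffic settles on TO.QMA.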
		  
		  	
		   | 
		 
		
		    | 
		 
		
adireddy123 (Newbie; Joined: 20 Sep 2011; Posts: 9)
Posted: Wed Mar 06, 2019 4:52 am

Thank you Morag.

There are no SSL/TLS errors on the Customer-2 queue manager after we have made the following changes:

1. Altered the cluster receiver channel SSLCAUTH to OPTIONAL in the TO.QMA and TO.QMB channels on the QMA and QMB queue managers.

2. Added the QMA and QMB SSL certs on the Customer-2 queue manager (not added SSL at the Customer-2 cluster sender/receiver channels).

Is it the right direction?

If we go with the Gateway queue manager concept, can we set SSL only at the P2P channel level between the GW qmgr and the Customer-1 qmgr?

Or can we set SSL at the cluster channel level with the Gateway queue manager?

		  
		  	
		   | 
		 
		
		    | 
		 
		
hughson (Padawan; Joined: 09 May 2013; Posts: 1967; Location: Bay of Plenty, New Zealand)
Posted: Wed Mar 06, 2019 12:51 pm

adireddy123 wrote:
    There are no SSL/TLS errors on the Customer-2 queue manager after we have made the following changes:

    1. Altered the cluster receiver channel SSLCAUTH to OPTIONAL in the TO.QMA and TO.QMB channels on the QMA and QMB queue managers.

    2. Added the QMA and QMB SSL certs on the Customer-2 queue manager (not added SSL at the Customer-2 cluster sender/receiver channels).

So you are using one SSL/TLS channel and one non-SSL/TLS channel on Customer-2 then?

You appear to have an anonymous SSL/TLS channel from Customer-2 to QMA and to QMB (because although you haven't changed the cluster-sender channel at Customer-2, you are using the attributes defined in the cluster-receiver channels on QMA and QMB).

Your channel into the queue manager on Customer-2 is not using SSL/TLS because you haven't changed the cluster-receiver on that queue manager.

Is this what you intended? SSL/TLS on one channel and not on the other?

Given that you have gone this far, why not make a certificate for Customer-2 as well and finish it off?

P.S. Think about using CA-signed certificates rather than self-signed ones as you have described.

adireddy123 wrote:
    If we go with the Gateway queue manager concept, can we set SSL only at the P2P channel level between the GW qmgr and the Customer-1 qmgr?

    Or can we set SSL at the cluster channel level with the Gateway queue manager?

The point of the GW solution is that all members of the cluster use SSL/TLS, so the cluster channels to the GW necessarily are using SSL/TLS. The P2P channels from GW to external customer can have an independent decision made about SSL/TLS - the independence being the whole point?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

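The gateway layout described in both replies, written out as MQSC on the gateway queue manager, as an added example that is not part of the original thread or of any IBM sample. The queue manager names QMA, C1_QMC and C2_QMD come from the thread; the gateway name GW, cluster name MYCLUS, host names, queue names, MCA user ids, the CipherSpec, the certificate DN and the 203.0.113.0/24 address range (an RFC 5737 documentation range) are assumptions. It also shows the verification step a practitioner would run afterwards, which the thread does not.

```mqsc
* Added example, not from the thread: gateway queue manager GW is a full TLS
* member of MYCLUS and talks to each customer over its own P2P channels.
* QMA, C1_QMC and C2_QMD are names from the thread; GW, MYCLUS, hosts, queue
* names, user ids, CipherSpec, DN and the address range are assumed values.

* --- On GW: its own key repository and certificate label (no .kdb suffix).
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/GW/ssl/key') CERTLABL('ibmwebspheremqgw')

* --- On GW: cluster membership. TLS is mandatory here, like on every other
*     cluster member, and the repository QMA/QMB channels require a client cert.
DEFINE CHANNEL(TO.GW) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('gw.example.com(1414)') CLUSTER(MYCLUS) +
       SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256) SSLCAUTH(REQUIRED) REPLACE
DEFINE CHANNEL(TO.QMA) CHLTYPE(CLUSSDR) TRPTYPE(TCP) +
       CONNAME('qma.example.com(1414)') CLUSTER(MYCLUS) +
       SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256) REPLACE

* --- On GW: P2P pair to Customer-1, who asked for TLS. SSLPEER pins the
*     partner's certificate DN and the CHLAUTH rule maps that DN to a
*     low-privilege id, so the channel never runs as the MCA's default user.
DEFINE QLOCAL(C1_QMC) USAGE(XMITQ) REPLACE
DEFINE CHANNEL(GW.TO.C1_QMC) CHLTYPE(SDR) TRPTYPE(TCP) +
       CONNAME('mq.customer1.example(1414)') XMITQ(C1_QMC) +
       SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256) REPLACE
DEFINE CHANNEL(C1_QMC.TO.GW) CHLTYPE(RCVR) TRPTYPE(TCP) +
       SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256) SSLCAUTH(REQUIRED) +
       SSLPEER('O=Customer1') MCAUSER('c1mca') REPLACE
SET CHLAUTH(C1_QMC.TO.GW) TYPE(SSLPEERMAP) SSLPEER('O=Customer1') +
    USERSRC(MAP) MCAUSER('c1mca') ACTION(REPLACE)

* --- On GW: P2P pair to Customer-2, decided independently: no SSLCIPH, so
*     nothing changes for them. Without TLS the only partner check left is the
*     source address, so restrict the receiver to Customer-2's range.
DEFINE QLOCAL(C2_QMD) USAGE(XMITQ) REPLACE
DEFINE CHANNEL(GW.TO.C2_QMD) CHLTYPE(SDR) TRPTYPE(TCP) +
       CONNAME('mq.customer2.example(1414)') XMITQ(C2_QMD) REPLACE
DEFINE CHANNEL(C2_QMD.TO.GW) CHLTYPE(RCVR) TRPTYPE(TCP) MCAUSER('c2mca') REPLACE
SET CHLAUTH(C2_QMD.TO.GW) TYPE(ADDRESSMAP) ADDRESS('203.0.113.*') +
    USERSRC(MAP) MCAUSER('c2mca') ACTION(REPLACE)

* --- On GW: make each customer's queue reachable from the cluster through
*     the gateway, so QMA and QMB never address the customers directly.
DEFINE QREMOTE(C1.APP.Q) RNAME(APP.Q) RQMNAME(C1_QMC) XMITQ(C1_QMC) +
       CLUSTER(MYCLUS) REPLACE
DEFINE QREMOTE(C2.APP.Q) RNAME(APP.Q) RQMNAME(C2_QMD) XMITQ(C2_QMD) +
       CLUSTER(MYCLUS) REPLACE

* --- Verification once the channels are running: the negotiated CipherSpec,
*     the DN actually presented by the peer, and the issuer that signed it
*     (SSLCERTI), which is where a self-signed cert shows up.
DISPLAY CHSTATUS(C1_QMC.TO.GW) SSLCIPH SSLPEER SSLCERTI
DISPLAY CHSTATUS(TO.GW) SSLCIPH SSLPEER SSLCERTI
```

This is the split the second reply describes: everything inside MYCLUS, including GW's own cluster channels, is TLS with client authentication required, while each customer's P2P pair carries its own SSLCIPH decision. Customer-1's channel is TLS with the peer DN pinned; Customer-2's stays plain and is instead limited by address. Customer-2 can later be moved to TLS by adding SSLCIPH, SSLCAUTH and SSLPEER to its pair only, without touching the cluster or Customer-1.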
		  
		  	
		   | 
		 
		
		    | 
		 
		