Preventing queue managers joining a cluster
If a rogue queue manager joins a cluster, it is difficult to prevent it from receiving messages that you do not want it to receive.
Procedure
To ensure that only certain authorized queue managers join a cluster, you have a choice of three techniques:
- Use channel authentication records. With these records you can block the cluster channel connection based on the remote IP address, the remote queue manager name, or the TLS Distinguished Name provided by the remote system.
- Write an exit program to prevent unauthorized queue managers from writing to SYSTEM.CLUSTER.COMMAND.QUEUE. Do not restrict access to SYSTEM.CLUSTER.COMMAND.QUEUE such that no queue manager can write to it, or you would prevent any queue manager from joining the cluster.
- Use a security exit program on the CLUSRCVR channel definition.
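The first technique, shown as an added MQSC example that is not part of the original page: a default-deny rule on a cluster-receiver channel, with one exception by queue manager name and address and one by TLS Distinguished Name. The channel name CLUSTER1.QM1, the queue manager name QM2, the 192.0.2.x addresses and the DN are assumed placeholder values.

```mqsc
* Added example. All names, addresses and DNs below are placeholders.
* Turn on channel authentication record checking for the queue manager.
ALTER QMGR CHLAUTH(ENABLED)

* Default: refuse every inbound connection on the cluster-receiver channel.
SET CHLAUTH('CLUSTER1.QM1') TYPE(ADDRESSMAP) +
    ADDRESS('*') USERSRC(NOACCESS) +
    DESCR('Default deny for cluster receiver') ACTION(REPLACE)

* Exception by remote queue manager name, limited to one known address.
* The name is supplied by the remote system, so the ADDRESS restriction
* is what stops another host from simply presenting the same name.
SET CHLAUTH('CLUSTER1.QM1') TYPE(QMGRMAP) +
    QMNAME('QM2') ADDRESS('192.0.2.10') USERSRC(CHANNEL) +
    DESCR('Allow QM2 from its known address') ACTION(REPLACE)

* Exception by TLS Distinguished Name presented in the remote certificate.
* A matching DN rule takes precedence over queue manager name and
* address rules for the same channel.
SET CHLAUTH('CLUSTER1.QM1') TYPE(SSLPEERMAP) +
    SSLPEER('CN=QM3,OU=MQ Cluster1,O=Example Corp') USERSRC(CHANNEL) +
    DESCR('Allow QM3 by certificate DN') ACTION(REPLACE)

* Check which record would apply to a given inbound connection.
* Expected: the QMGRMAP record for QM2 (connection allowed).
DISPLAY CHLAUTH('CLUSTER1.QM1') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') QMNAME('QM2')

* Expected: the default ADDRESSMAP record (connection refused).
DISPLAY CHLAUTH('CLUSTER1.QM1') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.99') QMNAME('QM9')
```

The DN rule only has an effect when the channel is configured for TLS and the remote system presents a certificate.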