Preventing queue managers joining a cluster

If you want to ensure that only certain authorized queue managers attempt to join a cluster, either use a security exit program on the cluster-receiver channel, or write an exit program to prevent unauthorized queue managers from writing to SYSTEM.CLUSTER.COMMAND.QUEUE. Do not restrict access to SYSTEM.CLUSTER.COMMAND.QUEUE such that no queue manager can write to it, or you would prevent any queue manager from joining the cluster.

It is difficult to stop a queue manager that is a member of a cluster from defining a queue. Therefore, there is a danger that a rogue queue manager can join a cluster, learn what queues are in it, define its own instance of one of those queues, and so receive messages that it should not be authorized to receive.

To prevent a queue manager receiving messages that it should not, you can write:

  • A channel exit program on each cluster-sender channel, which uses the connection name to determine whether the destination queue manager is a suitable recipient of the messages. By using SSL on the cluster-receiver channel of the full repository queue managers, you can control which other queue managers can join the cluster.

  • A cluster workload exit program, which uses the destination records to determine whether the destination queue and queue manager are suitable recipients of the messages.

  • A channel auto-definition exit program, which uses the connection name to determine whether it is appropriate to define channels to the destination queue manager.

Using security exits on cluster channels

When a cluster-sender channel is first started, it uses attributes defined manually by a system administrator. When the channel is stopped and restarted, it picks up the attributes from the corresponding cluster-receiver channel definition. The original cluster-sender channel definition is overwritten with the new attributes, including the SecurityExit attribute. Note the following:

  1. You must define a security exit on both the cluster-sender end and the cluster-receiver end of a channel, in order for it to be effective. Even though the security exit name is sent over from the cluster-receiver definition, the initial connection must be made with a security-exit handshake.

  2. In addition to the normal security-message handshake, the security exit must validate the PartnerName in the MQCXP structure. The exit must allow the channel to start only if the partner queue manager is authorized.

  3. Design the security exit on the cluster-receiver definition to be receiver initiated. If you design it as sender initiated, an unauthorized queue manager without a security exit can join the cluster because no security checks are performed. Not until the channel is stopped and restarted can the SCYEXIT name be sent over from the cluster-receiver definition and full security checks made. Refer to the WebSphere MQ Intercommunication book for information about sender-initiated and receiver-initiated security exits.
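The following is an added example, not code from the WebSphere MQ documentation or product, of the decision logic points 2 and 3 describe: a receiver-initiated security exit that, on top of the normal security-message handshake, validates the blank-padded PartnerName field before allowing the channel to start. A real exit is compiled against cmqc.h and cmqxc.h and receives a pointer to the full MQCXP structure; to build without those headers this example declares a stand-in structure with only the fields it needs, re-declares the reason and response constants locally (values copied from memory of cmqxc.h, so verify them against your own headers), and uses a constructed allow list of queue manager names.

```c
/* Added example: partner validation for a receiver-initiated cluster security exit.
 * The DemoCXP structure and the MQXR_/MQXCC_ values are stand-ins for the real
 * MQCXP and cmqxc.h definitions (assumption: check against your MQ headers). */
#include <stdio.h>
#include <string.h>

#define MQ_Q_MGR_NAME_LENGTH 48

/* Stand-in constants; the real ones come from cmqxc.h. */
#define MQXR_INIT_SEC                   16
#define MQXR_SEC_MSG                    15
#define MQXCC_OK                         0
#define MQXCC_SEND_AND_REQUEST_SEC_MSG (-3)
#define MQXCC_CLOSE_CHANNEL             (-6)

typedef struct {
    long ExitReason;
    long ExitResponse;
    char PartnerName[MQ_Q_MGR_NAME_LENGTH]; /* blank padded, not NUL terminated */
} DemoCXP;

/* Constructed allow list: the only queue managers permitted on this channel. */
static const char *const ALLOWED_QMGRS[] = { "QM_FR1", "QM_FR2", "QM_APP1" };

/* Exact match of a blank- or NUL-padded MQCHAR48 field against a C string.
 * Checking the padding stops "QM_APP10" from matching the entry "QM_APP1". */
static int qmgr_name_matches(const char *field48, const char *name)
{
    size_t len = strlen(name);
    if (len > MQ_Q_MGR_NAME_LENGTH || memcmp(field48, name, len) != 0)
        return 0;
    for (size_t i = len; i < MQ_Q_MGR_NAME_LENGTH; i++)
        if (field48[i] != ' ' && field48[i] != '\0')
            return 0;
    return 1;
}

int partner_authorized(const char *partner48)
{
    for (size_t i = 0; i < sizeof ALLOWED_QMGRS / sizeof ALLOWED_QMGRS[0]; i++)
        if (qmgr_name_matches(partner48, ALLOWED_QMGRS[i]))
            return 1;
    return 0;
}

/* Decision the exit makes on each call; returns the ExitResponse it set. */
long security_exit_decide(DemoCXP *cxp, int is_receiver_side)
{
    switch (cxp->ExitReason) {
    case MQXR_INIT_SEC:
        /* Receiver initiated: the receiving end sends the first security message
         * and demands a reply, so a sender with no exit cannot skip the checks. */
        cxp->ExitResponse = is_receiver_side ? MQXCC_SEND_AND_REQUEST_SEC_MSG : MQXCC_OK;
        break;
    case MQXR_SEC_MSG:
        /* Besides the normal security-message exchange, require an authorized partner. */
        cxp->ExitResponse = partner_authorized(cxp->PartnerName) ? MQXCC_OK
                                                                 : MQXCC_CLOSE_CHANNEL;
        break;
    default:
        cxp->ExitResponse = MQXCC_OK;
    }
    return cxp->ExitResponse;
}

/* Build a blank-padded MQCHAR48 name from a C string (constructed test input). */
void pad_qmgr_name(char *field48, const char *name)
{
    size_t len = strlen(name);
    if (len > MQ_Q_MGR_NAME_LENGTH) len = MQ_Q_MGR_NAME_LENGTH;
    memset(field48, ' ', MQ_Q_MGR_NAME_LENGTH);
    memcpy(field48, name, len);
}

int main(void)
{
    DemoCXP cxp = {0};
    cxp.ExitReason = MQXR_SEC_MSG;
    pad_qmgr_name(cxp.PartnerName, "QM_ROGUE");
    printf("QM_ROGUE  -> %ld\n", security_exit_decide(&cxp, 1));
    pad_qmgr_name(cxp.PartnerName, "QM_APP1");
    printf("QM_APP1   -> %ld\n", security_exit_decide(&cxp, 1));
    return 0;
}
```

The security messages exchanged in the handshake itself are left out; the point shown is that the partner check is applied at MQXR_SEC_MSG on the receiving side, and that the MQCHAR48 comparison must account for the padding rather than using strcmp on a field that has no terminator.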

  4. To view the cluster-sender channel definition that is currently in use, use the command:

     DISPLAY CLUSQMGR(queue manager) ALL

     This displays the attributes that have been sent across from the cluster-receiver definition. To view the original definition, use the command:

     DISPLAY CHANNEL(channel name) ALL

  5. If the queue managers are on different platforms, you might need to define a channel auto-definition exit on the cluster-sender queue manager to set the SecurityExit attribute. This is because the format of the exit name in the SecurityExit attribute differs between platforms. For example, on z/OS the format is SCYEXIT('SECEXIT'), whereas on Windows it is SCYEXIT('C:/path/SECEXIT(function)'). Therefore, although the initial handshake can succeed, when the attribute is passed from the cluster-receiver definition on one platform to the cluster-sender definition on another platform, it has the wrong format. This results in an error saying that the user exit is not valid. To avoid this error, write a channel auto-definition exit to define the correctly formatted security exit name on the remote queue manager.
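As an added example (not from the WebSphere MQ documentation or product), the routine below shows the one job point 5 gives the channel auto-definition exit: replacing the SecurityExit value received from the cluster-receiver definition with one formatted for the local platform. The two formats are the ones the text gives for z/OS and Windows; the platform codes, the directory C:/exits, the function name SecExit, the 128-character field width and the 8-character limit on z/OS module names are assumptions made for the demonstration, and the DemoCD structure stands in for the MQCD the real exit would receive.

```c
/* Added example: formatting the SecurityExit attribute per platform in a
 * channel auto-definition exit. DemoCD, the platform codes and the limits
 * are stand-ins (assumptions), not definitions from the MQ headers. */
#include <stdio.h>
#include <string.h>

#define EXIT_NAME_LENGTH 128   /* assumed width of the SecurityExit field */
#define ZOS_MODULE_MAX     8   /* assumed limit for a z/OS load module name */

enum { PLAT_ZOS = 1, PLAT_WINDOWS = 2 };

/* Write the SecurityExit string for the given platform into out.
 * Returns 0 on success, -1 for an unknown platform or a name that does not fit. */
int format_security_exit(int platform, const char *module, const char *function,
                         const char *dir, char *out, size_t outlen)
{
    int n;
    switch (platform) {
    case PLAT_ZOS:
        /* z/OS form from the page: SCYEXIT('SECEXIT'), module name only. */
        if (strlen(module) > ZOS_MODULE_MAX)
            return -1;
        n = snprintf(out, outlen, "%s", module);
        break;
    case PLAT_WINDOWS:
        /* Windows form from the page: SCYEXIT('C:/path/SECEXIT(function)'). */
        n = snprintf(out, outlen, "%s/%s(%s)", dir, module, function);
        break;
    default:
        return -1;
    }
    if (n < 0 || (size_t)n >= outlen || n > EXIT_NAME_LENGTH)
        return -1;
    return 0;
}

/* Stand-in for the part of MQCD the exit rewrites (assumption). */
typedef struct { char SecurityExit[EXIT_NAME_LENGTH]; } DemoCD;

/* The auto-definition exit overwrites whatever exit name arrived from the
 * cluster-receiver definition with the locally valid form. */
int autodef_set_security_exit(DemoCD *cd, int local_platform)
{
    char buf[EXIT_NAME_LENGTH + 1];
    if (format_security_exit(local_platform, "SECEXIT", "SecExit", "C:/exits",
                             buf, sizeof buf) != 0)
        return -1;
    memset(cd->SecurityExit, ' ', sizeof cd->SecurityExit); /* blank padded like MQ */
    memcpy(cd->SecurityExit, buf, strlen(buf));
    return 0;
}

int main(void)
{
    DemoCD cd;
    /* Simulate the name that arrived from a z/OS cluster-receiver definition. */
    memset(cd.SecurityExit, ' ', sizeof cd.SecurityExit);
    memcpy(cd.SecurityExit, "SECEXIT", 7);
    if (autodef_set_security_exit(&cd, PLAT_WINDOWS) == 0)
        printf("SecurityExit now: %.*s\n", EXIT_NAME_LENGTH, cd.SecurityExit);
    return 0;
}
```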

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.