Additional considerations
Overview
The following are aspects of security you need to consider only if you are using certain MQ functions or base product extensions:
Queue manager clusters
A queue manager cluster is a network of queue managers that are logically associated in some way. A queue manager that is a member of a cluster is called a cluster queue manager.
A queue that belongs to a cluster queue manager can be made known to other queue managers in the cluster. Such a queue is called a cluster queue. Any queue manager in a cluster can send messages to cluster queues without needing any of the following:
- An explicit remote queue definition for each cluster queue
- Explicitly defined channels to and from each remote queue manager
- A separate transmission queue for each outbound channel
You can create a cluster in which two or more queue managers are clones. This means that they have instances of the same local queues, including any local queues declared as cluster queues, and can support instances of the same server applications.
When an application connected to a cluster queue manager sends a message to a cluster queue that has an instance on each of the cloned queue managers, MQ decides which queue manager to send it to. When many applications send messages to the cluster queue, MQ balances the workload across each of the queue managers that have an instance of the queue. If one of the systems hosting a cloned queue manager fails, MQ continues to balance the workload across the remaining queue managers until the system that failed is restarted.
If you are using queue manager clusters, you need to consider the following security issues:
- Allowing only selected queue managers to send messages to the queue manager
- Allowing only selected users of a remote queue manager to send messages to a queue on the queue manager
- Allowing applications connected to the queue manager to send messages only to selected remote queues
These considerations are relevant even if you are not using clusters, but they become more important if you are using clusters.
If an application can send messages to one cluster queue, it can send messages to any other cluster queue without needing additional remote queue definitions, transmission queues, or channels. It therefore becomes more important to consider whether you need to restrict access to the cluster queues on the queue manager, and to restrict the cluster queues to which the applications can send messages.
There are some additional security considerations, which are relevant only if you are using queue manager clusters:
- Allowing only selected queue managers to join a cluster
- Forcing unwanted queue managers to leave a cluster
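The two lists above say what to restrict on a cluster queue manager but not how. Two MQ mechanisms do most of the work: the MCAUSER attribute of the cluster-receiver channel fixes the user ID under which inbound cluster messages are put (so the sending queue manager's claimed identity is not trusted), and setmqaut grants that ID put authority on selected queues only, which covers the "selected queue managers", "selected users of a remote queue manager" and "selected remote queues" points. The script below is an added example, not code from the MQ documentation; the queue manager QM1, channel TO.QM1, user ID mqclus, group clusapp and the queue names are all assumptions constructed for it, and it defaults to a dry-run mode that prints the commands so they can be reviewed before being run against a real queue manager. It does not address cluster membership (who may join or is forced to leave), which needs controls at the channel level that this page does not describe.

```shell
#!/bin/sh
# Added example, not part of the MQ documentation. All names are assumptions:
# queue manager QM1, cluster-receiver channel TO.QM1, user ID mqclus (assumed
# to be a member of group clusapp) that inbound cluster channels run as, and
# the queues ORDERS.QUEUE and AUDIT.QUEUE.
# With MQ_DRY_RUN=1 (the default) commands are printed, not executed.

QMGR="${QMGR:-QM1}"
MQ_DRY_RUN="${MQ_DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$MQ_DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# MQSC that pins the cluster-receiver channel to a fixed user ID. With the
# channel's default PUTAUT(DEF), messages arriving over it are put under this
# ID rather than the ID carried from the remote queue manager, so the queue
# authorities granted to this ID decide what remote queue managers may do.
mcauser_mqsc() {
  printf "ALTER CHANNEL('%s') CHLTYPE(CLUSRCVR) MCAUSER('%s')\n" "$1" "$2"
}

# Feed MQSC text to runmqsc, or show what would be fed in dry-run mode.
apply_mqsc() {
  if [ "$MQ_DRY_RUN" = "1" ]; then
    printf 'runmqsc %s <<EOF\n%s\nEOF\n' "$QMGR" "$1"
  else
    printf '%s\n' "$1" | runmqsc "$QMGR"
  fi
}

# Deny by default: remove every authority the group holds on a queue.
revoke_all() {
  run setmqaut -m "$QMGR" -t queue -n "$2" -g "$1" -all
}

# Grant put authority only on the listed queues; a channel running as a
# member of the group can then deliver to these queues and nothing else.
grant_put_only() {
  grp="$1"; shift
  for q in "$@"; do
    run setmqaut -m "$QMGR" -t queue -n "$q" -g "$grp" +put
  done
}

# Defender's check: display the authorities the group actually holds.
show_auth() {
  run dspmqaut -m "$QMGR" -t queue -n "$2" -g "$1"
}

main() {
  apply_mqsc "$(mcauser_mqsc TO.QM1 mqclus)"
  revoke_all clusapp AUDIT.QUEUE
  revoke_all clusapp ORDERS.QUEUE
  grant_put_only clusapp ORDERS.QUEUE
  show_auth clusapp ORDERS.QUEUE
  show_auth clusapp AUDIT.QUEUE
}

main "$@"
```

Run it once with the default dry run and read the printed setmqaut and runmqsc lines; when they match the intended policy, run it with MQ_DRY_RUN=0 as an MQ administrator and compare the dspmqaut output against the grants you expected. The same revoke-then-grant pattern applies to the local cluster queue instances on a cloned queue manager, where each clone must carry identical authorities or workload balancing will route some messages to a queue the sender is not allowed to use.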
MQSeries Publish/Subscribe
MQSeries Publish/Subscribe is an MQ base product extension that is supplied in SupportPac MA0C.
In a Publish/Subscribe system, there are two types of application: publisher and subscriber. Publishers supply information in the form of MQ messages. When a publisher publishes a message, it specifies a topic, which identifies the subject of the information inside the message.
Subscribers are the consumers of the information that is published. A subscriber specifies the topics it is interested in by sending a subscription request to a broker in the form of an MQ message.
The broker is an application supplied with MQSeries Publish/Subscribe. It receives published messages from publishers and subscription requests from subscribers, and routes the published messages to the subscribers. A subscriber is sent messages only on those topics to which it has subscribed.
There are additional security considerations if you are using MQSeries Publish/Subscribe. The user IDs associated with publishers and subscribers need authority to access the queues that they use to communicate with a broker. For more information, see the MQSeries Publish/Subscribe User's Guide.
MQ internet pass-thru
MQ internet pass-thru is an MQ base product extension that is supplied in SupportPac MS81.
MQ internet pass-thru enables two queue managers to exchange messages, or an MQ client application to connect to a queue manager, over the Internet without requiring a direct TCP/IP connection.
This is useful if a firewall prohibits a direct TCP/IP connection between two systems.
It makes the passage of MQ channel protocol flows into and out of a firewall simpler and more manageable by tunnelling the flows inside HTTP or by acting as a proxy. Using SSL, it can also be used to encrypt and decrypt messages that are sent over the Internet.
For more information about MQ internet pass-thru, see the MQ internet pass-thru book.