Tuesday, 26 November 2013

MQ Cluster - Quick reference for understanding


Concept
If we define a queue as a cluster queue, then MQ automatically creates the remote queue definitions in the other cluster queue managers as well.
In a cluster, we need not create a transmission queue. It is created automatically by MQ for routing messages. This single transmission queue can be used to carry messages to any other queue manager in the cluster.
All the queue managers that join a cluster agree to work in this way. They send out information about themselves and about the queues they host, and they receive information about the other members of the cluster.
This information is stored in repositories. Most queue managers retain only the information that they need, that is, information about the queues and queue managers with which they need to communicate. Each such queue manager keeps the information in a partial repository. Some designated queue managers retain a full repository of all the information about all queue managers in the cluster.
When a new queue manager joins a cluster, we need to manually create a cluster sender channel and a cluster receiver channel. All other channels required for communication are created automatically.
Queues that are accessible by any other queue manager in the cluster are called 'cluster queues'.

Just like in distributed queueing, an external application can put messages via any queue manager in the cluster, but it can only get messages from the queue manager which hosts the queue.

A queue manager joining a cluster should have a cluster sender channel and a cluster receiver channel.
Example: QM3 joins cluster CLUSTEST, which has two full repositories, QM1 and QM2.
(Channel names should always be chosen with respect to the receiver side.)
Then QM3's cluster sender channel to QM1 is CLUSTEST.QM1, and this is also the channel name on the receiver side, QM1.
QM3's cluster receiver channel from QM1 is CLUSTEST.QM3, and this is the sender channel name for QM1.
It is sufficient to introduce a queue manager to one of the full repositories. The cluster channels carry messages within the cluster as well as the information about the cluster.
How does a cluster work?
When a queue manager is newly added to a cluster, a cluster sender channel is first created manually, to introduce the queue manager to one of the full repositories of the cluster. The full repository queue manager then automatically creates a cluster sender channel to the newly joined queue manager and sends it information about the cluster.

SYSTEM.CLUSTER.TRANSMISSION.QUEUE is the cluster transmission queue used by the queue managers in a cluster.
SYSTEM.CLUSTER.REPOSITORY.QUEUE is the queue which holds the repository information of the cluster.

Using a cluster we can achieve:
1) Workload balancing (if the same queue is defined in more than one queue manager in the cluster), by means of
   the cluster workload algorithm
   cluster workload exits
To achieve this, we need to define the same cluster queue in more than one cluster queue manager.
2) High availability (by creating multiple queues in the queue managers of the cluster)
To achieve this, it is enough to create the cluster queue in one queue manager. Even if that queue manager is down, the application can send messages to that queue via the other queue managers in the cluster. But MQGET is not possible unless the cluster queue is defined in all the cluster queue managers.
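The channel naming convention from the QM3/QM1 example and the cluster queue definitions behind workload balancing and high availability, written out as the MQSC commands that would be entered with runmqsc. This is an added example, not part of the original post; the host names, ports and the queue name CLUS.Q1 are made up.

```mqsc
* --- On QM1 and QM2, done once when the cluster was built: make them full repositories
ALTER QMGR REPOS(CLUSTEST)

* --- On QM3, the joining queue manager
* Its own cluster receiver is named after itself (the receiver side), as the post describes
DEFINE CHANNEL(CLUSTEST.QM3) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('qm3.example.com(1416)') CLUSTER(CLUSTEST) REPLACE
* The one manually defined cluster sender points at a full repository and is also
* named after the receiver side (QM1); it is the introduction to the cluster
DEFINE CHANNEL(CLUSTEST.QM1) CHLTYPE(CLUSSDR) TRPTYPE(TCP) +
       CONNAME('qm1.example.com(1414)') CLUSTER(CLUSTEST) REPLACE
* Nothing has to be defined on QM1 for QM3: the full repository auto-defines its own
* cluster sender CLUSTEST.QM3 from the CLUSRCVR definition it receives.
* Messages to other cluster members are routed via SYSTEM.CLUSTER.TRANSMISSION.QUEUE,
* which already exists; no transmission queue is defined here.

* A cluster queue: CLUSTER() advertises it to the repositories. Defining it only on QM3
* gives the high-availability behaviour in 2); defining the same queue (same name,
* same CLUSTER) on QM2 as well gives workload balancing as in 1). DEFBIND(NOTFIXED)
* lets the workload algorithm choose an instance per message instead of at MQOPEN.
DEFINE QLOCAL(CLUS.Q1) CLUSTER(CLUSTEST) DEFBIND(NOTFIXED) REPLACE

* --- Checks on QM3 after the channels start
DISPLAY CLUSQMGR(*) CHANNEL QMTYPE
DISPLAY QCLUSTER(*)
DISPLAY CHSTATUS(*) STATUS
```

DISPLAY CLUSQMGR should list QM1 and QM2 with QMTYPE(REPOS) and the auto-defined channels; if DISPLAY QCLUSTER does not show CLUS.Q1 on the other members, the manually defined CLUSSDR is usually the first thing to check.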



Tuesday, 5 November 2013

SSL configurations in Message Broker

I created a document about my POCs on SSL one-way and two-way authentication. I am presenting the document here; hope this helps those who are working with SSL in WMB.

1.    Objective

To execute SSL one-way and two-way authentication in Message Broker.
This document focuses only on the SSL configuration and its execution. It does not cover the web service and WSDL configuration.

2.    Assumptions

We simulate SSL client and server one-way and two-way authentication by deploying two flows in two execution groups.
All the properties set for the client and server flows should be execution-group-wide properties, not broker-wide properties. This makes it easy to tell the SSL client and the SSL server apart.
We use self-signed certificates for testing purposes.
For production, use CA-signed certificates only.
default is the SSL server execution group.
TestSSL is the SSL client execution group.

3.    Prerequisite Requirements

We need to develop two message flows: one acting as the SSL server and the other acting as the SSL client.

3.1.        SSL Server

SOAPInput node -> Compute node -> SOAPReply node
SOAPInput node properties:
Use HTTPS - checked

3.2.        SSL Client

MQInput node -> SOAPRequest node -> MQOutput node
SOAPRequest node properties:
Web service URL - e.g. https://localhost:7800/Calculator
Protocol - SSL

4.    SSL One-way Configurations

The client authenticates the server.

The server has a keystore. The client has a truststore; the server's certificate held in the truststore is verified during the SSL handshake for authentication.

4.1.        Service side configurations


Create the keystore for the server
keytool -genkey -alias selfsigned2 -keyalg RSA -keypass passoneway4 -keystore keystore2.jks -storepass passoneway4
Export the certificate from the keystore to a file
keytool -export -file myselfsigned2.cert -keypass passoneway4 -keystore keystore2.jks -storepass passoneway4 -alias selfsigned2
Certificate and keystore verifications
keytool -list -v -keystore keystore2.jks -storepass passoneway4
keytool -printcert -file myselfsigned2.cert
keytool -list -v -keystore Truststore2.jks -storepass passoneway4
Execution group configurations
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n keystoreFile -v D:\SSL\keystore2.jks
mqsisetdbparms Broker1 -n Keystore2::passoneway4 -u ignore -p passoneway4
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n keystorePass -v Keystore2::passoneway4
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststoreFile -v ""
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststoreType -v ""
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststorePass -v ""

mqsichangeproperties Broker1 -e default -o HTTPSConnector -n sslProtocol -v SSL
Verifications
mqsireportproperties Broker1 -e default -o ComIbmJVMManager -r
mqsireportproperties Broker1 -e default -o HTTPSConnector -r

4.2.        Client side configurations


Import the server certificate into the truststore
keytool -importcert -alias selfsigned2 -file myselfsigned2.cert -keystore Truststore2.jks

Execution group configurations
mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n truststoreFile -v D:\SSL\Truststore2.jks
mqsichangeproperties Broker1 -e TestSSL -o HTTPSConnector -n sslProtocol -v SSL
mqsisetdbparms Broker1 -n Truststore2::passoneway4 -u ignore -p passoneway4
mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n truststorePass -v Truststore2::passoneway4
Verifications
mqsireportproperties Broker1 -e TestSSL -o ComIbmJVMManager -r
mqsireportproperties Broker1 -e TestSSL -o HTTPSConnector -r

4.3.        Testing

When you test the SSL client and SSL server flows, you should get the response without any issues.
4.4.        Debugging
If you are not getting any response, check for specific errors in debug mode and also in the <Broker Work path>/components/<Brokername>/<EG uuid>/console file.

5.    SSL Two-way configurations


The client authenticates the server, and the server also authenticates the client.

The server has a keystore. The client has a truststore; the server's certificate held in the truststore is verified during the SSL handshake for authentication.
Similarly, the client has a keystore and the server has a truststore; the client's certificate held in the truststore is verified during the SSL handshake for authentication.
Hence this is called mutual authentication.

5.1.        Service side configurations


Create the keystore for the server
keytool -genkey -alias selfsigned2 -keyalg RSA -keypass passoneway4 -keystore keystore2.jks -storepass passoneway4
Export the certificate from the keystore to a file
keytool -export -file myselfsigned2.cert -keypass passoneway4 -keystore keystore2.jks -storepass passoneway4 -alias selfsigned2
Import the client certificate into the server's truststore
keytool -importcert -alias selfsigned3 -file myselfsigned3.cert -keystore Truststore3.jks
Certificate and keystore verifications
keytool -list -v -keystore keystore2.jks -storepass passoneway4
keytool -printcert -file myselfsigned2.cert
keytool -list -v -keystore Truststore3.jks -storepass passtwoway4
Execution group configurations
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n keystoreFile -v D:\SSL\keystore2.jks
mqsisetdbparms Broker1 -n Keystore2::passoneway4 -u ignore -p passoneway4
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n keystorePass -v Keystore2::passoneway4
mqsisetdbparms Broker1 -n Truststore3::passtwoway4 -u ignore -p passtwoway4
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststoreFile -v D:\SSL\Truststore3.jks
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststorePass -v Truststore3::passtwoway4
mqsichangeproperties Broker1 -e default -o HTTPSConnector -n sslProtocol -v SSL
mqsichangeproperties Broker1 -e default -o HTTPSConnector -n clientAuth -v true
Verifications
mqsireportproperties Broker1 -e default -o ComIbmJVMManager -r
mqsireportproperties Broker1 -e default -o HTTPSConnector -r

5.2.        Client side configurations


Create the keystore for the client
keytool -genkey -alias selfsigned3 -keyalg RSA -keypass passtwoway4 -keystore keystore3.jks -storepass passtwoway4

Export the certificate from the keystore to a file
keytool -export -file myselfsigned3.cert -keypass passtwoway4 -keystore keystore3.jks -storepass passtwoway4 -alias selfsigned3

Import the server certificate into the client's truststore
keytool -importcert -alias selfsigned2 -file myselfsigned2.cert -keystore Truststore2.jks

Execution group configurations

mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n truststoreFile -v D:\SSL\Truststore2.jks
mqsisetdbparms Broker1 -n Truststore2::passoneway4 -u ignore -p passoneway4
mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n truststorePass -v Truststore2::passoneway4
mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n keystoreFile -v D:\SSL\keystore3.jks
mqsisetdbparms Broker1 -n Keystore3::passtwoway4 -u ignore -p passtwoway4
mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n keystorePass -v Keystore3::passtwoway4
mqsichangeproperties Broker1 -e TestSSL -o HTTPSConnector -n sslProtocol -v SSL
Verifications
mqsireportproperties Broker1 -e TestSSL -o ComIbmJVMManager -r
mqsireportproperties Broker1 -e TestSSL -o HTTPSConnector -r

5.3.        Testing

When you test the SSL client and SSL server flows, you should get the response without any issues.
5.4.        Debugging
If you are not getting any response, check for specific errors in debug mode and also in the <Broker Work path>/components/<Brokername>/<EG uuid>/console file.