Seems that you got the problem solved. Anyways, here is a link that might be useful if you are using LB with IBM MQ:
Original Message:
Sent: Tue October 06, 2020 03:42 AM
From: Kristjan Voolaid
Subject: MQ behind Load Balancer
Thanks for the answer again.
Although I found a solution - I needed to add load balancer SSLCIPH to my "TEST" channel. This would activate SSL connection from MQ Server -> Load Balancer. Anyway, thanks for the replies. I am pretty new with IBM so any explanation is very useful!
------------------------------
Kristjan Voolaid
Original Message:
Sent: Tue October 06, 2020 12:22 AM
From: Morag Hughson
Subject: MQ behind Load Balancer
So this is not MQClient -> Load Balancer -> Queue Manager
It is Partner Queue Manager -> Load Balancer -> Queue Manager - is that correct?
One thing to be very careful of here is to ensure that your "Load Balancer" does not do any actual load balancing! The channel from queue manager to queue manager must always go to the correct queue manager.
You haven't said what this load balancer is, nor how it breaks the connection between your partners and your own queue manager to meet your security requirement. Clearly it is a very important part of the picture. You say when you test without the load balancer it works fine, but with the load balancer in the picture you get "Invalid data". What kind of invalid data? (The FDC will show the data)? Is the load balancer not passing on the connection data exactly as is?
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Original Message:
Sent: Mon October 05, 2020 07:04 AM
From: Kristjan Voolaid
Subject: MQ behind Load Balancer
Thanks for the response.
Will try to explain my setup in a more detailed way.
Currently I have IBM MQ v9.1.5 installed on a Linux server.
I have a couple of partners who will need to send us messages (MQ server to MQ server). Due to our security policy, I can't let partners connect straight to our MQ server. So the MQ Server sits behind a Load balancer, where SSL is enabled and has a wildcard certificate. From the LB, the connection is directed to the MQ server.
I was testing the connection with "TEST QMGR", which is installed to the same instance. I've added our LB DNS to test channel CONNAME but unable to get the connection up.
FYI, with nc and telnet, I am able to connect to instance through LB. Logs are showing that the connection reached the instance.
Is it even possible, where client will connect straight from server to our Load balancer, where SSL is enabled?
Thanks
------------------------------
Kristjan Voolaid
Original Message:
Sent: Mon October 05, 2020 05:18 AM
From: Morag Hughson
Subject: MQ behind Load Balancer
It is not completely clear from your description exactly what your setup is. It sounds like you have MQ Clients -> Load Balancer -> Queue Manager. However, you mention testing the connection using curl which would not be able to successfully connect to a queue manager since the queue manager doesn't use HTTP. Are you running the MQ Web Server in front of the queue manager for connecting HTTP clients to perhaps? If not, could you expand on your set up so we can understand the problem properly.
If you connect an HTTP connection to a queue manager listener, you will get "Invalid Data". What you describe sounds like you get "Invalid data" whether using SSL or not, only first the SSL handshake completes, which is to be expected. There is nothing MQ specific about the SSL Handshake.
If your MQ Client is using SSL, the MQ Svrconn on the queue manager will also expect SSL.
How is the load balancer breaking the connection between clients and queue manager - this is not explained either.
Hopefully if we can understand your setup better, we can help you solve the problem.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
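A way to check what a client or load balancer is actually putting on the wire, following the point above that HTTP sent to a listener is "Invalid Data" and that the SSL handshake is not MQ specific. This is an added example, not code from the thread; it assumes cleartext MQ traffic opens with a "TSH " style structure eyecatcher, and the function names and sample bytes are constructed for illustration.

```python
"""Classify the first bytes seen on a listener port (for example from a packet capture)."""
import re

# Assumption: a cleartext MQ transmission segment starts with one of these ASCII eyecatchers.
MQ_EYECATCHERS = (b"TSH ", b"TSHM", b"TSHC")
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n"
)
TLS_HANDSHAKE_RECORD = 0x16


def classify(first_bytes: bytes) -> str:
    """Return 'mq-cleartext', 'tls-handshake', 'http', 'too-short' or 'unknown'."""
    if len(first_bytes) < 5:
        return "too-short"
    if first_bytes[:4] in MQ_EYECATCHERS:
        return "mq-cleartext"
    # TLS record header: content type (1 byte), version major/minor (2), length (2).
    if (first_bytes[0] == TLS_HANDSHAKE_RECORD
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls-handshake"
    if HTTP_REQUEST.match(first_bytes):
        return "http"
    return "unknown"


def diagnose(first_bytes: bytes, endpoint_expects_tls: bool) -> str:
    """Compare what was sent with what the receiving endpoint (LB or listener) expects."""
    kind = classify(first_bytes)
    if kind == "http":
        return "not MQ: an MQ listener treats this as invalid data"
    if kind == "tls-handshake":
        return "ok so far" if endpoint_expects_tls else "mismatch: TLS sent to a cleartext endpoint"
    if kind == "mq-cleartext":
        return "mismatch: cleartext MQ sent to a TLS endpoint" if endpoint_expects_tls else "ok so far"
    return "unrecognised: " + kind


# Constructed sample prefixes (not captured from any real system).
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: my.server.com:1414\r\n\r\n"
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303")
SAMPLE_MQ = b"TSH \x00\x00\x01\x0c"

if __name__ == "__main__":
    for name, data in (("http", SAMPLE_HTTP), ("tls", SAMPLE_TLS), ("mq", SAMPLE_MQ)):
        print(name, "->", diagnose(data, endpoint_expects_tls=True))
```

A TLS result only says the outer handshake is present; what travels inside it (HTTP or MQ) is not visible from the first bytes.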
Original Message:
Sent: Mon October 05, 2020 04:37 AM
From: Kristjan Voolaid
Subject: MQ behind Load Balancer
Hello!
I've set up MQ, generated certificates, configured channels, queues and so on. Due to my company's security policy, I can't let clients connect straight to our MQ server. We are using a load balancer with a wildcard certificate and the MQ server sits behind that.
I have problems with setting up connection with clients and actually for local testing also.
When I run a curl command from the Linux CLI (local machine where MQ is installed) -
with https, the connection is successful. Server receives "invalid data".
without https, curl says it gets connected but the MQ server doesn't receive any connection.
When I configure my "TEST" queue manager (also installed on the same server) with the same CONNAMEs -
with https (CONNAME('https://my.server.com(1414)')):
AMQ9202E: Remote host not available, retry later.
RCVR qmgr doesn't receive any connection.
without https (CONNAME('my.server.com(1414)')), logs:
An error occurred receiving data from 'x.x.x.x(1414)' over TCP/IP. The connection to the remote host has unexpectedly terminated.
RCVR qmgr doesn't receive any connection.
Why does the curl command with HTTPS work, but with the channel it doesn't?
Also, when I test with channel side SSL enabled without the Load balancer, everything works. But as the Load Balancer requires SSL enabled, I don't see a reason why I need to use SSL also on channels.
Does anybody have experience with this type of setup? Like I mentioned, I can't let clients connect straight to our MQ Server.
Any response & information would be useful
------------------------------
Kristjan Voolaid
------------------------------