This topic is discussed in the WebSphere MQ Security book. The advice there is generally applicable to cluster channels, but you might want to give some special consideration to the following:
In a WebSphere MQ cluster, a particular CLUSRCVR channel definition is frequently propagated to many other queue managers, where it is transformed into an auto-defined CLUSSDR. The auto-defined CLUSSDR is subsequently used to start a channel to the CLUSRCVR. If the CLUSRCVR is configured for SSL connectivity, the following considerations apply:
For example, let us assume that all of the queue managers that will host CLUSSDRs which will connect to a particular CLUSRCVR have certificates associated with them. Let us also assume that the distinguished names in all of these certificates define the country as UK, the organization as IBM®, the organization unit as WebSphere MQ Development, and all have common names in the form DEVT.QMxxx, where xxx is numeric.
In this case an SSLPEER value of C=UK, O=IBM, OU=WebSphere MQ Development, CN=DEVT.QM* on the CLUSRCVR will allow all the required CLUSSDRs to connect successfully, but will prevent unwanted CLUSSDRs from connecting.
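The filter above can be checked against candidate certificate names before it is deployed. The following Python sketch is an added example, not IBM code and not WebSphere MQ's own matcher: it is a simplified model that assumes attribute types compare case-insensitively, values compare exactly apart from a single leading or trailing asterisk, and DNs contain no escaped separators. The function names and the candidate DNs are constructed for illustration.

```python
import re

def parse_dn(dn):
    """Split 'C=UK, O=IBM, ...' into (TYPE, value) pairs; ',' or ';' separate attributes."""
    pairs = []
    for part in re.split(r"[,;]", dn):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def value_matches(pattern, value):
    """Exact match, or a stem with one leading or trailing asterisk."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def peer_allowed(sslpeer, subject_dn):
    """True if every attribute in the filter is satisfied by the certificate DN."""
    subject = parse_dn(subject_dn)
    return all(any(k == fk and value_matches(fv, v) for k, v in subject)
               for fk, fv in parse_dn(sslpeer))

SSLPEER = "C=UK, O=IBM, OU=WebSphere MQ Development, CN=DEVT.QM*"

# Constructed subject DNs for illustration only.
CANDIDATES = [
    "CN=DEVT.QM001, OU=WebSphere MQ Development, O=IBM, C=UK",
    "CN=DEVT.QM742, OU=WebSphere MQ Development, O=IBM, C=UK",
    "CN=TEST.QM001, OU=WebSphere MQ Development, O=IBM, C=UK",
    "CN=DEVT.QM001, OU=WebSphere MQ Test, O=IBM, C=UK",
    "CN=DEVT.QMGATEWAY, OU=WebSphere MQ Development, O=IBM, C=UK",
]

def audit(sslpeer, candidates):
    """Map each candidate DN to whether the filter would admit it."""
    return {dn: peer_allowed(sslpeer, dn) for dn in candidates}

if __name__ == "__main__":
    for dn, ok in audit(SSLPEER, CANDIDATES).items():
        print("ALLOW" if ok else "DENY ", dn)
```

The trailing asterisk admits any suffix, so the constructed name DEVT.QMGATEWAY passes even though it is not of the numeric DEVT.QMxxx form; the filter is only as tight as the naming discipline of the issuing CA.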
An SSLCRLNL parameter applies to an individual queue manager and is not propagated to other queue managers within a cluster.