Preventing queue managers joining a cluster
If a rogue queue manager joins a cluster, it is difficult to prevent it from receiving messages you do not want it to receive.
Procedure
If you want to ensure that only certain authorized queue managers join a cluster, you have a choice of three techniques:
- Using channel authentication records you can block the cluster channel connection based on: the remote IP address, the remote queue manager name, or the TLS Distinguished Name provided by the remote system.
- Write an exit program to prevent unauthorized queue managers from writing to SYSTEM.CLUSTER.COMMAND.QUEUE. Do not restrict access to SYSTEM.CLUSTER.COMMAND.QUEUE such that no queue manager can write to it, or you would prevent any queue manager from joining the cluster.
- A security exit program on the CLUSRCVR channel definition.
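The first technique, sketched as MQSC for a default-deny cluster-receiver channel with explicit allow rules. This is an added example, not taken from the product documentation; the channel name TO.QM1, the queue manager names QM2 and QM3, the 192.0.2.x addresses and the Distinguished Name are all constructed placeholders.

```mqsc
* Constructed values: channel TO.QM1, peers QM2 and QM3,
* addresses from the 192.0.2.0/24 documentation range, placeholder DN.

* Channel authentication records are only enforced when enabled.
ALTER QMGR CHLAUTH(ENABLED)

* 1. Default deny: no remote address may start the cluster-receiver.
SET CHLAUTH('TO.QM1') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) +
    DESCR('Default deny for cluster receiver')

* 2. Allow by remote queue manager name, pinned to its address.
*    The name is supplied by the remote system, so the ADDRESS
*    qualifier narrows where that name is accepted from.
SET CHLAUTH('TO.QM1') TYPE(QMGRMAP) QMNAME('QM2') +
    ADDRESS('192.0.2.10') USERSRC(CHANNEL) +
    DESCR('QM2 allowed from its known address')

* 3. Allow by TLS Distinguished Name. This rule can only match
*    when the channel is configured for TLS, because the DN comes
*    from the certificate the remote system presents.
SET CHLAUTH('TO.QM1') TYPE(SSLPEERMAP) +
    SSLPEER('CN=QM3,O=Example Corp') +
    USERSRC(CHANNEL) +
    DESCR('QM3 allowed by certificate DN')

* QMGRMAP and SSLPEERMAP records take precedence over the
* ADDRESSMAP default, so rules 2 and 3 override rule 1 for the
* connections they match; everything else stays blocked.

* Check which record an inbound connection would match.
* Expect rule 2 for the first query and rule 1 (NOACCESS) for
* the second.
DISPLAY CHLAUTH('TO.QM1') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.10') QMNAME('QM2')
DISPLAY CHLAUTH('TO.QM1') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.99') QMNAME('QM9')

* List every record on the channel for review.
DISPLAY CHLAUTH('TO.QM1') ALL
```

Run the block through runmqsc against the queue manager that owns the cluster-receiver channel, and repeat the MATCH(RUNCHECK) queries after any rule change to confirm the default deny still applies.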