Planning a disaster recovery system

You can pair a queue manager that is running on a local appliance with a queue manager that you create for the purpose on a recovery appliance in a remote location. This process provides a disaster recovery solution.

See Disaster recovery for an overview of the disaster recovery solution.

When you plan a disaster recovery implementation, consider the following points:
  • Appliances:
    • A disaster recovery configuration requires two IBM MQ Appliances.
    • Both appliances should be running the same level of appliance firmware. (Appliances can operate at different levels to allow time to upgrade the appliances separately, but you should avoid configuring DR queue managers during this period.)
    • You run a queue manager on the main appliance, with a back-up of that queue manager ready to run on the recovery appliance.
    • For optimal performance, use the same model appliance for both members in the DR pair (for example, two M2002 models). It is possible to pair older and newer appliances, but the pair will perform to the constraints of the older model.
  • Queue managers:
    • You specify that an existing queue manager is to be part of a disaster recovery configuration on the main appliance. You then run a command on the recovery appliance to create a secondary instance of that queue manager.
    • A queue manager can belong to a high availability group, and also belong to a disaster recovery configuration (see Disaster recovery for a high availability configuration).
    • If an event occurs that interrupts the operation of the main appliance, you can start the queue manager on the recovery appliance.
    • Messaging data can be replicated either asynchronously or synchronously between the primary and secondary queue managers. When asynchronous replication is used and the secondary queue manager starts, some of the messaging data might be lost (because it had not been replicated before the main appliance failed). When synchronous replication is used, data loss is less likely to occur, but synchronous replication requires a better network between the two appliances.
      Note: Synchronous replication is not available where a queue manager belongs to a high availability group as well as a disaster recovery configuration.
  • Physical configuration:
    • The appliances in a disaster recovery configuration synchronize by transferring queue manager data across a 10 Gb Ethernet link.
  • Security:
    • The link that is used to replicate queue manager data between the appliances is not encrypted at the appliance level. Because these connections are likely to be wide area network connections that leave your secure enterprise network, it is important to make appropriate arrangements to encrypt these connections externally to the IBM MQ Appliance, for example, by using a hardware or software Virtual LAN product.
    • If a DR queue manager has an encrypted file system, the data is replicated in its encrypted form. Otherwise, the data sent across the replication link is not subject to any additional encryption beyond that which might be in place from using MQ AMS.