Security for queue manager clusters

Though queue manager clusters can be convenient to use, you must pay special attention to their security.

A queue manager cluster is a network of queue managers that are logically associated in some way. A queue manager that is a member of a cluster is called a cluster queue manager.

A queue that belongs to a cluster queue manager can be made known to other queue managers in the cluster. Such a queue is called a cluster queue. Any queue manager in a cluster can send messages to cluster queues without needing any of the following:
  • An explicit remote queue definition for each cluster queue
  • Explicitly defined channels to and from each remote queue manager
  • A separate transmission queue for each outbound channel

You can create a cluster in which two or more queue managers are clones. This means that they have instances of the same local queues, including any local queues declared as cluster queues, and can support instances of the same server applications.

When an application connected to a cluster queue manager sends a message to a cluster queue that has an instance on each of the cloned queue managers, IBM® MQ decides which queue manager to send it to. When many applications send messages to the cluster queue, IBM MQ balances the workload across each of the queue managers that have an instance of the queue. If one of the systems hosting a cloned queue manager fails, IBM MQ continues to balance the workload across the remaining queue managers until the system that failed is restarted.

If you are using queue manager clusters, you need to consider the following security issues:
  • Allowing only selected queue managers to send messages to your queue manager
  • Allowing only selected users of a remote queue manager to send messages to a queue on your queue manager
  • Allowing applications connected to your queue manager to send messages only to selected remote queues
These considerations are relevant even if you are not using clusters, but they become more important if you are using clusters.

If an application can send messages to one cluster queue, it can send messages to any other cluster queue without needing additional remote queue definitions, transmission queues, or channels. It therefore becomes more important to consider whether you need to restrict access to the cluster queues on your queue manager, and to restrict the cluster queues to which your applications can send messages.

There are some additional security considerations, which are relevant only if you are using queue manager clusters:
  • Allowing only selected queue managers to join a cluster
  • Forcing unwanted queue managers to leave a cluster

For more information about all these considerations, see Keeping clusters secure. [z/OS]For considerations specific to IBM MQ for z/OS®, see Security in queue manager clusters on z/OS.