Preventing queue managers joining a cluster
If a rogue queue manager joins a cluster, it is difficult to prevent it from receiving messages you do not want it to receive.
Procedure
If you want to ensure that only certain authorized queue managers join a cluster, you have a choice of three techniques:
- Using channel authentication records you can block the cluster channel connection based on: the remote IP address, the remote queue manager name, or the TLS Distinguished Name provided by the remote system.
- Write an exit program to prevent unauthorized queue managers from writing to SYSTEM.CLUSTER.COMMAND.QUEUE. Do not restrict access to SYSTEM.CLUSTER.COMMAND.QUEUE such that no queue manager can write to it, or you would prevent any queue manager from joining the cluster.
- A security exit program on the CLUSRCVR channel definition.
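The first technique, channel authentication records, can be set up as a default-deny rule on the cluster-receiver channel with explicit allow rules for known partners. The MQSC below is an added example, not taken from the original page or from IBM's own samples. The channel name CLUSTER1.QM1, the queue manager names QMA, QMB and QMX, the Distinguished Name and the IP addresses are all assumed placeholders.

```mqsc
* Constructed example. Run in runmqsc on the queue manager that owns the
* cluster-receiver channel. All names, addresses and DNs are placeholders.

* Channel authentication records are only evaluated when CHLAUTH is enabled.
ALTER QMGR CHLAUTH(ENABLED)

* 1. Backstop: refuse every inbound connection on the cluster-receiver
*    channel unless a more specific record below allows it.
SET CHLAUTH('CLUSTER1.QM1') TYPE(ADDRESSMAP) ADDRESS('*') +
    USERSRC(NOACCESS) DESCR('Default deny for cluster joins') +
    ACTION(REPLACE)

* 2. Allow a partner identified by the TLS Distinguished Name in its
*    certificate. This only works if the channel runs over TLS and the
*    partner presents a certificate.
SET CHLAUTH('CLUSTER1.QM1') TYPE(SSLPEERMAP) +
    SSLPEER('CN=QMA,OU=MQ,O=Example') USERSRC(CHANNEL) +
    DESCR('QMA by certificate DN') ACTION(REPLACE)

* 3. Allow a partner by remote queue manager name. The name is sent by
*    the partner and is not cryptographically verified, so the record is
*    also pinned to the partner's known IP address.
SET CHLAUTH('CLUSTER1.QM1') TYPE(QMGRMAP) QMNAME('QMB') +
    ADDRESS('192.0.2.20') USERSRC(CHANNEL) +
    DESCR('QMB from its known address') ACTION(REPLACE)

* Check which record would apply to a given inbound connection.
* Expected: the QMGRMAP record with USERSRC(CHANNEL).
DISPLAY CHLAUTH('CLUSTER1.QM1') MATCH(RUNCHECK) +
    ADDRESS('192.0.2.20') QMNAME('QMB')

* Expected: the ADDRESSMAP record with USERSRC(NOACCESS), because no
* allow record matches this unknown queue manager and address.
DISPLAY CHLAUTH('CLUSTER1.QM1') MATCH(RUNCHECK) +
    ADDRESS('198.51.100.7') QMNAME('QMX')
```

SSLPEERMAP and QMGRMAP records take precedence over ADDRESSMAP records, which is why the catch-all address rule acts as the fallback rather than overriding the allow rules.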