VPN Cluster and Wildcard Certificate

Hi,
I am setting up a VPN cluster with three ASA boxes and I am wondering if anyone has any experience using a wildcard certificate with this kind of setup.
I am done with the setup and everything works fine, but as my initial setup (and the doc I have been reading) shows, the client first connects to:
cluster.domain.com
Then the master returns the address or FQDN (I am using FQDN) of the least busy ASA in the cluster:
vpn01.domain.com
or
vpn02.domain.com
or
vpn03.domain.com
Thus I would need 4 certificates to meet my needs. The cluster.domain.com certificate also must be present on all 3 boxes, because the cluster IP is configured on all boxes, and the master role is shifted if one of the boxes fails.
Because of this I thought it would be a good idea to use 1 wildcard certificate (*.domain.com) on all boxes and avoid the hassle.
Any experience or recommendations?
BR,
/K

Hello Kenneth,
It was working for version before 9.
On ASA 9 you cannot even install a wildcard certificate to manage the ASA via ASDM, so I guess VPN load balancing with a wildcard certificate will not work either (but I have not tested that).
And it's not a bug - it's a feature - it's a security device and wildcard certificates are strongly discouraged.
Michal

Similar Messages

  • HTTP adapter, SSL and wildcard certificate

    Hi,
    I am developing a B2B integration solution using BizTalk Server. The protocol used to communicate with the partner’s server is HTTPS and so it uses SSL.
    The certificate the partner is using to establish SSL connections is provided by GeoTrust but it is a wildcard certificate, issued to *.*.*.company.com
    The server I am trying to contact to is on a domain of the form: a.b.c.company.com (which seems to match the wildcard).
    When I try to open an HTTPS connection to the server (either through Internet Explorer, a .Net Windows Application or BizTalk), the connection cannot be established because the certificate is said to not be trusted. For example, Internet Explorer shows a pop-up message saying that:
    - The certificate is issued from a valid CA
    - The certificate date is valid
    - The name of the certificate is NOT matching the name of the site. This means that the certificate is issued for a domain different from the one we are accessing. So it seems that the wildcard system is not working for this certificate? Is that possible if they acquired the wrong type of certificate by mistake? Or is a multipart wildcard certificate (*.*.*) not supported?
    Anyway even if their certificate is not 100% valid, they refuse to change it as their other partners work with that and they won't change to a proper certificate just for us...
    In .Net 2.0 code, it is easy to circumvent any certificate validation by setting the delegate ServicePointManager.ServerCertificateValidationCallback to a callback method with something like:
    ServicePointManager.ServerCertificateValidationCallback = delegate(Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)  { return true; };
    Nevertheless, I need to achieve this sort of circumvention with BizTalk Server 2006 and I would like to know if anyone ever did that.
    I am aware that I can write my own custom HTTP Adapter but I need this urgently so I thought of asking this forum's community first. Maybe someone has a quicker way than writing a custom adapter, such as some "hack" (registry keys, custom class...) or knows of an existing custom adapter already doing the job.
    Thanks in advance,
    Best regards,
    Francois Malgreve

    The certificate needs to be installed as an explicitly trusted certificate in the store under the computer account on the BizTalk machine and then it'll work. Refer to
    https://thinkintegration.wordpress.com/2011/12/02/biztalk-https-adapter-and-certificate-configurations/ for the steps.
    Regards.
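Why a single `*.domain.com` certificate covers the cluster FQDN and every member FQDN in the first thread, yet the partner's `*.*.*.company.com` certificate fails the name check in the BizTalk thread above: an added Python example, not code from either post, implementing the single-label wildcard rule that browsers and most TLS stacks apply (RFC 6125 section 6.4.3). All hostnames are constructed from the threads.

```python
"""Wildcard certificate name matching (added illustration, stdlib only).

Rules implemented, matching common client behaviour:
  * the wildcard must be the entire left-most label ("*.domain.com");
  * it matches exactly one label, so "*.domain.com" covers neither
    "domain.com" itself nor "a.b.domain.com";
  * only one wildcard is allowed, so "*.*.*.company.com" is rejected as
    an identifier before any comparison happens.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # Hostname comparison is case-insensitive; a trailing dot is ignored.
    return name.lower().rstrip(".").split(".")


def is_valid_wildcard_pattern(pattern: str) -> bool:
    """True for an identifier a CA should issue and a client should accept."""
    labels = _labels(pattern)
    if "*" not in pattern:
        return all(labels)          # plain FQDN with no empty labels
    # Exactly one wildcard, as the whole left-most label, with at least two
    # labels to its right so that patterns like "*.com" are refused.
    return (
        pattern.count("*") == 1
        and labels[0] == "*"
        and len(labels) >= 3
        and all(labels[1:])
    )


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Does certificate identifier `pattern` cover `hostname`?"""
    if "*" in hostname or not is_valid_wildcard_pattern(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False                # a wildcard spans exactly one label
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def covered_hosts(pattern: str, hostnames: list[str]) -> dict[str, bool]:
    """Check a whole cluster's names against one certificate identifier."""
    return {host: hostname_matches(pattern, host) for host in hostnames}


if __name__ == "__main__":
    # Constructed names from the VPN cluster thread: one wildcard covers the
    # cluster FQDN and every member the master may redirect to.
    cluster = ["cluster.domain.com", "vpn01.domain.com",
               "vpn02.domain.com", "vpn03.domain.com", "domain.com"]
    for host, ok in covered_hosts("*.domain.com", cluster).items():
        print(f"{host:22} {'match' if ok else 'NO MATCH'}")
    # The BizTalk thread's partner certificate: a multi-level wildcard is not
    # a valid identifier, so the name check fails exactly as reported.
    print(hostname_matches("*.*.*.company.com", "a.b.c.company.com"))
```

The last line of the cluster list shows the limit the first poster should keep in mind: the wildcard covers the hosts under domain.com, not the bare domain itself.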

  • Rdpsign and wildcard certificate

    Hi,
    All is working fine with rdpsign and I can sign the file with the thumbprint of our wildcard certificate, but when running the file I still get the message "Do you trust the publisher of this remote connection?". It's not yellow with a warning, but a warning anyway. I can see a message:
    Publisher: *.domain.com (our wildcard certificate)
    Remote computer: rds.domain.com
    Gateway server: rdg.domain.com
    Is this normal for rdg files signed with wildcard cert used for RDS deployment?
    Best,
    Marcin

    Hi Marcin,
    Do you need any other assistance?
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • ASA 8.0 VPN cluster with WEBVPN and Certificates

    I'm looking for advice from anyone who has implemented or tested ASA 8.0 in a VPN cluster using WebVPN and the AnyConnect client. I have a stand alone ASA configured with a public certificate for SSL as vpn.xxxx.org, which works fine.
    According to the config docs for 8.0, you can use a FQDN redirect for the cluster so that certificates match when a user is sent to another ASA.
    Has anyone done this? It looks like each box will need 2 certificates, the first being vpn.xxxx.org and the second being vpn1.xxxx.org or vpn2.xxxx.org depending on whether this is ASA1 or ASA2. I also need DNS forward and reverse entries, which is no problem.
    I'm assuming the client gets presented the appropriate certificate based on the http GET.
    Has anyone experienced any issues with this? Things to look out for migrating to a cluster? Any issues with replicating the configuration and certificate to a second ASA?
    Example: Assuming ASA1 is the current virtual cluster master and is also vpn1.xxxx.org. ASA 2 is vpn2.xxxx.org. A user browses to vpn.xxxx.org and terminates to ASA1, the current virtual master. ASA1 should present the vpn.xxxx.org certificate. ASA1 determines that it has the lowest load and redirects the user to vpn1.xxxx.org to terminate the WebVPN session. The user should now be presented a certificate that matches vpn1.xxxx.org. ASA2 should also have the certificate for vpn.xxxx.org in case it becomes the cluster master during a failure scenario.
    Thanks,
    Mark

    There is a bug associated with this issue: CSCsj38269. Apparently it is fixed in the interim release 8.0.2.11, but when I upgraded to 8.0.3 this morning the bug is still there.
    Here are the details:
    Symptom:
    ========
    ASA 8.0 load balancing cluster with WEBVPN.
    When connecting using a web browser to the load balancing ip address or FQDN,
    the certificate sent to the browser is NOT the certificate from the trustpoint
    assigned for the load balancing using the
    "ssl trust-point vpnlb-ip" command.
    Instead it's using the ssl trust-point certificate assigned to the interface.
    This will generate a certificate warning on the browser as the URL entered
    on the browser does not match the CN (common name) in the certificate.
    Other than the warning, there is no functional impact if the end user
    continues by accepting to proceed to the warning message.
    Condition:
    =========
    webvpn with load balancing is used
    Workaround:
    ===========
    1) downgrade to latest 7.2.2 interim (7.2.2.8 or later)
    Warning: configs are not backward compatible.
    2) upgrade to 8.0.2 interim (8.0.2.11 or later)

  • Installing wildcard certificate in a WLC (ver 7.0.240 and 7.5.102)

    Is it possible to install a wildcard certificate for web auth in those versions?
    Is there any difference between these two versions?
    Do both of these versions support wildcard certificates?
    Here you have the log file resulting from installing the wildcard certificate in the WLC with v7.0.240.
    *TransferTask: Nov 28 11:20:51.117: Memory overcommit policy changed from 0 to 1
    *TransferTask: Nov 28 11:20:51.319: Delete ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:51.432: RESULT_STRING: TFTP Webauth cert transfer starting.
    *TransferTask: Nov 28 11:20:51.432: RESULT_CODE:1
    *TransferTask: Nov 28 11:20:55.434: Locking tftp semaphore, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore locked, now unlocking, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.516: Semaphore successfully unlocked, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
    *TransferTask: Nov 28 11:20:55.517: TFTP: Binding to local=0.0.0.0 remote=10.16.50.63
    *TransferTask: Nov 28 11:20:55.588: TFP End: 1666 bytes transferred (0 retransmitted packets)
    *TransferTask: Nov 28 11:20:55.589: tftp rc=0, pHost=10.16.50.63 pFilename=/wild2013_priv.pem
         pLocalFilename=cert.p12
    *TransferTask: Nov 28 11:20:55.589: RESULT_STRING: TFTP receive complete... Installing Certificate.
    *TransferTask: Nov 28 11:20:55.589: RESULT_CODE:13
    *TransferTask: Nov 28 11:20:59.590: Adding cert (5 bytes) with certificate key password.
    *TransferTask: Nov 28 11:20:59.590: RESULT_STRING: Error installing certificate.
    *TransferTask: Nov 28 11:20:59.591: RESULT_CODE:12
    *TransferTask: Nov 28 11:20:59.591: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application
    *TransferTask: Nov 28 11:20:59.624: finished umounting
    *TransferTask: Nov 28 11:20:59.903: Create ramdisk for ap bunble
    *TransferTask: Nov 28 11:20:59.904: start to create c1240 primary image
    *TransferTask: Nov 28 11:21:01.322: start to create c1240 backup image
    *TransferTask: Nov 28 11:21:02.750: Success to create the c1240 image
    *TransferTask: Nov 28 11:21:02.933: Memory overcommit policy restored from 1 to 0
    (Cisco Controller) >
    Would I have the same results in wlc with  v 7.5.102?
    Thank you.

    Hi Pdero,
    Please check out these docs:
    https://supportforums.cisco.com/thread/2052662
    http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
    https://supportforums.cisco.com/thread/2067781
    https://supportforums.cisco.com/thread/2024363
    https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/2011/11/26/generate-csr-for-third-party-cert-and-download-unchained-cert-on-wireless-lan-controller-wlc
    Regards
    Don't forget to rate helpful posts.

  • Wildcard Certificate and Wireless Lan Controller

    Hello,
    I'm working with wlc 5508 version 7.2.111.3 and I'm looking to use a wildcard certificate, I've just checked on the forum that there was a bug-id and it seems it's been closed with a workaround of not using wildcard certs, is it resolved now?
    If yes, could you indicate to me how can I proceed to install it quickly?
    Regards

    Hello,
    The bug was about bad behavior when the wildcard certificate is used. The status of the bug now is "Terminated". That means it was found that the root cause for this bug is not really a bug (bad description, normal behavior...etc).
    So, I think you can go with the wildcard certificate you have. The bug was opened on version 5.2, which is very old compared to 7.2.
    Let us know how it goes.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Problem: Mixed Exchange 2007 / 2013 CAS Servers with wildcard certificates in Europe and non-wildcard Certificate in China

    Hi,
    we have the following problem. We have a mixed multi-domain one-forest AD environment. We also still have a mixed Exchange 2007 / 2013 environment. We also have different CAS servers for 2007 SP3 (RU15) and 2013 (CU8) in Europe and one 2007 SP3 (RU15) CAS server in China, because of the bad connection to Europe. For the migration to 2013 in Europe we installed a wildcard certificate *.xyz.com and used Set-OutlookProvider EXPR -CertPrincipalName msstd:*.xyz.com, so the wildcard certificate is accepted. Everything in Europe works fine, inside and outside, also between Exchange 2007 and 2013 (both the 2013 and 2007 CAS servers use the same wildcard certificate). But since the change of the Set-OutlookProvider EXPR we are facing problems with our CAS server in China, because this server has a different non-wildcard certificate and a different domain name (cas-server.xyz-china.com instead of xyz.com). Now we have the problem that on this Chinese CAS server Outlook Anywhere does not work anymore and always prompts for the username. As I see it, this is because of the EXPR change. Is it possible to set the Outlook Provider EXPR per CAS server? (They also have their own Autodiscover on this front-end server.) Because I see that the Outlook Provider can only be stored forest-wide.
    If not, the other solution would be to register the Chinese CAS server in our xyz.com domain and use the same wildcard certificate on this system, right?
    Any help would be appreciated.

    Yes, setting the EXPR value is most likely the cause of your issue. When you set this value you are telling Outlook to only accept connections from connections that have the cert with the subject name you specify here.
    Unfortunately, based on my experience I believe this is an organization-wide setting and cannot be configured on a CAS-by-CAS basis (if I'm wrong someone please keep me honest :)).
    So the only option you would have is to change all the URLs to be on the *.xyz.com domain. There's no need to change the domain the server actually resides on. The other option would be to purchase a UCC cert with all the names you need, apply it to all your CAS servers and reset the EXPR value.
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

  • Wildcard certificates and portal gateway

    Hi,
    I have configured our portal gateway as follows:
    hostname: gateway.domain.com
    supplier.domain.com --> gateway.domain.com/supplier
    employee.domain.com --> gateway.domain.com/employee
    In order to get rid of the warning messages while connecting with the gateway, we plan to install a server certificate signed by Thawte. Because we have multiple hostnames (supplier and employee) I decided to give it a go with a trial wildcard certificate. I got this certificate from the Thawte website and installed it using certadmin.
    Everything works fine with IE6.5 but when I try to connect with the gateway with Netscape Communicator (4.5 and 4.7) I get the following error:
    ...improperly formatted DER-encoded message.
    Did anyone experience the same error? Is it a browser issue, or did I request the wrong certificate type?
    --regards, Jordi

    Seems to be more of a browser issue rather than a gateway issue; however, try getting a cert like gateway.domain.com and see if that works fine instead of the wildcard.

  • Wildcard Certificates and 4400 WLC

    First, I know the 4400 has been EOS. I am planning on replacing this with a new controller next year as part of a larger project. In the meantime, the certificate we have setup on our guest network is due to expire soon.
    I am pretty familiar with how to get a new certificate set up, but was wondering if anyone has had any experience using a "wildcard" type certificate instead of the standard webserver-style cert? (http://www.digicert.com/wildcard-ssl-certificates.htm)
    It's my understanding that a wildcard certificate can be used for any type of server, but the server needs to support it.
    Thanks.

    All my recent installs using a 3rd party certificate have been done by installing a chained certificate.
    Here is a doc that shows you how to combine a chained certificate and install it on a wlc.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    Sent from Cisco Technical Support iPhone App

  • Does the iphone support the use of a wildcard certificate?

    Does the iphone support the use of a wildcard certificate?
    Our exchange infrastructure utilises a wildcard (*.companyname certificate) from Godaddy.
    - Connects fine and authenticates
    - Can manually sync and pull emails
    - Can Send and Delete emails
    However, the server is not establishing the ActiveSync connection and ping so mail can be pushed to the device.
    My guess is it's a problem with the wildcard certificate that is used; WM5.0 devices didn't work with it. Does anyone know if the iPhone supports this?
    - I can get to OWA fine which uses the same wildcard cert.
    - WM6.0 devices push mail fine.
    Thanks.

    kfc01,
    The iPhone Deployment Guide (linked from http://www.apple.com/support/iphone/enterprise) says it does for VPN.
    Hope this helps,
    Nathan C.

  • Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))

    Hello
    I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
    Setup:
    We have two Cisco ASA 5525-X in an active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus piece of information, I previously had a test setup (standalone ASA 5510 - 8.2(5)) where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be because I am running a failover setup now and didn't previously, or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR:  A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
    Configuration in regards to certificate:
    crypto key generate rsa label vpn.company.dk modulus 2048
    crypto ca trustpoint vpn.trustpoint
    keypair vpn.company.dk
    fqdn none
    subject-name CN=*.company.dk,C=DK
    !id-usage ssl-ipsec
    enrollment terminal
    crl configure
    crypto ca authenticate vpn.trustpoint
    ! <import intermediate certificate>
    crypto ca enroll vpn.trustpoint
    ! <send CSR to CA>
    crypto ca import vpn.trustpoint certificate
    ! <import SSL cert received back from CA>
    ssl trust-point vpn.trustpoint outside
    Problem:
    When I try to import the certificate I receive the following error:
    crypto ca import vpn.trustpoint certificate
    WARNING: The certificate enrollment is configured with an fqdn
    that differs from the system fqdn. If this certificate will be
    used for VPN authentication this may cause connection problems.
    Would you like to continue with this enrollment? [yes/no]: yes
    % The fully-qualified domain name will not be included in the certificate
    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    <certificate>
    -----END CERTIFICATE-----
    quit
    ERROR: Failed to parse or verify imported certificate
    Question:
    - Does anyone have any pointers in regards to what is going wrong?
    - Especially in regards to fqdn and CN, I also have a question. My config
    fqdn none
    subject-name CN=*.company.dk,C=DK
    would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
    So do you have insight or pointers which might help me?
    Thank you in advance

    I also have a wildcard cert for my SSL VPN ASAs.
    When I import the cert I use ASDM instead of the CLI...
    I import the wildcard as a *.pfx file and type in the password. Works fine...
    Perhaps the format is incorrect?
    Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.
    Not sure if this helps but give ASDM a try?

  • Installing wildcard certificate - error

    Hello guys,
    I'm not quite sure do I post within the right thread so please correct me if I'm wrong.
    Anyway, the problem is as the subject says - a problem with installation of a wildcard certificate on a Cisco ASA 5520 (VPN Plus license). Software version is 8.2(2).
    I noticed two issues. We've bought a wildcard certificate for our domains example.com, example.org. Certificate provider is GeoTrust.
    The first problem is that I'm unable to install the complete certificate chain. If I install the Root CA of GeoTrust, I'm unable to install the subordinate CA, which has actually signed my cert, within the same trustpoint. The warning message says "WARNING: Trustpoint GeoTrustRA is already authenticated." (This happens when I try to install the subordinate CA, which sits between the Root CA and my certificate, within the same trustpoint as the Root CA certificate.)
    The second problem is the actual problem, however. When I try to install the wildcard certificate using ASDM, I get the following error: (actually I intentionally typed the wrong password and I receive absolutely the same error)
    Here is the setup of the CA. As you can see, both certificates, which must rely on the same trustpoint as a chain, are divided into two trustpoint configurations:
    I tried to debug crypto ca 255 but there is nothing interesting within the log file.
    If I try to add the Sub-ordinate certificate within the trustpoint where Root CA is installed, I got the following error:
    When I try to manually install the wildcard certificate from CLI (It's in BASE-64 format), I do receive the following error:
    CLI Issue
    vpngw2(config)# crypto ca import GeoTrust pkcs12 password_here
    Enter the base 64 encoded pkcs12.
    End with the word "quit" on a line by itself:
    -----BEGIN CERTIFICATE-----
    MIIEhjCCA26gAwIBAgICekswDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
    [cut]
    RPg4gnOGlySGVA==
    -----END CERTIFICATE-----
    quit
    ERROR: Import PKCS12 operation failed
    Any thoughts, ideas, questions or whatever are more than welcome!

    Hi there,
    I just wanted to tell you that I have found the solution for this case. It appears that the wildcard certificate had been enrolled without the State ("ST") attribute of the x509.3 certificate. The issuer (GeoTrust) refused to enroll it again even though we had supplied that information and it was completely their fault. Anyway, we changed the issuer and now everything is just fine.
    Sent from Cisco Technical Support iPad App

  • VPN concentrator and webVPN

    Hi,
    Trying to set up a VPNc 3005 for WebVPN. The VPNc is configured with an NTP server so the clock is fine. I installed the SSL VPN client and SecureDesktop software onto the VPNc and created a local account and group. When I perform https://vpnc/admin.html, I can manage the VPNc from the external interface, so the certificate is good.
    When I do http://vpnc from the same XP Service Pack 2 workstation, it attempted to install both the SSL VPN client and Secure Desktop onto my WinXP (I have admin privilege on the XP machine), then it tells me that the VPN concentrator has a server certificate error. I've attached the screen shot. Anyone know what it is? Thanks.

    If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684

  • Is it possible to configure the OS X Server VPN Service to use Certificates?

    I was attempting to set up the VPN Service on OS X Server 4.0.3 (Yosemite) to use certificates instead of a private shared key. It does not appear that the VPN Server in OS X Server is designed to use anything other than a private shared key (on the server side). I was wondering if I was missing something? The VPN Server works fine using the PSK (L2TP or PPTP) - I just thought I would experiment with certificates - but every example I am finding shows the PSK being used - although some of the "how to" tutorials allude to the fact that VPN certificates are supported for L2TP - but they don't provide any detail on how that functionality would be configured. I tried creating both a VPN Server and VPN Client certificate - however - the certificates show up in the login keychain and do not appear in the certificate window in the Server app. I was hoping that maybe the presence of a VPN Server Certificate would possibly enable an option to use it when configuring the VPN.
    ~Scott

    No unfortunately the 'official' Apple VPN service does not have this ability, furthermore as Apple use a heavily customised version of Racoon you cannot cheat by trying to do this via the command line.
    You will have to use a completely different VPN server, Mac and iOS clients can do this but not the Mac server side. I use StrongSwan running in a Linux virtual machine.

  • JMQ cluster and unstable connections

    Hello all.
    I have a few architectural questions about building an OpenMQ message-passing infrastructure between multiple offices which do not always have on-line internet connections. We also need to distribute the MQ mesh configuration info.
    From the scale of my questions it seems, that I or our developers don't fully understand MQ, because I think that many of our problems and/or solution ideas (below) should already be implemented within the MQ middleware, and not by us from outside it.
    The potential client currently has a (relatively ugly) working solution which they wanted to revise for simplification, if possible, but this matter is not urgent and answers are welcome at any timeframe :)
    I'd welcome any insights, ideas and pointers as to why our described approach may be plain wrong :)
    To sum this post up, here's my short questionnaire:
    1) What is a good/best way to distribute MQ mesh config when not all nodes are available simultaneously?
    2) What are the limitations on number of brokers and queues in one logical mesh?
    3) Should we aim for separate "internal" and "external" MQ networks, or can they be combined into one large net?
    4) Should we aim for partial solution external to OpenMQ (such as integration with SMTP for messaging, or SVN for config distribution), or can this quest be solved within OpenMQ functionality?
    5) Can a clustered broker be forced to fully start without available master broker connection?
    6) Are broker clusters inherently local-network, or is there some standard solution (pattern) for geographically disperse MQ clusters?
    7) How to enforce pushing of the messages from one broker to another? Are any priority assignments available for certain brokers and "their" queues?
    Detailed rumblings follow below...
    We are thinking about implementing JMQ in a geographically disperse project, where it will be used for asynchronous communications to connect application servers in different branch offices with a central office. The problematic part is, that the central and especially branch offices are not expected to be always on-line, hence the MQ - whenever a connection is available, queued messages (requests, responses, etc.) are to be pushed to the other side's MQ broker. And if all goes well with the project, there may eventually be hundreds of such branch offices and more than one central office for failover, and a mesh of interconnection MQ agreements.
    The basic idea is simple: an end-user of the app server in a branch generates a request, this request is passed via message queue to another branch or to a central office, then another app server processes it to generate a response and the answer is queued back to the requesting app server. At some time after the initial request, the end-user would see in his web-page that the request's status has been updated with a response value. A branch office's app server and MQ broker may be an appliance-server distributed as a relatively unmaintained "black box".
    During the POC we configured several JMQ broker instances in this manner and it worked. From what I gather from our developers, each branch office's request and response queues are separate destinations in the system, and requests (from a certain branch) may be subscribed to by any node, and responses (to a certain branch) may be submitted by any node. This may be restricted by passwords and/or certificate-based SSL tunnel channels, for example (suggestions welcome, though).
    However, we also wanted to simplify spreading the configuration of the MQ nodes' network by designating "master brokers" (as per JMQ docs) which keep track of the config and each other broker downloads the cluster config from its master. Perhaps it was wrong on our side, and a better idea is available to avoid manual reconfiguration of each MQ broker whenever another broker or a queue destination is added?
    Problem here is: it seems an "MQ cluster" is a local-network oriented concept. When we have a master broker in a central office, and the inter-connection is not up, branch offices loop indefinitely waiting for connection to a master, and reject client connections (published JMS port remains 0, and appropriate comments in the log files). In this case the branch office can not function until its JMQ broker connects to a central office, updates the MQ config, and permits client connections to itself.
    Also we are not certain (and it seems to be a popular question on Google, too) how to enforce a queued message to be pushed to another side - to a broker "nearest" to the target app server? Can this be done within OpenMQ config, or does this require an MQ client application to read and manipulate such messages somehow? For example, when a branch office's "request" queue has a message, and a connection to central office comes online, this request data should end up in the central office's broker. Apparently, a message which physically remains in the branch office broker when the interconnection goes offline, is of little use to the central appserver...
    I was thinking along the lines of different-priority brokers for certain destinations, so that messages would automatically flow from further brokers to nearest ones - like water flows from higher ground to lower ground in an aqueduct. It would then be possible to easily implement transparent routing between branch offices (available at non-intersecting times) via central office (always up).
    How many brokers and destinations can be interconnected at all (practically or theoretically/hardcoded)?
    Possibly, there are other means to do some or all of this?
    Ideas we've discussed internally include:
    * Multiple networks of MQ brokers:
    Have an "internal" broker (cluster) in each branch office which talks to the app server, and a separate "external" broker which is clustered with the central office's "master broker". Some branch office application transfers messages between two brokers local to its branch. Thus the local appserver works okay, and remote queuing works whenever network is available.
    Possibly, the central office should also have separate internal and external broker setups?
    * Multi-tiered net of MQ brokers:
    Perhaps there can be "clusters of clusters" - with "external" tier-1 brokers being directly master brokers for local "internal" tier-2 clusters? Otherwise the idea of "multiple networks of MQ brokers" above, without an extra app to relay messages between MQ brokers local to this app.
    * Multi-protocol implementation of MQ+SMTP(+POP3/IMAP)
    Many of our questions are solvable by SMTP. That is, we can send messages to a mailbox residing on a specific server (local in each office), and local appserver clients retrieve them by POP3 from the local mailbox server, and then submit responses over SMTP. This is approximately how the client currently solves this task now.
    We don't really want to invent a bicycle, but maybe this approach can also be applied to JMQ (asynch traffic not over MQ protocol, but over SMTP like in SOAP-SMTP vs. SOAP-HTTP webservices)?
    * HTTP/RCS-based config file:
    The OpenMQ config allows for the detailed configuration file to be available in local filesystem or on a web server. It is possible to fetch the config file from a central office whenever the connection is up (wget, svn/cvs/etc.) and restart the branch broker.
    Why is this approach good or bad? Advocates welcome :)
    Thanks for reading up to the end,
    and thanks in advance for any replies,
    //Jim Klimov
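One way to model the relay application sketched above under "Multiple networks of MQ brokers" (a branch-side process that moves messages from the local broker to the remote one only while the link is up). This is an added example, not OpenMQ or JMS code: `RemoteBroker` and `LinkDown` are constructed stand-ins for a real remote connection, and the relay acknowledges locally only after the remote has accepted a message, deduplicating on message id so a flapping link cannot double-deliver.

```python
from collections import deque


class LinkDown(Exception):
    """Raised by the remote send when the inter-office link is offline."""


class RemoteBroker:
    """Constructed stand-in for the central office broker's inbound queue."""

    def __init__(self):
        self.online = False
        self.received = []

    def send(self, msg):
        if not self.online:
            raise LinkDown("inter-office link is offline")
        self.received.append(msg)


class StoreAndForwardRelay:
    """Branch-side relay: store locally, forward once the remote accepts."""

    def __init__(self, send_remote):
        self.send_remote = send_remote   # callable(msg); raises LinkDown
        self.pending = deque()           # local durable queue (in memory here)
        self.seen_ids = set()            # ids queued or forwarded so far

    def enqueue(self, msg):
        """Accept a message from the local broker; drop redelivered duplicates.

        msg needs a unique 'id' (the JMS message id in a real deployment).
        Returns True if queued, False if that id was already seen.
        """
        if msg["id"] in self.seen_ids:
            return False
        self.seen_ids.add(msg["id"])
        self.pending.append(msg)
        return True

    def flush(self):
        """Forward in order; stop at the first link failure. Returns count sent."""
        sent = 0
        while self.pending:
            msg = self.pending[0]
            try:
                self.send_remote(msg)
            except LinkDown:
                break                    # keep it locally, retry on next flush
            self.pending.popleft()       # ack locally only after remote accepted
            sent += 1
        return sent
```

In a real deployment `seen_ids` and `pending` would live in persistent storage and the id set would be bounded, otherwise a broker restart loses both the queue and the duplicate protection.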
