HATCHER JETER, LLC. Hatcher H Jeter, Jr Owner Telephone: (804) 897-6198  Mobile: (804) 334-4750 Email: [email protected]

Feature Service Packages

I. Holistic Health Check Assessment

Engagement Duration:
2-3 week range - WebSphere MQ
3-4 week range - WebSphere Message Broker / WebSphere MQ
2-3 week range - WebSphere MQ / MQ FTE

Deliverables:
• System Review Assessment Report documenting the status of the identified areas and recommendations to help mitigate the identified exposure

Review / Assess the following areas:

1) IBM WebSphere MQ
• MQ Topology
  o Point to Point
  o MQ Clustering
• MQ Naming Standards
• Best Practices
• High Availability
• Backup and Recovery
• Staffing
• MQ Security Risk Assessment
• MQ System Administration Practices
• MQ Code Review (sample subset of applications)
• Performance and Tuning
  o Memory and CPU
  o Kernel Settings
  o Data and Log Placement
  o Log Sizing
  o Logging Type
• Maintenance Methodology

2) IBM WebSphere MQ / WebSphere Message Broker
• Message Broker Topology
• Message Flow Deployment
• MQ Topology
  o Point to Point
  o MQ Clustering
• MQ and Message Broker System Administration Practices
• Message Broker / MQ Code Review (sample subset of applications)
• Best Practices
• Naming Standards
• Staffing
• High Availability
• Security Risk Assessment
• Performance and Tuning
  o Memory and CPU
  o Kernel Settings
  o Data and Log Placement
  o Log Sizing
  o Logging Type
• Maintenance Methodology

3) IBM WebSphere MQ / WebSphere MQ FTE
• MQ FTE Security Risk
• MQ FTE Topology
• MQ Topology
  o Point to Point
  o MQ Clustering
• Staffing
• Best Practices
• Naming Standards
• High Availability
• Security Risk Assessment
• Performance and Tuning
  o Memory and CPU
  o Kernel Settings
  o Data and Log Placement
  o Log Sizing
  o Logging Type
• Maintenance Methodology

II. Customer Support Services

Engagement Type(s):
• Single Instance Installation [1]
• Multiple Instance Installation
• HA Configuration (Active / Passive and Active / Active) [2]
• WebSphere MQ Clustering [3]

Engagement Duration:
2-3 week range - WebSphere MQ
3-4 week range - WebSphere Message Broker / WebSphere MQ
2-3 week range - WebSphere MQ / MQ FTE

Deliverables:
• System Installation Guide
• System Review Assessment Report documenting the status of the identified areas and recommendations to help mitigate the exposure

Possible tasks to include:

1) IBM WebSphere MQ
• Installation, Configuration, and Customization
• Staff Mentoring
• Staffing Review / Assessment
• Naming Standards Review / Assessment
• Best Practices Review / Assessment
• High Availability position assessment
• Backup and Recovery position assessment
• MQ Security Risk Assessment
• MQ System Administration Practices Assessment

[1] A Single Instance Installation, depending on the operating system, can be one week
[2] HA may increase the duration beyond the 4 week upper limit
[3] MQ Clustering is a total engagement in itself

2) IBM WebSphere MQ / WebSphere Message Broker
• Message Broker Topology assessment
• Message Flow Deployment methodology assessment
• MQ Topology
• MQ and Message Broker System Administration Practices
• Best Practices Assessment
• Naming Standards assessment
• High Availability
• Security Risk Assessment

3) IBM WebSphere MQ / WebSphere MQ FTE
• MQ FTE Security Risk
• MQ FTE Topology
• MQ Topology
• Best Practices
• Naming Standards
• High Availability
• Security Risk Assessment

4) IBM WebSphere MQ Clustering or High Availability Implementation
• MQ Topology
• Best Practices
• Naming Standards
• Application / Queue Affinity Assessment
• High Availability Implementation
• Security Risk Assessment

The following is an estimated installation/configuration of a Single Instance Environment:

Installation / Configuration | Operating System | Estimated Time | Assumptions
--- | --- | --- | ---
WebSphere MQ | Windows | 4 hours | Domain MQ account set up before start
WebSphere MQ | AIX | 6 hours | mqm group and userid set up before start; data and log filesystems created and mounted before start
WebSphere MQ | Solaris | 6 hours | mqm group and userid set up before start; data and log filesystems created and mounted before start
WebSphere MQ | Linux | 6 hours | mqm group and userid set up before start; data and log filesystems created and mounted before start
WebSphere MQ | i5/OS | 8 hours | mqm group and userid set up before start; data and log filesystems created and mounted before start
WebSphere MQ | z/OS | 32 hours | Does not include RACF / ACF2 security policy creation; does not include Shared Queues / CF / DB2 implementation
WebSphere Message Broker [4] | Windows | 24 hours | Domain MQ account set up before start
WebSphere Message Broker [4] | AIX | 32 hours | mqm and MQBRKR group and userids set up before start; data and log filesystems created and mounted before start
WebSphere Message Broker [4] | Solaris | 32 hours | mqm group and MQBRKR and userid set up before start; data and log filesystems created and mounted before start
WebSphere Message Broker [4] | Linux | 32 hours | mqm group and MQBRKR and userid set up before start; data and log filesystems created and mounted before start
WebSphere Message Broker [4] | i5/OS | 32 hours | mqm group and MQBRKR and userid set up before start; data and log filesystems created and mounted before start
WebSphere Message Broker [4] | z/OS | 80 hours | Does not include RACF / ACF2 security policy creation; does not include Shared Queues / CF / DB2 implementation
WebSphere MQ FTE | Windows | 6 hours | Domain MQ account set up before start
WebSphere MQ FTE | AIX | 8 hours | mqm group and userid set up before start; data and log filesystems created and mounted before start
WebSphere MQ FTE | Solaris | 8 hours | mqm group and userid set up before start; data and log filesystems created and mounted before start
WebSphere MQ FTE | Linux | 8 hours | mqm group and userid set up before start; data and log filesystems created and mounted before start
WebSphere MQ FTE | i5/OS | 8 hours | mqm group and userid set up before start; data and log filesystems created and mounted before start
WebSphere MQ FTE | z/OS | unknown |

[4] WebSphere Message Broker installation includes the base product, WebSphere Message Broker Toolkit, MQ / MB Explorer, Eclipse 3.3 and MQ Installation Manager components

Sample Report:

XYZ WebSphere MQ / WebSphere Message Broker Review and Recommendations

During a review of the XYZ WebSphere MQ / WebSphere Message Broker environments, several observations were noted. These are outlined below, with recommendations made to help mitigate the risk to the environments. Each observation has been assigned both a “Business Risk” rating, the potential effect of the condition on the business, and an “Effort to Address” rating.

Description | Business Risk | Effort to Address

1. WebSphere MQ Object Authority Management (OAM) configuration
Business Risk: EXTREME | Effort to Address: MED
Observation / Recommendation: XYZ has a major exposure to the operational stability of the environments. With the Server Connection channel MCAUSER currently set to ‘mqm’, everyone who connects to a queue manager via MQ Explorer, a JMS application or any other client application is able to create, alter or delete any object. Seeing that XYZ has promoted the use of SYSTEM.ADMIN.SVRCONN for the non-mqm support staff, XYZ should create a new channel for the MQ Administration staff, establish the use of the mqm group OAM permissions, and harden the open SYSTEM.ADMIN.SVRCONN channel to allow only read-only operations.

2. AIX Ulimit Settings for WebSphere MQ and WebSphere Message Broker
Business Risk: HIGH | Effort to Address: LOW
Observation / Recommendation: During a review of the servers, I noted that none of the preserver / Ulimit configuration was performed. WebSphere MQ requires the server limits be x at a minimum. Set the system resource limits for data segment, stack segment, soft limit for file descriptors, hard limit for file descriptors to unlimited and increase the process limit for the number of file descriptors to the following attributes:

    ulimit -d unlimited
    ulimit -s unlimited
    ulimit -Sf unlimited
    ulimit -Hf unlimited

Alter the nofiles attribute in /etc/security/limits to 10,000 for the mqm user id. Once these server changes have been applied, the Queue Managers and Brokers (if necessary) should be recycled to pick up the changes.

3. WebSphere MQ / WebSphere Message Broker Disaster Recovery
Business Risk: HIGH | Effort to Address: MED
Observation / Recommendation: During conversations with management, it was noted that there is no formal Disaster Recovery Plan. XYZ should invest the time to develop and execute a DR plan for continuity of business in case of data center disaster. DR exercises should be held at least bi-yearly to ensure that XYZ can recover and resume business in case of disaster. It is important to note here that DR is not just in case of the Data Center loss, but if a server crashes, how would you recover the lost MQ and Message Broker configurations? Operational backup and recovery procedures are essential to every business continuity process.

4. WebSphere MQ mqs.ini and qm.ini parameters configuration
Business Risk: HIGH | Effort to Address: MED
Observation / Recommendation: XYZ currently has a basic mqs.ini and qm.ini configuration with very few best practices implemented. XYZ should revise all of the mqs.ini and qm.ini files to include the Operational TCP, Channel, and Tuning parameters. Note that I always set MaxChannels and MaxActiveChannels to 5000 because the MQ Listener is now multi-threaded and capable of handling the number of connections. These parameters establish the maximum number of connections available and will not affect the integrity or stability of the operational environment. Additionally, XYZ should monitor the number of connections so that when they reach 75 to 80% of the maximum limit, they can review the environment to determine the cause of the number of connections and increase limits if necessary to prevent any interruption of