
Enterprise Server Farm (ESF)

WebSphere MQ (Version 5.3)


Rules of Engagement

Application Management Team


Version 1.7
March 4, 2011

SECURITY WARNING
The information contained herein is proprietary to the Commonwealth of Pennsylvania and must not be
disclosed to un-authorized personnel. The recipient of this document, by its retention and use, agrees to
protect the information contained herein. Readers are advised that this document may be subject to the
terms of a non-disclosure agreement.
DO NOT DISCLOSE ANY OF THIS INFORMATION WITHOUT OBTAINING PERMISSION FROM
THE MANAGEMENT RESPONSIBLE FOR THIS DOCUMENT.

COMMONWEALTH OF PENNSYLVANIA

ENTERPRISE SERVER FARM

Version History

Date         Version   Modified By / Approved By   Section(s)    Comment
4/05/2007    1.0       K. Will (Editor)            All           Initial Version
9/12/2007    1.1       C. Reber (Editor)           All           Updated format to new template design. Made other formatting changes and updated verbiage to clarify steps.
9/26/2007    1.2       C. Reber                    All           Changed Agency Account Manager (AAM) to Service Coordinator (SC) in section 1.
9/27/2007                                                        Updated to enhanced template design (combined sections).
10/31/2007                                                       Update URLs.
02/25/2008   1.3       Scott White / C. Reber      1.2           Updated flow in 1.2 per S. White.
11/06/2008   1.4       C. Reber                    Cover page    Insert new OA logo onto cover page.
04/01/2009   1.5       C. Reber                    All           Update URLs.
07/15/2009   1.6       C. Reber                    1.1           Update ECSA to reflect new CA2 designation. Update URLs for the deployment process.
03/04/2010   1.7       C. Reber                    3.5           Remove references to MOM.

ESF WEBSPHERE MQ RULES OF ENGAGEMENT

PAGE 2 OF 12


Table of Contents

1 ESF OVERVIEW & ESF INFRASTRUCTURE ..... 4
  1.1 ESF OVERVIEW ..... 4
    1.1.1 ESF Engagement Process ..... 4
    1.1.2 ESF Deployment Process ..... 4
    1.1.3 Commonwealth Application Certification and Accreditation (CA2) ..... 4
  1.2 ESF INFRASTRUCTURE ..... 5
    1.2.1 External DMZ Security Zone ..... 5
    1.2.2 Internal Services Security Zone ..... 5
    1.2.3 Internal DMZ Security Zone ..... 5
2 WEBSPHERE MQ IMPLEMENTATION ..... 6
  2.1 PURPOSE / OVERVIEW ..... 6
  2.2 ASSUMPTIONS ..... 6
  2.3 SCHEMATIC DIAGRAM ..... 6
  2.4 PREREQUISITES ..... 7
  2.5 IMPLEMENTATION DETAILS ..... 7
3 WEBSPHERE MQ RULES OF ENGAGEMENT ..... 8
  3.1 RULES OF ENGAGEMENT OVERVIEW ..... 8
  3.2 NAMING CONVENTIONS ..... 8
  3.3 SERVICES ..... 8
  3.4 ROLES AND RESPONSIBILITIES ..... 9
    3.4.1 WebSphere MQ Clustering ..... 9
    3.4.2 Third Party Software ..... 9
  3.5 MONITORING ..... 9
  3.6 BACKUP AND RECOVERY ..... 9
  3.7 CHANGE MANAGEMENT ..... 9
  3.8 SECURITY ..... 9
    3.8.1 Authentication ..... 9
  3.9 MAINTENANCE ..... 10
4 ADDITIONAL RESOURCES AND REFERENCES ..... 11
5 APPENDIX A ..... 12


1 ESF Overview & ESF Infrastructure


This section contains standard information that is included in all ROE documents.

1.1 ESF OVERVIEW

The Commonwealth of Pennsylvania's Enterprise Server Farm (ESF) provides hosting services for
agency web-based and agency-specific applications. Its mission is to maintain a high level of security,
availability, reliability, and management for the Commonwealth of Pennsylvania's mission-critical web
applications.
Refer to Enterprise Server Farm for a full description of the ESF and all hosting and service offerings.
1.1.1 ESF Engagement Process

If your agency is considering deploying applications in the ESF, examine the ESF web site to understand
the ESF Services Portfolio, and then contact your Service Coordinator (SC). SCs are liaisons between
agencies and the ESF. They answer preliminary questions and coordinate meetings with ESF personnel to
ensure consistent communication on simple or complex projects.
Refer to ESF Getting Started for an overview of the benefits, services, and options for hosting your
application at the CTC ESF.
Refer to ESF Services Coordinator to identify your agency's Service Coordinator.
1.1.2 ESF Deployment Process

The ESF follows a well-defined deployment process for all application deployments. Application
development is performed at the agency or contractor location, while the ESF houses both a staging and a
production environment, which are mirror images of each other. This structured deployment and testing
process ensures a stable application in production. Before entering the ESF, every new application is
required to undergo a security assessment.
Refer to Deploying in Managed Services to review MS deployment process documents.
Refer to Deploying in Managed Services Lite to review MSL deployment process documents.
1.1.3 Commonwealth Application Certification and Accreditation (CA2)

Refer to Commonwealth Policy ITB-SEC005 regarding "Commonwealth Application Certification and
Accreditation".
Click https://www.sqca.state.pa.us to initiate the Commonwealth Application Certification and
Accreditation (CA2) Process.


1.2 ESF INFRASTRUCTURE

The ESF Web Farm architecture is segmented into security zones that are isolated from each other by
firewalls. The ESF network contains the External DMZ security zone, the Internal Services security zone,
and the Internal DMZ security zone. These three primary networks are connected to one another either
physically or logically.

1.2.1 External DMZ Security Zone

The External DMZ security zone contains Internet-facing servers that are connected to the Enterprise
DMZ. Both ESF-managed web servers (such as Managed Services) and agency-managed servers (such as
Co-Location servers) exist in the External DMZ security zone. Managed Services and Co-Location
servers are on separate subnets secured by either firewalls or Access Control Lists (ACLs).
1.2.2 Internal Services Security Zone

The Internal Services security zone contains Managed Services database servers and other application
servers from which dynamic content is obtained by web servers.
1.2.3 Internal DMZ Security Zone

The Internal DMZ security zone contains the Managed Web and application servers that need to be
accessible only from the Commonwealth Metropolitan Area Network (MAN). This Security Zone also
contains internal Co-Location databases and web and application servers that are isolated from the
Managed Services servers.
When ESF Domain Controllers intercommunicate in a security zone, all communications use standard
RPC and do not require IPSEC encryption or authentication. Domain Controller-to-Domain Controller
communications between security zones only use IPSEC with Authentication Headers (AH).
Other host-to-AD Component communication in the Managed Services portion of the Enterprise Server
Farm does not require IPSEC. However, IPSEC is required for all communications between entities
outside the Managed Services and ESF AD components.

2 WebSphere MQ Implementation
2.1 PURPOSE / OVERVIEW

WebSphere MQ messaging products enable application integration by helping business applications
exchange information across different platforms, sending and receiving data as messages. They take care
of network interfaces, assure once-and-once-only delivery of messages, deal with communications
protocols, dynamically distribute workload across available resources, handle recovery after system
problems, and help make programs portable.
WebSphere MQ provides a consistent multi-platform application programming interface. Time-independent
processing deals with messages promptly, even if one or more recipients are temporarily
unavailable. Secure Sockets Layer (SSL) provides additional security.
WebSphere MQ 5.3 is compatible with the previous release, IBM MQSeries 5.2.

2.2 ASSUMPTIONS

This document assumes that the reader has a basic understanding of message queuing and WebSphere
MQ and a good understanding of the operating system and associated utilities.

2.3 SCHEMATIC DIAGRAM


2.4 PREREQUISITES

For an application to use WebSphere MQ in the ESF, WebSphere MQ must reside in the External Active
Directory Forest, which trusts the internal CWOPA domain. This trust facilitates the Single Sign-On
security model whereby user accounts in CWOPA can grant access to the applications in the ESF. The
Application Management Team (AMT) has full administrative access over the External Active Directory
Forest.

2.5 IMPLEMENTATION DETAILS

The ESF hosts WebSphere MQ 5.3 to deliver messages reliably for applications in the ESF. WebSphere
MQ 5.3 is deployed on a single server located in the internal DMZ zone to ensure that it is only accessible
from internal applications and users, but can send messages to any location. Version 5.3 binaries and
CSD07 (FixPack 7) are installed for the most up-to-date security and feature availability possible.
WebSphere MQ 5.3 is installed in both the Staging and Production environments. The staging server
belongs to the BETAAPPS domain while the Production server resides in the APPS domain. Both servers
physically reside in the Managed Services Internal DMZ.


3 WebSphere MQ Rules of Engagement


3.1 RULES OF ENGAGEMENT OVERVIEW

The foundation of WebSphere security is physical and logical isolation. ESF servers are in a physically
protected location (locked and conditioned Server Farm). WebSphere MQ is installed in a secure zone of
the Commonwealth intranet, and the servers are never directly connected to the Internet. The ESF backs
up all data regularly and stores copies in a secure off-site location.

3.2 NAMING CONVENTIONS

Naming conventions provide a standard approach to naming objects and help to troubleshoot and locate
them. Every object also needs a detailed description of its use. The ESF requires the following naming
standards for WebSphere MQ.

Queue managers: the naming standard for a QMGR is XXApplicationName, where:
- XX is the two-digit agency code
- ApplicationName is the name of the application that is using WebSphere MQ

IBM has three main queue types:
- Local
- Remote Definition
- Transmit

To make queue names intuitive for users, a queue name consists of the ApplicationName, a pipeline
number that increments for each pipeline, and an ESF-approved suffix. Numbering queues by pipeline
makes administration easier. The ESF-approved suffixes are:
- .QUEUE for local queues (receiving or worker)
- .REMOTEQ for remote definition queues
- .XMITQ for transmission queues

For example, if a remote definition queue points to a transmission queue, the remote queue is named
ApplicationName01.REMOTEQ and the transmission queue is named ApplicationName01.XMITQ.
Because a transmission queue hands messages to a channel for delivery to the next destination, the
pipeline ends there. However, if the application is supposed to post a response back to a local queue for
this pipeline, that queue keeps the same pipeline designation: a local queue that captures responses is
named ApplicationName01.QUEUE.

Channels: because of the way WebSphere MQ works, a channel must have the same name on both the
sending and the receiving QMGR. The naming standard for channels is X_QMGR##.Y_QMGR##, where X
and Y can be local or remote. For example:
- LOCAL_QMGR##.REMOTE_QMGR## is a sender channel
- REMOTE_QMGR##.LOCAL_QMGR## is a receiver channel

This standard permits multiple channels within one QMGR for multiple purposes and lets the agency
align the channel number with the pipeline number.

3.3 SERVICES

Four default installed services run automatically at WebSphere MQ start-up:
- Queue Manager
- Command Server
- Channel Initiator
- Listener Port


The Listener service requires minor manual configuration of the QMGR access ports. Each QMGR
requires its own port to listen on and send from. IBM's default port, TCP 1414, is widely known and used
in the industry. Since the ESF is a shared environment, it uses the port range TCP 4001-4010 instead.
The ESF port is not related to the sending party's port. The Listener port is configured for the QMGR to
receive messages and for remote administrative control. The sending party may send from any available
client port to this specific server port.
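The naming rules in 3.2 and the listener-port rule in 3.3 are simple to state but easy to get wrong once an agency has several pipelines. The following Python script is an added example, not part of the ROE or of any ESF tooling: it validates queue manager, queue and channel names against the conventions above, assigns a free listener port from the TCP 4001-4010 range, and emits the MQSC definitions for one pipeline with a DESCR on every object. The two-character agency code, the two-digit pipeline number, and the reading of X_QMGR##.Y_QMGR## as <sourceQMGR><NN>.<destinationQMGR><NN> are assumptions; the 48-character queue/queue-manager and 20-character channel limits are WebSphere MQ's own object-name limits.

```python
"""Name and listener-port checks for the ESF WebSphere MQ conventions (added example)."""
import re

# WebSphere MQ name limits: 48 characters for queue manager and queue names, 20 for channels.
MAX_QMGR_LEN, MAX_QUEUE_LEN, MAX_CHANNEL_LEN = 48, 48, 20

# Assumptions not spelled out in the ROE: the agency code is two letters or digits, the
# pipeline number is exactly two digits, and a channel is <srcQMGR><NN>.<dstQMGR><NN>
# (that is how X_QMGR##.Y_QMGR## is read here).
QMGR_RE = re.compile(r"^(?P<agency>[A-Z0-9]{2})(?P<app>[A-Za-z0-9]+)$")
QUEUE_RE = re.compile(r"^(?P<app>[A-Za-z0-9]+?)(?P<pipe>\d{2})\.(?P<suffix>QUEUE|REMOTEQ|XMITQ)$")
CHANNEL_RE = re.compile(r"^(?P<src>[A-Za-z0-9]+?)(?P<p1>\d{2})\.(?P<dst>[A-Za-z0-9]+?)(?P<p2>\d{2})$")

# Section 3.3: one listener port per QMGR from TCP 4001-4010; IBM's well-known 1414 is not used.
ESF_LISTENER_PORTS = range(4001, 4011)
IBM_DEFAULT_PORT = 1414


def check_qmgr_name(name):
    """Problems with a queue manager name; an empty list means it is compliant."""
    problems = []
    if len(name) > MAX_QMGR_LEN:
        problems.append(f"longer than {MAX_QMGR_LEN} characters")
    if not QMGR_RE.match(name):
        problems.append("expected XXApplicationName (two-character agency code + application name)")
    return problems


def check_queue_name(name, expected_app=None):
    """Problems with ApplicationName<NN>.<suffix>; optionally pin the application part."""
    problems = []
    if len(name) > MAX_QUEUE_LEN:
        problems.append(f"longer than {MAX_QUEUE_LEN} characters")
    m = QUEUE_RE.match(name)
    if not m:
        problems.append("expected ApplicationName<NN>.QUEUE, .REMOTEQ or .XMITQ")
    elif expected_app and m.group("app") != expected_app:
        problems.append(f"application part {m.group('app')!r} is not {expected_app!r}")
    return problems


def check_channel_name(name):
    """Problems with <srcQMGR><NN>.<dstQMGR><NN>; both pipeline numbers must agree."""
    problems = []
    if len(name) > MAX_CHANNEL_LEN:
        problems.append(f"longer than {MAX_CHANNEL_LEN} characters")
    m = CHANNEL_RE.match(name)
    if not m:
        problems.append("expected <srcQMGR>NN.<dstQMGR>NN")
    elif m.group("p1") != m.group("p2"):
        problems.append(f"pipeline numbers differ ({m.group('p1')} vs {m.group('p2')})")
    return problems


def return_channel_name(channel):
    """Channel for the same pipeline in the opposite direction: a channel has the same name on
    both QMGRs, so 12PAY01.34CLM01 (sender on 12PAY) pairs with 34CLM01.12PAY01 (receiver)."""
    m = CHANNEL_RE.match(channel)
    if not m:
        raise ValueError(f"not a conforming channel name: {channel}")
    return f"{m['dst']}{m['p2']}.{m['src']}{m['p1']}"


def check_listener_port(port):
    """Problems with a proposed ESF listener port."""
    problems = []
    if port == IBM_DEFAULT_PORT:
        problems.append("1414 is IBM's widely known default and is not used in the ESF")
    if port not in ESF_LISTENER_PORTS:
        problems.append("outside the ESF range TCP 4001-4010")
    return problems


def allocate_listener_port(assigned):
    """Lowest free ESF port given a QMGR-name -> port map; only ten QMGRs fit the range."""
    free = [p for p in ESF_LISTENER_PORTS if p not in set(assigned.values())]
    if not free:
        raise ValueError("all ten ESF listener ports are taken; no port left for a new QMGR")
    return free[0]


def pipeline_mqsc(local_qmgr, remote_qmgr, app, pipe, remote_host, remote_port, remote_queue, purpose):
    """MQSC for one outbound pipeline: transmission queue, remote definition, response queue,
    sender channel and matching receiver channel, each with the DESCR the ROE requires.
    `remote_queue` is the target queue on `remote_qmgr`; `remote_port` is the partner's listener."""
    n = f"{pipe:02d}"
    local_q, remote_q, xmit_q = (f"{app}{n}.{s}" for s in ("QUEUE", "REMOTEQ", "XMITQ"))
    sender = f"{local_qmgr}{n}.{remote_qmgr}{n}"
    receiver = return_channel_name(sender)
    bad = {q: check_queue_name(q, app) for q in (local_q, remote_q, xmit_q)}
    bad.update({c: check_channel_name(c) for c in (sender, receiver)})
    bad = {k: v for k, v in bad.items() if v}
    if bad:
        raise ValueError(f"non-conforming names: {bad}")
    return [
        f"DEFINE QLOCAL('{xmit_q}') USAGE(XMITQ) DESCR('{purpose}: transmission queue, pipeline {n}')",
        f"DEFINE QREMOTE('{remote_q}') RNAME('{remote_queue}') RQMNAME('{remote_qmgr}') "
        f"XMITQ('{xmit_q}') DESCR('{purpose}: remote definition, pipeline {n}')",
        f"DEFINE QLOCAL('{local_q}') DESCR('{purpose}: response queue, pipeline {n}')",
        f"DEFINE CHANNEL('{sender}') CHLTYPE(SDR) TRPTYPE(TCP) CONNAME('{remote_host}({remote_port})') "
        f"XMITQ('{xmit_q}') DESCR('{purpose}: outbound channel, pipeline {n}')",
        f"DEFINE CHANNEL('{receiver}') CHLTYPE(RCVR) TRPTYPE(TCP) DESCR('{purpose}: inbound channel, pipeline {n}')",
    ]
```

Calling pipeline_mqsc("12PAY", "34CLM", "PAY", 1, "mq.example.invalid", 4003, "CLM01.QUEUE", "Payroll to claims") with these constructed names returns five DEFINE statements that can be reviewed before they are fed to runmqsc; a name that breaks the convention (a single-digit pipeline, mismatched pipeline numbers on the two halves of a channel) raises before anything is emitted.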

3.4 ROLES AND RESPONSIBILITIES

3.4.1 WebSphere MQ Clustering

WebSphere MQ provides native application level clustering for high availability. Clustering provides
redundancy and process offloading to less utilized MQ servers. The ESF does not currently support a high
availability configuration with WebSphere MQ clustering. If your application requires a high availability
configuration, please contact your AAM to engage ESF.
3.4.2 Third Party Software

To maintain reliability and availability for all applications, ESF does not install third party software or
custom applications on the shared WebSphere MQ server. This server is dedicated to sending and
receiving messages through WebSphere MQ. Additional applications are not supported on the WebSphere
MQ servers.

3.5 MONITORING

ESF operations deliver an enterprise-class solution for operations management and monitoring of
Windows servers and Windows infrastructure, including Active Directory, Internet Information Services
(IIS), and SQL Server.
Events are monitored so that possible service outages or configuration problems are detected and the ESF
can quickly take corrective or preventive action. The ESF manages critical functions to ensure that
services are operational and performing at a high degree of reliability.
The ESF requests that agencies provide monitoring requirements in ESF documentation so that the ESF
can configure proactive monitoring.

3.6 BACKUP AND RECOVERY

The ESF performs a full backup of Managed Services servers nightly, Monday through Friday, and
incremental backups on Sundays. The ESF sends tapes to an off-site facility weekly and maintains a
weekly, monthly, and yearly tape archive. Daily and weekly tapes are redeployed in the rotation scheme
while yearly backups are retained for seven years.

3.7 CHANGE MANAGEMENT

Standard ESF Change Management procedures are in place.

3.8 SECURITY

3.8.1 Authentication

Applications should use a least privileged account to connect to WebSphere MQ. WebSphere MQ uses
the local system account as the default account unless a requirement exists for the administrator to submit
records to the queues directly. If a user resides outside of ESF and requires direct access to the channel,
use a service account. However, if an incoming service is responsible for submitting to the Queue
Manager (QMGR), use a default account. Remote QMGR viewing is not supported, as it requires
administrative rights to the WebSphere MQ server.
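The least-privilege rule above can be checked rather than assumed. The script below is an added example, not ESF code: it reads object authority records laid out like dmpmqaut output (the sample records are constructed, and the exact field labels are an assumption) and reports every non-administrator entity whose authorities on a queue or queue manager exceed what an application account needs to connect, put, get, browse and inquire. It also expands the allmqi, alladm and all shorthand groups, so an account granted all on its queue shows up with the administrative authorities spelled out.

```python
"""Least-privilege audit of WebSphere MQ authority records (added example, not ESF code)."""

# Authorities an application account needs on its queues and queue manager (assumption).
APP_AUTHS = {"connect", "put", "get", "browse", "inq"}

# MQI-level and administrative authority names, and the shorthand groups that expand to them.
MQI_AUTHS = {"altusr", "browse", "connect", "get", "inq", "put",
             "passall", "passid", "set", "setall", "setid"}
ADM_AUTHS = {"chg", "clr", "crt", "dlt", "dsp", "ctrl", "ctrlx"}
GROUPS = {"allmqi": MQI_AUTHS, "alladm": ADM_AUTHS, "all": MQI_AUTHS | ADM_AUTHS}

# Constructed sample in the shape of dmpmqaut output: svc_pay is a service account used
# by an application; mqm is the MQ administrators' group. Field labels are assumptions.
SAMPLE_RECORDS = """\
profile:     PAY01.QUEUE
object type: queue
entity:      svc_pay
entity type: principal
authority:   get put inq

profile:     PAY01.XMITQ
object type: queue
entity:      svc_pay
entity type: principal
authority:   put setall chg dlt

profile:     self
object type: qmgr
entity:      svc_pay
entity type: principal
authority:   connect inq

profile:     self
object type: qmgr
entity:      mqm
entity type: group
authority:   all
"""


def parse_records(text):
    """Split blank-line-separated 'key: value' blocks into dicts; authority becomes a set."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        rec["authority"] = set(rec.get("authority", "").split())
        records.append(rec)
    return records


def expand(auths):
    """Replace shorthand groups (all, allmqi, alladm) with the individual authorities."""
    expanded = set()
    for a in auths:
        expanded |= GROUPS.get(a, {a})
    return expanded


def audit(records, admin_entities=("mqm",)):
    """Return (profile, entity, sorted excess authorities) for every non-admin entity that holds
    more than an application needs. Administrators are skipped: they are expected to hold control."""
    findings = []
    for rec in records:
        if rec["entity"] in admin_entities:
            continue
        excess = expand(rec["authority"]) - APP_AUTHS
        if excess:
            findings.append((rec["profile"], rec["entity"], sorted(excess)))
    return findings


if __name__ == "__main__":
    for profile, entity, excess in audit(parse_records(SAMPLE_RECORDS)):
        print(f"{entity} holds {' '.join(excess)} on {profile}: more than an application needs")
```

On the constructed sample the audit flags svc_pay on PAY01.XMITQ for setall, chg and dlt, which are administrative authorities an application account submitting records to a queue should not hold; the same account's get/put/inq on PAY01.QUEUE and connect/inq on the queue manager pass. Pointing parse_records at real dmpmqaut output for a queue manager turns this into a quick recurring check that the default and service accounts described above have not accumulated administrative rights.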

3.9 MAINTENANCE

To perform periodic maintenance jobs, the ESF follows the standard Enterprise Maintenance window for
maintenances that affect a large number of applications. This window is from Sunday at 11 PM to
Monday at 4 AM. The weekly maintenance window is reserved for system and network level changes.
Agencies should not schedule tasks during this window since many of these changes require low
utilization, user lockout, or server reboots.
The ESF coordinates maintenance schedules that affect individual agencies or applications with agency
contacts. To learn more about Enterprise Network maintenance scheduling, see ESF and OA/OIT
Calendars.


4 Additional Resources and References


This section summarizes important WebSphere MQ resources.
WebSphere MQ for Windows
http://www-01.ibm.com/software/integration/wmq
WebSphere MQ for Windows, Version 5.3 Product Announcement
http://www-306.ibm.com/fcgi-bin/common/ssi/ssialias?infotype=an&subtype=ca&appname=Demonstration&htmlfid=897/ENUS202-074
Note: Numerous resources and papers are available from the IBM WebSphere MQ web site at
http://www-306.ibm.com/software/integration/wmq/.


5 Appendix A
Provide supplementary material, if available. If there are multiple appendices, add section additions (i.e.,
Section 5, Section 6, etc.) as required.
