What's changed in IBM MQ 9.1.0 Long Term Support

The Long Term Support (LTS) release is a recommended product level for which support, including defect and security updates, is provided over a specified period of time.

LTS releases do not deliver new functional enhancements. They contain only defect fixes and security updates, and are made available at regular intervals. They are intended for systems that demand maximum stability over a long term deployment period.

For more information see IBM® MQ release types and IBM MQ FAQ for Long Term Support and Continuous Delivery releases.

For Long Term Support for IBM MQ 9.1.0 for Multiplatforms and IBM MQ Appliance, maintenance updates are provided as fix packs or cumulative security updates (CSUs).

Note: From 1Q 2023, for Multiplatforms, there are two types of maintenance:

Fix packs, which contain roll-ups of all defects fixed since the previous fix pack delivery (or GA). Fix packs are produced exclusively for Long Term Support (LTS) releases during their normal support lifecycle.
Cumulative security updates (CSUs), which are smaller updates and contain security patches released since the previous maintenance (GA). CSUs are produced for LTS releases (including releases in extended support), and also for the latest IBM MQ Continuous Delivery (CD) release, as required to deliver relevant security patches.

For maintenance releases in or after 1Q 2023, the fourth digit in the VRMF represents either a fix pack number or a CSU number. Both types of maintenance are mutually cumulative (that is, they contain everything included in older CSUs and fix packs), and both are installed using the same mechanisms for applying maintenance. Both types of maintenance update the F-digit of the VRMF to a higher number than any previous maintenance: fix packs use "F" values divisible by 5, CSUs use "F" values not divisible by 5.

For maintenance releases before 1Q 2023, the fourth digit in the VRMF always represents the fix pack level. For example, the first fix pack of the IBM MQ 9.1.0 LTS release is numbered 9.1.0.1.

For more information, see Changes to IBM MQ's maintenance delivery model.

[z/OS] For z/OS®, maintenance updates are provided as PTFs or cumulative security updates (CSUs). For Unix System Services features (that is, JMS and WEB UI, Connector Pack, and Managed File Transfer) the z/OS PTFs are aligned directly with the Multiplatforms fix packs. Other PTFs are made available as and when they are produced.

IBM MQ 9.1.0 CSU 36

New IBM MQ Console and REST API configuration property

For enhanced security, a new configuration property called ltpaKeysPassword is added. This property contains a password for securing the LTPA key store that is used by the WebSphere® Liberty mqweb server in which the IBM MQ Console and REST API are installed. A default value for this property is set when you install IBM MQ. You can change the value in a similar way to other LTPA token configuration, by running the following command:

setmqweb properties -k ltpaKeysPassword -v <new_password>

The ltpaKeysPassword value is used to generate an ltpa.keys authentication file when you start the IBM MQ Console or REST API. If you later change the value, you must regenerate the ltpa.keys file otherwise authentication fails and the following error is output to the IBM MQ Console log file:

[ERROR   ] CWWKS4106E: LTPA configuration error. Unable to create or read LTPA key file: /var/mqm/web/installations/Installation1/servers/mqweb/resources/security/ltpa.keys

To regenerate the ltpa.keys file, follow these steps:

Delete the ltpa.keys.
Restart the IBM MQ Console or REST API. A new ltpa.keys file is generated with the new password value, as confirmed by a CWWKS4104A message in the console log.

For more information about other LTPA configuration, see Configuring the LTPA token.

IBM MQ 9.1.0 CSU 34

Changes to supported signature algorithms when operating in FIPS mode

From IBM MQ 9.1.0 CSU 34, the IBM Java 8 JRE removes support for reading an RSA KeyPair with one security provider that has been generated by another security provider when operating in FIPS mode. Any attempt to do this will result in the following exception being thrown:

javax.net.ssl.SSLException: No supported signature algorithm for RSA  key

For more information, see APAR IJ53002.

This exception might be seen when using one of the following components:

AMQP server
Managed File Transfer (MFT)
IBM MQ Console
IBM MQ Explorer
IBM MQ REST API
IBM MQ Telemetry service

To resolve the issue, you should regenerate your certificates using the IBMJCEPlusFIPS provider.

Disabled CipherSuites

From IBM MQ 9.1.0 CSU 34, the IBM Java 8 JRE disables TLS_RSA CipherSuites by default. This affects the following components:

AMQP server
Managed File Transfer (MFT)
IBM MQ Console
IBM MQ Explorer
IBM MQ REST API
IBM MQ Telemetry service

If you are using one of these components with a TLS_RSA CipherSuite, you have two options:

Change the component to use a different CipherSuite.
Re-enable the CipherSuites by removing the entry:
```
TLS_RSA_*
```
from the jdk.tls.disabledAlgorithms property in the JRE's java.security file. The location of the file for each platform is shown in the following table:
Table 1. Location of the java.security file

Platform Directory

UNIX and Linux® MQ_INSTALLATION_PATH/java/jre/lib/security

Windows MQ_INSTALLATION_PATH\java\jre\lib\security

Table 1. Location of the java.security file
Platform	Directory
UNIX and Linux®	MQ_INSTALLATION_PATH/java/jre/lib/security
Windows	MQ_INSTALLATION_PATH\java\jre\lib\security

IBM MQ 9.1.0 CSU 31

Changes to IBM MQ classes for Java and IBM MQ classes for JMS

From IBM MQ 9.1.0 CSU 31, known issue (KI) DT434353 has added support for Java 17 and later to the IBM MQ classes for Java and IBM MQ classes for JMS. As a result of this, the finalize() method has been removed from the following classes in the IBM MQ classes for Java:

com.ibm.mq.MQDistributionList
com.ibm.mq.MQManagedObject
com.ibm.mq.MQQueueManager

and an internal class used by JMS connections, because the use of the finalize() method has been deprecated from Java 9 onwards.

This has implications for applications that do not explicitly close these objects once they have finished with them. Prior to the changes for the KI, the underlying Java Virtual Machine (JVM) would have called the finalize() method on them at some point after they had dropped out of scope. However, this will no longer happen and so applications that do not close the objects could end up leaking them and reporting java.lang.OutOfMemoryError exceptions after upgrading to a Fix Pack or Cumulative Security Update (CSU) that contains the fix for DT434353.

Changes to the IBM MQ Bridge to Salesforce

From IBM MQ 9.1.0 CSU 31, the IBM MQ Bridge to Salesforce has been updated to use Eclipse Jetty 12 and an IBM Semeru Runtime 17. The JRE is included as part of the MQSeriesSFBridge rpm, and can only be used to run the IBM MQ Bridge to Salesforce. Using it to run other applications is not supported.

Removal of the IBM MQ Bridge to blockchain

The IBM MQ Bridge to blockchain is deprecated across all releases from November 22 2022 (see US Announcement letter 222-341).

For Long Term Support, IBM MQ Bridge to blockchain is removed at IBM MQ 9.1.0 CSU 31.

IBM MQ 9.1.0 CSU 21

Removal of support for RSA key exchange when operating in FIPS mode

From IBM MQ 9.1.0 CSU 21, the IBM Java 8 JRE removes support for RSA key exchange when operating in FIPS mode. This removal applies to the following CipherSuites: