What's changed in IBM MQ 9.4.0 Long Term Support
The Long Term Support (LTS) release is a recommended product level for which support, including defect and security updates, is provided over a specified period of time.
LTS releases do not deliver new functional enhancements. They contain only defect fixes and security updates, and are made available at regular intervals. They are intended for systems that demand maximum stability over a long term deployment period.
For more information see IBM® MQ release types and versioning and IBM MQ FAQ for Long Term Support and Continuous Delivery releases.
For Long Term Support, maintenance updates for IBM MQ 9.4.0 for Multiplatforms and IBM MQ Appliance are provided as fix packs or cumulative security updates (CSUs).
- Fix packs, which contain roll-ups of all defects fixed since the previous fix pack delivery (or GA). Fix packs are produced exclusively for Long Term Support (LTS) releases during their normal support lifecycle.
- Cumulative security updates (CSUs), which are smaller updates and contain security patches released since the previous maintenance (or GA). CSUs are produced for LTS releases (including releases in extended support), and also for the latest IBM MQ Continuous Delivery (CD) release, as required to deliver relevant security patches.
For maintenance releases in or after 1Q 2023, the fourth digit in the VRMF represents either a fix pack number or a CSU number. Both types of maintenance are mutually cumulative (that is, they contain everything included in older CSUs and fix packs), and both are installed using the same mechanisms for applying maintenance. Both types of maintenance update the F-digit of the VRMF to a higher number than any previous maintenance: fix packs use "F" values divisible by 5, CSUs use "F" values not divisible by 5.
For maintenance releases before 1Q 2023, the fourth digit in the VRMF always represents the fix pack level. For example, the first fix pack of the IBM MQ 9.3.0 LTS release is numbered 9.3.0.1.
For more information, see Changes to IBM MQ's maintenance delivery model.
For z/OS®, maintenance updates are provided as Program Temporary Fixes (PTFs) or cumulative security updates (CSUs). For z/OS UNIX System Services features (that is, JMS, REST API and IBM MQ Console, and Managed File Transfer) the z/OS PTFs are aligned directly with the Multiplatforms fix packs. Other PTFs are made available as and when they are produced.
![[MQ 9.4.0.21 May 2026]](ng94021.gif)
IBM MQ 9.4.0 CSU 21
- New IBM MQ Console and REST API configuration property
- For enhanced security, a new configuration property called ltpaKeysPassword is added. This property contains a password for securing the LTPA key store that is used by the WebSphere® Liberty mqweb server in which the IBM MQ Console and REST API are installed. A default value for this property is set when you install IBM MQ. You can change the value in a similar way to other LTPA token configuration, by running the following command:
setmqweb properties -k ltpaKeysPassword -v <new_password>
The ltpaKeysPassword value is used to generate an ltpa.keys authentication file when you start the IBM MQ Console or REST API. If you later change the value, you must regenerate the ltpa.keys file, otherwise authentication fails and the following error is output to the IBM MQ Console log file:
[ERROR ] CWWKS4106E: LTPA configuration error. Unable to create or read LTPA key file: /var/mqm/web/installations/Installation1/servers/mqweb/resources/security/ltpa.keys
To regenerate the ltpa.keys file, follow these steps:
- Delete the ltpa.keys file.
- Restart the IBM MQ Console or REST API. A new ltpa.keys file is generated with the new password value, as confirmed by a CWWKS4104A message in the console log.
For more information about other LTPA configuration, see Configuring the LTPA token.
![[MQ 9.4.0.20 Feb 2026]](ng94020.gif)
IBM MQ 9.4.0 Fix Pack 20
- Configuring TLS client authentication in MQIPT
- From IBM MQ 9.4.0 Fix Pack 20, the SSLServerClientAuth property can be used to configure whether client authentication is required for an IBM MQ Internet Pass-Thru (MQIPT) SSL/TLS server route. If required, this new property can be used to prevent MQIPT from requesting a certificate from the SSL/TLS client. The new SSLServerClientAuth property overrides the existing SSLServerAskClientAuth property, if both properties are specified.
- Changes to supported signature algorithms when operating in FIPS mode
- From IBM MQ 9.4.0 Fix Pack 20, the IBM SDK, Java Technology Edition 8 JRE removes support for reading an RSA KeyPair with one security provider that has been generated by another security provider when operating in FIPS mode. Any attempt to do this will result in the following exception being thrown:
javax.net.ssl.SSLException: No supported signature algorithm for RSA key
For more information, see APAR IJ53002.
- Disabled CipherSuites
- From IBM MQ 9.4.0 Fix Pack 20, the IBM SDK, Java Technology Edition 8 JRE disables TLS_RSA CipherSuites by default. This affects the following components:
- AMQP server
- Managed File Transfer (MFT)
- IBM MQ Console
- IBM MQ Explorer
- IBM MQ Internet Pass-Thru
- IBM MQ REST API
- IBM MQ Telemetry service
If you are using one of these components with a TLS_RSA CipherSuite, you have two options:
- Change the component to use a different CipherSuite.
- Re-enable the CipherSuites by removing the entry:
TLS_RSA_*
from the jdk.tls.disabledAlgorithms property in the JRE's java.security file. The location of the file for each platform is shown in the following table:

Table 1. Location of the java.security file
| Platform | Directory |
| --- | --- |
| AIX® and Linux® | MQ_INSTALLATION_PATH/java/jre/lib/security |
| Windows | MQ_INSTALLATION_PATH\java\jre\lib\security |
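An audit of the setting described above, as an added example that is not IBM's code: it parses java.security content, joins backslash-continued lines, and reports which configured CipherSuites match an entry of jdk.tls.disabledAlgorithms. The sample file content and the suite list are constructed, and treating `*` as a glob wildcard is an assumption about how the JRE interprets the entry.

```python
import fnmatch

PROP = "jdk.tls.disabledAlgorithms"

def logical_lines(text):
    """Yield property lines with backslash continuations joined, comments skipped."""
    pending = None                      # text of a line still being continued
    for raw in text.splitlines():
        line = raw.strip()
        if pending is None and (not line or line[0] in "#!"):
            continue                    # blank or comment at the start of a line
        joined = (pending or "") + line
        if line.endswith("\\"):
            pending = joined[:-1]       # drop the backslash, keep collecting
        else:
            pending = None
            yield joined
    if pending is not None:
        yield pending

def disabled_algorithms(text):
    """Entries of the effective definition; a later definition replaces an earlier one."""
    entries = []
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROP:
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def blocked_suites(text, configured):
    """Configured CipherSuite names matching a disabled entry by name or wildcard.
    Algorithm-level entries (for example RC4) are not decomposed here."""
    patterns = disabled_algorithms(text)
    return [s for s in configured
            if any(fnmatch.fnmatchcase(s, p) for p in patterns)]

# Constructed sample content, not a real java.security file.
SAMPLE = r"""
# TLS restrictions
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, \
    DH keySize < 1024, \
    TLS_RSA_*
"""
# Constructed list of suites configured on channels or components.
CONFIGURED = ["TLS_RSA_WITH_AES_128_CBC_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    print("disabled entries:", disabled_algorithms(SAMPLE))
    print("blocked by default:", blocked_suites(SAMPLE, CONFIGURED))
```

An empty result from blocked_suites on a file where a TLS_RSA suite is configured means the TLS_RSA_* entry has been removed and the suites are re-enabled on that installation.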
![[MQ 9.4.0.15 Aug 2025]](ng94015.gif)
IBM MQ 9.4.0 Fix Pack 15
- Changes to operating system authentication for the IBM MQ Console and REST API
- To resolve issues with only the user primary group being reported when verifying group membership for access or authorisation, from IBM MQ 9.4.0 Fix Pack 15, the IBM MQ Console and REST API allow operating system authentication to be done in a similar way to the queue manager. To enable this behavior, you must set the MQS_GETGROUPLIST_API environment variable before starting the mqweb server hosting the IBM MQ Console.
For more information, see Solving certain group membership problems on Linux.
![[MQ 9.4.0.10 Feb 2024]](ng94010.gif)
IBM MQ 9.4.0 Fix Pack 10
- Performance monitoring enhancements
- From IBM MQ 9.4.0 Fix Pack 10, you can use the mqperfck command to generate an HTML report containing performance metrics for specified queues or channels over a set time period. The report shows key system and queue manager metrics such as CPU load and IO rate, as well as metrics for the object(s) under observation such as lock contention, MQI counts, selector and match-option mismatches, and network time. The report allows customers and IBM Support to review and compare workload between normal and problematic time periods or performant and non-performant environments. It is intended to gain insight into workload patterns during times of performance sensitivity without the need to capture IBM MQ trace. For more information, see mqperfck (MQ performance check) and Metrics published on the system topics.
- Addition of a toString() method to the TransferExitResult class to output the attributes of the current object
- When customizing Managed File Transfer (MFT) with user exits, TransferExitResult objects are used to store the result code returned by an exit, along with an optional string containing an explanatory message. From IBM MQ 9.4.0 Fix Pack 10, the TransferExitResult class has been updated to include a toString() method which outputs the result code stored in the object, along with the optional explanatory message if it is present. For example:
[CANCEL_TRANSFER, FileFilterExit: NullPointerException]
For more information, see FileTransferResult.java interface.
- Disabled CipherSuites in MQIPT
- From IBM MQ 9.4.0 Fix Pack 10, SSL_ECDH CipherSuites are disabled by default in IBM MQ Internet Pass-Thru (MQIPT).
For more information about the CipherSuites that MQIPT supports, see CipherSuites supported by MQIPT.
- Changes to allow IBM MQ Java client properties com.ibm.mq.cfg.TCP.ClntRcvBuffSize and com.ibm.mq.cfg.TCP.ClntSndBuffSize to be set to zero
- From IBM MQ 9.4.0 Fix Pack 10, if the value of either the com.ibm.mq.cfg.TCP.ClntRcvBuffSize or the com.ibm.mq.cfg.TCP.ClntSndBuffSize property is set as zero for an IBM MQ Java client, the Java Message Queuing Interface (JMQI) uses the buffer size provided by the network layer. This resolves a previous issue where setting the properties to zero would incorrectly result in the JMQI using TCP/IP send and/or receive buffers of size 32K when communicating with a queue manager.
For more information, see TCP stanza of the client configuration file.
- New DNSResolutionOrder attribute of TCP stanza
- From IBM MQ 9.4.0 Fix Pack 10, the DNSResolutionOrder attribute specifies the order in which IBM MQ looks up host names in mixed IPv6 and IPv4 environments. If the AMQ_NO_IPV6 environment variable is set, IBM MQ acts as if DNSResolutionOrder=IPV4 is set, no matter what value is configured.
For more information, see TCP stanza of the qm.ini file and TCP stanza of the client configuration file.
![[MQ 9.4.0.5 Sep 2024]](ng9405.gif)
IBM MQ 9.4.0 Fix Pack 5
- New return code 2491
- IBM MQ 9.4.0 Fix Pack 5 adds a new return code (2491) that can appear in messages that are moved to the dead letter queue. For more information, see 2491 0x000009bb MQRC_MSG_LENGTH_ERROR.