Learn about the responsibilities you have when you use IBM® MQ on IBM Cloud®.
For overall terms of use, see Cloud Services terms.
Overview of shared responsibilities
IBM MQ on IBM Cloud is a managed service in the IBM Cloud shared responsibility model. Review the following
table of who is responsible for particular cloud resources when using IBM MQ on IBM Cloud. Then,
you can view more granular tasks for shared responsibilities in Tasks for shared responsibilities by
area.
| Resource | Incident and operations management | Change management | Identity and access management | Security and regulation compliance | Disaster recovery |
|---|---|---|---|---|---|
| Data | You | You | You | You | You |
| Applications | You | You | You | You | You |
| Observability | Shared | IBM | Shared | IBM | IBM |
| Queue manager | Shared | Shared | Shared | Shared | Shared |
| Certificates | Shared | IBM | IBM | IBM | IBM |
| App networking | IBM | IBM | IBM | IBM | IBM |
| Cluster networking | IBM | IBM | IBM | IBM | IBM |
| Cluster version | IBM | IBM | IBM | IBM | IBM |
| Worker nodes | IBM | IBM | IBM | IBM | IBM |
| Master | IBM | IBM | IBM | IBM | IBM |
| Service | IBM | IBM | IBM | IBM | IBM |
| Virtual storage | IBM | IBM | IBM | IBM | IBM |
| Virtual network | IBM | IBM | IBM | IBM | IBM |
| Hypervisor | IBM | IBM | IBM | IBM | IBM |
| Physical servers and memory | IBM | IBM | IBM | IBM | IBM |
| Physical storage | IBM | IBM | IBM | IBM | IBM |
| Physical network and devices | IBM | IBM | IBM | IBM | IBM |
| Facilities and Data Centers | IBM | IBM | IBM | IBM | IBM |
Tasks for shared responsibility by area
After reviewing the Overview of shared responsibilities, see which tasks you and IBM are responsible for
in each area and for each resource when you use IBM MQ on IBM Cloud.
- Incident and operations management
You and IBM share responsibilities for the setup and maintenance of your IBM MQ on IBM Cloud
environment. You are responsible for incident and operations management of your application
data.

| Resource | IBM responsibilities | Your responsibilities |
|---|---|---|
| Observability | - Provide Log Analysis and Monitoring as managed add-ons to enable observability of your IBM MQ on IBM Cloud. Maintenance is simplified for you because IBM provides the installation and updates for the managed add-ons.<br>- Provide integration with Activity Tracker and send IBM MQ on IBM Cloud API events for auditability. | |
| Queue manager | - Provide a highly available queue manager deployment<br>- Configure channels and queues for testing purposes<br>- Monitoring of queue manager availability | - Select the queue manager size based on messaging requirements, see Queue manager sizes - IBM Cloud.<br>- Monitor IBM Cloud status for planned maintenance<br>- Configuring and monitoring queue depth to ensure storage requirements do not exceed limits<br>- Monitoring open connections to ensure they do not exceed limits<br>- Configure multiple queue managers in different regions to provide additional high availability, see High availability and disaster recovery |
| Certificates | - Provide Let's Encrypt signed certificates<br>- Refresh provided certificates before expiry | - Optionally import user-defined certificate chains<br>- Ensure that user-provided certificates do not expire<br>- Configure certificate usage on queue manager channels |
- Change management
You and IBM share responsibilities for managing queue manager changes in the IBM MQ on IBM Cloud
environment. You are responsible for change management of your application data.

| Resource | IBM responsibilities | Your responsibilities |
|---|---|---|
| Queue manager | - Automatic upgrade to the latest revision | - Managing queue manager configuration<br>- Optional: manually upgrade queue managers to the latest revision before automatic upgrade |
- Identity and access management
You and IBM share responsibilities for controlling access to the IBM MQ on IBM Cloud
environment. You are responsible for identity and access management of your application data.

| Resource | IBM responsibilities | Your responsibilities |
|---|---|---|
| Observability | - Provide the ability to integrate IBM Cloud Activity Tracker to audit the actions that users take in IBM MQ on IBM Cloud. | - Set up IBM Cloud Activity Tracker or other capabilities to track user activity. |
| Queue Manager | - Configure specified IBM Cloud users and applications with the required IAM policies<br>- Provide API keys for users and applications to authenticate | - Define the users and applications that have access to queue managers<br>- Configure authority records for queue manager specific resources |
- Security and regulation compliance
IBM is responsible for the security and compliance of the IBM MQ on IBM Cloud
service. You and IBM share responsibilities for the security and compliance of the queue managers.
You are responsible for security and regulation compliance of your application data.

| Resource | IBM responsibilities | Your responsibilities |
|---|---|---|
| Queue Manager | - Maintain controls to meet industry compliance standards such as ISO27k<br>- Provide default queue manager resources that are TLS enabled<br>- Monitor, isolate, and recover the queue manager<br>- Automatically apply security patch updates<br>- Disable certain insecure actions such as channel exits<br>- Continuously monitor queue manager images to detect vulnerability and security compliance issues | - Configure queue manager security such as TLS and AMS on queue manager resources<br>- Configure authority records for queue manager resources to limit access to only required users and applications |
- Disaster recovery
You and IBM share responsibilities for the setup and maintenance of your IBM MQ on IBM Cloud
environment. You are responsible for disaster recovery of your application data.

| Resource | IBM responsibilities | Your responsibilities |
|---|---|---|
| Queue Manager | - Backup queue manager configuration daily<br>- Recover required infrastructure<br>- Provision new infrastructure in a backup availability zone, if recovery is not possible<br>- Redeploy queue managers to new availability zone<br>- Restore queue manager configuration from previous backup | - Reset channel sequence numbers so that channels will successfully communicate |
- Applications and data
You are completely responsible for the applications and data that you use with IBM MQ on IBM Cloud.
However, IBM provides various tools to help you set up, manage, secure, integrate and optimize your
apps as described in the following table.

| Resource | How IBM helps | What you can do |
|---|---|---|
| Applications | - Provide default queue manager configuration to allow applications to connect securely<br>- Provide sample applications such as MQ JMS client<br>- Generate an API key that is used to access queue managers<br>- Provide application connection configuration in JSON CCDT format | - Maintain responsibility for your apps, data, and their complete lifecycle<br>- Configure applications for high availability<br>- Manage open connections to ensure the maximum queue manager limit is not exceeded |
| Data | - Provide encrypted persistent storage for persistent messages<br>- Separation of storage from queue manager runtime allowing queue managers to recover within an availability zone with no data loss | - Maintain responsibility for your data and how your apps consume the data<br>- Control queue sizes to prevent storage limits being exceeded<br>- Encrypt message payload in transit and at rest using Advanced Message Security (AMS) |