New IBM MQ 9.1.4 features for Multiplatforms
On AIX®, Linux® and Windows, IBM® MQ 9.1.4 delivers a number of new features that are available with base and advanced entitlement.
- Support for Transport Layer Security (TLS) 1.3
- TLS Handshake Transcript
- IBM MQ Internet Pass-Thru
- Enhancements to the administrative REST API
- Host header validation for the IBM MQ Console and REST API
- Automatic configuration of uniform clusters
- Simplified setup for uniform clusters
- Ability to balance .NET and XMS .NET applications across queue managers
- IBM MQ classes for .NET Standard and IBM MQ classes for XMS .NET Standard available from the NuGet repository
Support for Transport Layer Security (TLS) 1.3
- The server 'C' bindings
- The MQI client
IBM MQ 9.1.4 also provides an expanded set of alias CipherSpecs, adding to the existing ANY_TLS12 (available since IBM MQ 9.1.1). These alias CipherSpecs include ANY_TLS12_OR_HIGHER and ANY_TLS13_OR_HIGHER, among others, and are provided for ease of configuration and future migration. They are also described in Enabling CipherSpecs. (For a list of these CipherSpecs, see the Alias CipherSpecs section in Table 1.)
- All SSLv3 CipherSpecs
- All RC2 or RC4 CipherSpecs
- All CipherSpecs with an encryption key size of less than 112 bits
- IBM MQ classes for Java
- IBM MQ classes for JMS
- .NET
- It is also not yet available on IBM i or IBM Z.
To restore previous behavior, TLS 1.3 can be disabled as described in Using TLS 1.3 in IBM MQ.
TLS Handshake Transcript
IBM MQ 9.1.4 adds support for the TLS handshake transcript available from the IBM Global Security Kit (GSKit) cryptographic provider. This functionality is available on Distributed platforms that utilize GSKit both in the queue manager and client. To view the TLS handshake transcript, IBM MQ and GSKit trace must be enabled and a TLS handshake must fail. The transcript will then be collected and written out as part of the amqrmppa or client application trace file.
IBM MQ Internet Pass-Thru
IBM MQ Internet Pass-Thru (MQIPT) is a utility that can be used to implement messaging solutions between remote sites across the internet. In IBM MQ 9.1.4, MQIPT is a fully-supported optional component of IBM MQ that you can download from IBM Fix Central for IBM MQ. MQIPT has previously been available as support pack MS81.
- The supplied Java runtime environment (JRE) has been upgraded from Java 7 to Java 8, to match the JRE version supplied with IBM MQ.
- The SSL 3.0, TLS 1.0, and TLS 1.1 protocols are disabled by default. The only cryptographic protocol that is enabled by default is TLS 1.2. To enable protocols that are disabled, follow the procedure in Enabling deprecated protocols and CipherSuites.
- Support for IBM Network Dispatcher has been removed.
- The IPT Administration Client is deprecated. Current versions of the IPT Administration Client might not work with future versions of MQIPT. To configure and administer MQIPT, edit the mqipt.conf configuration file and use the mqiptAdmin script, as described in Administering MQIPT by using the command line.
- All sample files supplied with MQIPT are now located under a new directory called samples in the MQIPT installation directory.
- The CommandPort and RemoteShutDown properties have been removed from the sample configuration file mqiptSample.conf to improve security. This means that when using the sample configuration, MQIPT will not listen for commands issued by the mqiptAdmin script or the IPT Administration Client. To allow MQIPT to be administered using the mqiptAdmin script or the IPT Administration Client, change the configuration file to specify a value for the CommandPort property. Review the security considerations in Other security considerations before enabling the MQIPT command port or allowing remote shutdown.
See IBM MQ Internet Pass-Thru for more information.
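An added example (not IBM's code and not part of the original page): a small Python check that reads an mqipt.conf and reports whether the CommandPort and RemoteShutDown properties discussed above are set. The sample file contents, host names, port numbers and function names are constructed for illustration, and case-insensitive property matching is an assumption.

```python
# Added example. configparser is avoided: repeated [route] sections raise
# DuplicateSectionError in its default strict mode.
SAMPLE_CONF = """\
# Constructed input for this example, not the shipped mqiptSample.conf
[global]
CommandPort=1881
RemoteShutDown=true
[route]
ListenerPort=1415
Destination=qm1.example.com
DestinationPort=1414
[route]
ListenerPort=1416
Destination=qm2.example.com
DestinationPort=1414
"""

def parse_mqipt_conf(text):
    """Return (global_props, [route_props, ...]); keys are lower-cased
    (assumption: property names are matched case-insensitively here)."""
    global_props, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1].strip().lower() == "global":
                current = global_props
            else:                         # each [route] gets its own dict
                current = {}
                routes.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return global_props, routes

def audit_admin_exposure(text):
    """Report whether the command port and remote shutdown are enabled."""
    global_props, _ = parse_mqipt_conf(text)
    findings = []
    port = global_props.get("commandport", "")
    if port:
        findings.append(f"CommandPort={port}: MQIPT accepts mqiptAdmin commands")
    if global_props.get("remoteshutdown", "").lower() == "true":
        findings.append("RemoteShutDown=true: remote shutdown is allowed")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_admin_exposure(SAMPLE_CONF)) or "no admin exposure")
```

A configuration that omits both properties, as the 9.1.4 sample file does, yields an empty findings list.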
Enhancements to the administrative REST API
- The following commands are now supported:
  - DISPLAY CONN(connectionID) TYPE (HANDLE)
  - DISPLAY CONN(connectionID) TYPE (*)
  - DISPLAY CONN(connectionID) TYPE (ALL)
- Single quotation marks are automatically escaped. You no longer need to use an additional single quotation mark to specify a single quotation mark in an attribute value.
- In the SET POLICY command, the SIGNER and RECIP attributes are now list attributes. Instead of specifying a string value for these attributes, you now use a JSON array. This change enables you to specify multiple values for the SIGNER and RECIP within a single command.
- Enhanced MQSC syntax error checking is now available. When an MQSC syntax error is detected in the JSON input, instead of returning a 200 response and the MQSC error in the response body, a 400 response is returned with a new error message indicating where the syntax error occurred.
/admin/action/qmgr/{qmgrName}/mqsc
(JSON formatted command)
Host header validation for the IBM MQ Console and REST API
You can configure the mqweb server to restrict access to the IBM MQ Console and REST API such that only requests that are sent with a host header that matches a specified allowlist are processed. An error is returned if a host header value that is not on the allowlist is used.
For more information, see Configuring host header validation for the IBM MQ Console and REST API.
Automatic configuration of uniform clusters
- Apply automatic configuration from an MQSC script at startup.
- Apply automatic configuration from an INI script at startup.
- Use additional qm.ini file stanzas to assist automatic cluster configuration.
- Provide an input file to runmqsc; see running MQSC commands from text files for more details.
Simplified setup for uniform clusters
From IBM MQ 9.1.4 you can use a simplified form of cluster setup and configuration.
See Creating a uniform cluster from IBM MQ 9.1.4 for further details.
Ability to balance .NET and XMS .NET applications across queue managers
IBM MQ 9.1.2 introduced a feature to improve the product's ability to balance C language application connections across multiple, different queue managers. IBM MQ 9.1.3 then extended this feature to include JMS applications.
From IBM MQ 9.1.4, IBM MQ .NET and XMS .NET managed applications are also able to automatically balance connections across clustered queue managers. Both the .NET Framework and .NET Standard libraries are supported.
For more information, see Uniform clusters and Automatic application balancing.
IBM MQ classes for .NET Standard and IBM MQ classes for XMS .NET Standard available from the NuGet repository
From IBM MQ 9.1.4, the IBM MQ classes for .NET Standard and IBM MQ classes for XMS .NET Standard libraries are available for downloading from the NuGet repository, so that they can be easily consumed by .NET Developers.
- IBMMQDotnetClient: IBM MQ classes for .NET Standard
  - This package includes amqmdnetstd.dll only.
- IBMXMSDotnetClient: IBM MQ classes for XMS .NET Standard
  - This package includes both amqmdnetstd.dll and amqmxmsstd.dll.
For more information, see Downloading IBM MQ classes for .NET Standard from the NuGet repository and Downloading IBM MQ classes for XMS .NET Standard from the NuGet repository.