[V9.1.4 Dec 2019][UNIX, Linux, Windows, IBM i]

New IBM MQ 9.1.4 features for Multiplatforms

On AIX®, Linux® and Windows, IBM® MQ 9.1.4 delivers a number of new features that are available with base and advanced entitlement.

Support for Transport Layer Security (TLS) 1.3

IBM MQ 9.1.4 supports the new TLS 1.3 security protocol on AIX, Linux and Windows. This functionality is provided in:
  • The server 'C' bindings
  • The MQI client
The new CipherSpecs for TLS 1.3 that IBM MQ 9.1.4 provides are described in Enabling CipherSpecs. (For a list of these CipherSpecs, see the TLS 1.3 CipherSpecs section in Table 1.) All the new CipherSpecs work both with RSA and Elliptic Curve certificates.

IBM MQ 9.1.4 also provides an expanded set of alias CipherSpecs, adding to the existing ANY_TLS12 (available since IBM MQ 9.1.1). These alias CipherSpecs include ANY_TLS12_OR_HIGHER and ANY_TLS13_OR_HIGHER, among others, and are provided for ease of configuration and future migration. They are also described in Enabling CipherSpecs. (For a list of these CipherSpecs, see the Alias CipherSpecs section in Table 1.)

Note: When using earlier CipherSpecs on a queue manager that has TLS 1.3 enabled through a server qm.ini property or a client mqclient.ini property, which is the default setting on a new queue manager, there are some changes that you should be aware of.
In accordance with the TLS 1.3 specification, many earlier CipherSpecs are disabled and cannot be enabled by use of the existing configuration options. These include:
  • All SSLv3 CipherSpecs
  • All RC2 or RC4 CipherSpecs
  • All CipherSpecs with an encryption key size of less than 112 bits
In IBM MQ 9.1.4, which is a Continuous Delivery release, TLS 1.3 is not yet available when using:
  • IBM MQ classes for Java
  • IBM MQ classes for JMS
  • .NET
TLS 1.3 is also not yet available on IBM i or IBM Z.

To restore previous behavior, TLS 1.3 can be disabled as described in Using TLS 1.3 in IBM MQ.

TLS Handshake Transcript

IBM MQ 9.1.4 adds support for the TLS handshake transcript available from the IBM Global Security Kit (GSKit) cryptographic provider. This functionality is available on Distributed platforms that utilize GSKit both in the queue manager and client. To view the TLS handshake transcript, IBM MQ and GSKit trace must be enabled and a TLS handshake must fail. The transcript will then be collected and written out as part of the amqrmppa or client application trace file.

IBM MQ Internet Pass-Thru

IBM MQ Internet Pass-Thru (MQIPT) is a utility that can be used to implement messaging solutions between remote sites across the internet. In IBM MQ 9.1.4, MQIPT is a fully-supported optional component of IBM MQ that you can download from IBM Fix Central for IBM MQ. MQIPT has previously been available as support pack MS81.

The following changes have been made to MQIPT since version 2.1 of the support pack:
  • The supplied Java runtime environment (JRE) has been upgraded from Java 7 to Java 8, to match the JRE version supplied with IBM MQ.
  • The SSL 3.0, TLS 1.0, and TLS 1.1 protocols are disabled by default. The only cryptographic protocol that is enabled by default is TLS 1.2. To enable protocols that are disabled, follow the procedure in Enabling deprecated protocols and CipherSuites.
  • Support for IBM Network Dispatcher has been removed.
  • The IPT Administration Client is deprecated. Current versions of the IPT Administration Client might not work with future versions of MQIPT. To configure and administer MQIPT, edit the mqipt.conf configuration file and use the mqiptAdmin script, as described in Administering MQIPT by using the command line.
  • All sample files supplied with MQIPT are now located under a new directory called samples in the MQIPT installation directory.
  • The CommandPort and RemoteShutDown properties have been removed from the sample configuration file mqiptSample.conf to improve security. This means that when using the sample configuration, MQIPT will not listen for commands issued by the mqiptAdmin script or the IPT Administration Client. To allow MQIPT to be administered using the mqiptAdmin script or the IPT Administration Client, change the configuration file to specify a value for the CommandPort property. Review the security considerations in Other security considerations before enabling the MQIPT command port or allowing remote shutdown.

See IBM MQ Internet Pass-Thru for more information.
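
A configuration check for the CommandPort and RemoteShutDown point above, as an added example that is not part of the IBM documentation or of MQIPT: it scans the [global] section of an mqipt.conf and reports either property when it is set. The sample file content is constructed, and matching property names case-insensitively is an assumption of this sketch.

```python
# Added example: flag mqipt.conf settings that open the MQIPT command port.
# SAMPLE_CONF is constructed for illustration, not a file shipped with MQIPT.
SAMPLE_CONF = """\
# constructed sample
[global]
CommandPort=1881
RemoteShutDown=true

[route]
ListenerPort=1415
Destination=qm1.example.com
DestinationPort=1414
"""


def global_properties(text):
    """Return {lowercased name: (value, line number)} for the [global] section."""
    props, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        if sep and section == "global":
            # Assumption: names are matched case-insensitively, last one wins.
            props[name.strip().lower()] = (value.strip(), lineno)
    return props


def audit_mqipt_conf(text):
    """Return a list of (line, property, message) findings."""
    props = global_properties(text)
    findings = []
    port, port_line = props.get("commandport", ("", 0))
    if port:
        findings.append((port_line, "CommandPort",
                         f"MQIPT listens for administration commands on port {port}"))
    shutdown, shut_line = props.get("remoteshutdown", ("", 0))
    if shutdown.lower() == "true":
        findings.append((shut_line, "RemoteShutDown",
                         "remote shutdown is allowed"))
    return findings


if __name__ == "__main__":
    for line, prop, msg in audit_mqipt_conf(SAMPLE_CONF):
        print(f"mqipt.conf:{line}: {prop}: {msg}")
```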

Enhancements to the administrative REST API

From IBM MQ 9.1.4, the following enhancements are available with the JSON format MQSC REST API:
  • The following commands are now supported:
    • DISPLAY CONN(connectionID) TYPE (HANDLE)
    • DISPLAY CONN(connectionID) TYPE (*)
    • DISPLAY CONN(connectionID) TYPE (ALL)
  • Single quotation marks are automatically escaped. You no longer need to use an additional single quotation mark to specify a single quotation mark in an attribute value.
  • In the SET POLICY command, the SIGNER and RECIP attributes are now list attributes. Instead of specifying a string value for these attributes, you now use a JSON array. This change enables you to specify multiple values for the SIGNER and RECIP within a single command.
  • Enhanced MQSC syntax error checking is now available. When an MQSC syntax error is detected in the JSON input, instead of returning a 200 response and the MQSC error in the response body, a 400 response is returned with a new error message indicating where the syntax error occurred.
For more information, see POST /admin/action/qmgr/{qmgrName}/mqsc (JSON formatted command).

Host header validation for the IBM MQ Console and REST API

You can configure the mqweb server to restrict access to the IBM MQ Console and REST API such that only requests that are sent with a host header that matches a specified allowlist are processed. An error is returned if a host header value that is not on the allowlist is used.

For more information, see Configuring host header validation for the IBM MQ Console and REST API.
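
The allowlist check described above, sketched as an added example; this is not mqweb code and does not use mqweb's configuration properties. The host names are constructed, and comparing on host name only (ignoring the port) is an assumption of the sketch rather than documented mqweb behaviour.

```python
import re

# host is a bracketed IPv6 literal or a DNS name / IPv4 address, with optional port
_HOST_RE = re.compile(r"(?P<host>\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(?P<port>\d{1,5}))?")


def normalise_host(value):
    """Return the lower-cased host part of a Host header, or None if malformed."""
    match = _HOST_RE.fullmatch(value.strip().lower())
    if match is None:
        return None  # userinfo ('@'), lists, whitespace, extra colons, ...
    host = match.group("host").rstrip(".")  # treat 'name.' and 'name' alike
    return host or None


def host_header_allowed(headers, allowlist):
    """headers is a list of (name, value) pairs. Returns (allowed, reason)."""
    hosts = [value for name, value in headers if name.lower() == "host"]
    if len(hosts) != 1:
        return False, "missing or repeated Host header"
    host = normalise_host(hosts[0])
    if host is None:
        return False, "malformed Host header"
    allowed = {entry.strip().lower().rstrip(".") for entry in allowlist}
    if host not in allowed:
        return False, f"host '{host}' is not on the allowlist"
    return True, "ok"


# Constructed allowlist and requests for illustration.
ALLOWLIST = ["mq.example.com", "[::1]"]

if __name__ == "__main__":
    samples = ["mq.example.com:9443", "MQ.Example.COM.", "[::1]:9443",
               "other.example.net", "mq.example.com@other.example.net"]
    for sample in samples:
        print(sample, "->", host_header_allowed([("Host", sample)], ALLOWLIST))
```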

Automatic configuration of uniform clusters

From IBM MQ 9.1.4, you have various options to help you configure uniform clusters. You can:

Simplified setup for uniform clusters

From IBM MQ 9.1.4 you can use a simplified form of cluster setup and configuration.

See Creating a uniform cluster from IBM MQ 9.1.4 for further details.

Ability to balance .NET and XMS .NET applications across queue managers

IBM MQ 9.1.2 introduced a feature to improve the product's ability to balance C language application connections across multiple, different queue managers. IBM MQ 9.1.3 then extended this feature to include JMS applications.

From IBM MQ 9.1.4, IBM MQ .NET and XMS .NET managed applications are also able to automatically balance connections across clustered queue managers. Both the .NET Framework and .NET Standard libraries are supported.

For more information, see Uniform clusters and Automatic application balancing.

IBM MQ classes for .NET Standard and IBM MQ classes for XMS .NET Standard available from the NuGet repository

From IBM MQ 9.1.4, the IBM MQ classes for .NET Standard and IBM MQ classes for XMS .NET Standard libraries are available for downloading from the NuGet repository, so that they can be easily consumed by .NET Developers.

The following two NuGet packages are available:
  • IBMMQDotnetClient: IBM MQ classes for .NET Standard. This package includes amqmdnetstd.dll only.
  • IBMXMSDotnetClient: IBM MQ classes for XMS .NET Standard. This package includes both amqmdnetstd.dll and amqmxmsstd.dll.

For more information, see Downloading IBM MQ classes for .NET Standard from the NuGet repository and Downloading IBM MQ classes for XMS .NET Standard from the NuGet repository.