What's new in IBM MQ 9.4.0 for Multiplatforms - base and Advanced entitlement

Installation and migration

New method for applying maintenance on Windows and Linux®

From IBM MQ 9.4.0, you apply maintenance to your IBM MQ installations on Windows and Linux by upgrading IBM MQ. This new method simplifies the process to apply maintenance, and removes the need for files from older fix packs to be stored on the system. As these older files are not stored on the system, less disk space is required, and the files do not exist to get flagged by vulnerability scanning tools.

For more information about applying maintenance on Linux, see Applying and removing maintenance on Linux.

For more information about applying maintenance on Windows, see Applying and removing maintenance on Windows.

Security

JSON Web Token (JWT) support and token based authentication

• From IBM MQ 9.4.0, a new method for authentication and authorization with tokens is added, improving security and centralizing identity management. Queue managers that run on AIX® or Linux are configured to accept tokens during connection. If the token contains a user claim, this identity can also be adopted for subsequent authority checks.

  To take advantage of this functionality, the application must be written in C or in Java, and connect to the queue manager by using client bindings. All IBM MQ 9.4 client platforms support token based authentication. For more information, see Working with authentication tokens, Configuring a queue manager to accept authentication tokens using a JWKS endpoint, and Using authentication tokens in an application.

  To avoid application code changes, both IBM MQ MQI clients and Java clients can alternatively use channel security exits to inject authentication tokens during connection processing.

• From IBM MQ 9.4.0, applications can use the JMS client API to directly provide JWT credentials.

  For more information, see Using authentication tokens in an application.

• From IBM MQ 9.4.0, the administration of token based authentication is significantly simplified with support for JWKS key management. JWKS documents are the standard way to share the public keys that are needed to validate authentication tokens. Your OIDC or OAUTH2.0 compliant authentication service already exposes such an endpoint. By directing the queue manager to automatically fetch keys as required, it is no longer necessary to manually install or maintain a local keystore for this purpose.  This is particularly valuable for ensuring that as validation keys age out and expire they are seamlessly updated with no further IBM MQ administrator intervention.

  For more information, see Configuring a queue manager to accept authentication tokens using a JWKS endpoint, HTTPSKeyStore, JWKS stanza of the qm.ini file, and the additional return codes in Token authentication error codes.

New property to set the user context that is used for authorization in the messaging REST API

From IBM MQ 9.4.0, you can simplify your security configuration for the messaging REST API by configuring what user context is used for authorization when you are using the messaging REST API to send, receive, browse, or publish a message. By default, all requests are authorized to use IBM MQ objects based on the user ID that is logged in to the messaging REST API. Therefore, each user that exists as a messaging REST API user must also exist as an IBM MQ user and be authorized to access the appropriate IBM MQ objects.

From IBM MQ 9.4.0, you can configure what user context is used for authorization when you are using the messaging REST API. That is, you can configure the messaging REST API such that each request is authorized to access IBM MQ objects based on the user that started the mqweb server instead of the user that is logged in to the messaging REST API. Therefore, each user that exists as a messaging REST API user does not need to exist as an IBM MQ user. Only the user that starts the mqweb server needs authorization to access the IBM MQ objects. For more information, see Configuring the user context that is used for authorization in the messaging REST API.

Changes to MQCSP password protection in MQIPT

From IBM MQ 9.4.0, IBM MQ Internet Pass-Thru (MQIPT) can add or remove protection for passwords in MQCSP structures to maintain compatibility between the client and queue manager for MQIPT routes that add or remove TLS encryption. MQCSP password protection is not supported in earlier versions of MQIPT, for routes that add or remove TLS encryption.

From IBM MQ 9.4.0, the default value of the new PasswordProtection route property allows MQIPT to add, but not remove, MQCSP password protection. Connections to a MQIPT route that adds TLS encryption that previously worked, might fail with reason code MQRC_PASSWORD_PROTECTION_ERROR. To resolve this issue, set the value of the PasswordProtection property to compatible in the MQIPT route configuration. For more information about MQCSP password protection, see MQCSP password protection.

Support for TLS1.3 on managed .NET clients

From IBM MQ 9.4.0, support is added for TLS1.3 on managed .NET clients, if the operating system supports TLS1.3.

For more information, see Support for TLS1.3 on managed .NET clients.

New TLS skip validation mode for IBM MQ client applications on C and JMS

IBM MQ 9.4.0 adds a mode for TLS communication that skips TLS server certificate validation for use by C and JMS client applications. This mode allows applications to connect to a TLS-secured endpoint without the need for a truststore or pre-exchanged certificate chain.

• In C, the new option NONE is added for the existing CertificateValPolicy attribute. For more information, see Configuring certificate validation policies in IBM MQ.
• In JMS, new certificate validation properties have been implemented with options ANY and NONE. You can configure these properties on clients by using CERTVALPO or the CERTIFICATE_VALIDATION_POLICY JMS property. For more information, see Configuring certificate validation policies in IBM MQ.

New property to specify the protocols that MQIPT routes accept

From IBM MQ 9.4.0, the protocols that IBM MQ Internet Pass-Thru (MQIPT) routes accept can be specified by using the property AllowedProtocols. This property improves security as MQIPT rejects connections that use a protocol that the route is not configured to accept.

If the new property is not specified, MQIPT routes accept only connections that use the IBM MQ protocol. If MQIPT is used to accept HTTP connections from another instance of MQIPT, use the AllowedProtocols property to configure the route to accept HTTP connections before you migrate to MQIPT in IBM MQ 9.4.0.

For more information, see AllowedProtocols.

New commands to manage keys, certificates, and certificate requests

From IBM MQ 9.4.0, the runmqktool command can be used to manage keys, certificates, and certificate requests in key repositories that are used by IBM MQ on AIX, Linux, and Windows. This command replaces the runmqckm command that is available in earlier versions of IBM MQ.

For more information about the commands that can be used to manage key repositories, see runmqakm and runmqktool commands on AIX, Linux, and Windows.

New command to manage keystores and certificates that are used by MQIPT

From IBM MQ 9.4.0, the mqiptKeytool command can be used to keystores and certificates that are used by IBM MQ Internet Pass-Thru (MQIPT) uses. This command replaces the mqiptKeycmd command that is available in earlier versions of MQIPT.

For more information about the mqiptKeytool command, see mqiptKeytool (manage certificates). For more information about managing MQIPT keystores, see Managing MQIPT keystores.

Administration

Enhancements to the IBM MQ Console

From IBM MQ 9.4.0, the IBM MQ Console has a new layout at the queue manager view level. For more information about the new layout and the following enhancements, see Quick tour of the IBM MQ Console.

• The Overview tab displays various information about a queue manager and the resources that it is using. This tab makes it easier to see at a glance what the overall state of the queue manager is, and any problems that might need to be investigated. Some of the information is derived from monitoring system topics. This monitoring can be disabled, if required, see setmqweb properties.
• A new feature on the Queues tab provides a view of the IBM MQ objects that are associated with a queue. For more information, see IBM MQ Console: Working with queues.
• The Applications Overview tab displays several tiles that give a quick view of applications that are connected to the queue manager that is being viewed. You can then drill down to see more details. For more information, see IBM MQ Console: Working with applications.
• The MQ Network Overview tab displays several tiles that give a quick view of the queue manager to queue manager communication for the queue manager that is being viewed.
• The timestamps that are associated with queue managers are now displayed in the time zone where the queue manager is running, rather than the time zone of the IBM MQ Console.

Stand-alone IBM MQ Web Server

From IBM MQ 9.4.0, you can run the IBM MQ Console and messaging REST API in a stand-alone IBM MQ Web Server installation. The stand-alone IBM MQ Web Server is supported only on Linux, and can run on systems that are separate to your IBM MQ installations.

Installing a stand-alone IBM MQ Web Server gives greater flexibility as to which systems, and the number of systems, that you choose to run the IBM MQ Console and messaging REST API on. Several instances of the stand-alone IBM MQ Web Server can be installed on different systems to provide the scalability and availability that you need.

For more information about the installation options for the IBM MQ component that runs the IBM MQ Console and REST API, see The IBM MQ Console and REST API.

New CAPEXPRY attribute

From IBM MQ 9.4.0, CAPEXPRY becomes a separate attribute, replacing the text-based attribute in the CUSTOM field.

For more information, see CAPEXPRY in the ALTER QUEUES command and CAPEXPRY: Limit message expiry time.

Media image scheduling - linear logging

From IBM MQ 9.4.0, how the scheduling of media images is calculated has changed. Where automatic media imaging is enabled, the IMGLOGLN and IMGINTVL queue manager parameters control the frequency with which media images are taken. Now, even when IMGINTVL specifies that it is time for an image to be taken, if no significant amount of work has been performed since the last image was taken, then no new image is taken. This change prevents the unnecessary use of computing time on writing to logs when little or no information has changed.

For more information, see Managing log files and ALTER QMGR (alter queue manager settings).

Extension of queue manager status attributes

From IBM MQ 9.4.0, the DISPLAY QMSTATUS command and the response from the MQCMD_INQUIRE_Q_MGR_STATUS PCF command include new attributes. The new attributes report a range of additional information about queue managers and help with administration and troubleshooting.

For more information, see DISPLAY QMSTATUS, MQCMD_INQUIRE_Q_MGR_STATUS (Inquire Queue Manager Status) on Multiplatforms, and MQCMD_INQUIRE_Q_MGR_STATUS (Inquire Queue Manager Status) Response on Multiplatforms.

Addition of Native HA status attributes

From IBM MQ 9.4.0, the DISPLAY QMSTATUS command and the response from the MQCMD_INQUIRE_Q_MGR_STATUS PCF command include new attributes that are specific to Native HA. These attributes report additional information about Native HA configurations and help with administration and troubleshooting.

For more information, see DISPLAY QMSTATUS, MQCMD_INQUIRE_Q_MGR_STATUS (Inquire Queue Manager Status) on Multiplatforms, and MQCMD_INQUIRE_Q_MGR_STATUS (Inquire Queue Manager Status) Response on Multiplatforms.

dspmqver command now reports release type

From IBM MQ 9.4.0, the dspmqver command is extended to include the release type, which makes it easy to see whether the release is Continuous Delivery or Long Term Support. The release type that is reported can be one of Long Term Support (LTS), Continuous Delivery(CD), or Long Term Support(LTS)and Continuous Delivery(CD).

For more information, see dspmqver (display version information).

Environment variables for tuning I/O operations that take too long

From IBM MQ 9.4.0, three new environment variables are added to increase or decrease the threshold at which a warning message is written to the queue manager log if a slow read/write time is detected. Fine tuning with these environment variables can help with diagnosing operating system or storage system issues and reduce the number of errors that are written to the log.

For more information, see AMQ_IODELAY, AMQ_IODELAY_INMS and AMQ_IODELAY_FFST.

MQIPT trace file configuration enhancements

From IBM MQ 9.4.0, the maximum size of the trace files that are produced by IBM MQ Internet Pass-Thru (MQIPT), and the number of trace files that are kept, can be configured by using the new TraceFileSize and TraceFileCount properties in the MQIPT configuration file.

For more information about enabling trace in MQIPT, see Tracing errors in IBM MQ Internet Pass-Thru.

OpenTelemetry tracing

From IBM MQ 9.4.0, IBM MQ provides a tracing service that allows you to integrate with an OpenTelemetry tracing system.

For more information, see OpenTelemetry tracing.

Enabling JSON formatted logs for AMQP and MQTT

IBM MQ 9.4.0 adds support for JSON formatted logs in AMQP and MQTT.

JSON formatted logs in AMQP and MQTT are optional, and you need to enable them manually. For more information, see Enabling JSON formatted logs for AMQP and Enabling JSON formatted logs for MQTT.

LZ4 compression is now available for channels

LZ4 compression can now be specified to implement a fast, lossless algorithm to compress data being that is sent on a network. You can choose to prioritize speed or compression when you specify LZ4 compression. These options are available as values for COMPMSG when working with channels (for example, see DEFINE CHANNEL).

Application development

Support for AIX compiler IBM Open XL C/C++ for AIX 17.1.0

From IBM MQ 9.4.0, you can compile AIX programs by using the IBM Open XL C/C++ for AIX 17 compiler alongside the existing IBM XL C/C++ for AIX 16 compiler.

For more information, see External library and control command links to primary installation on AIX and Linux for details of the additional library names, and Building C++ programs on AIX and Preparing C programs in AIX for examples of the additional commands.

Performance improvements for processing of AMQP message acknowledgments

If an AMQP application is using QOS_AT_LEAST_ONCE(1) message delivery, the AMQP service waits for an acknowledgment from the application before it discards the copy of a message that it keeps after it sends that message to the application. Before IBM MQ 9.4.0, each message that is acknowledged is removed from the queue individually. From IBM MQ 9.4.0 messages are removed in batches, which improves performance.

For more information, see Removing acknowledged AMQP messages from the queue in batches.

Enhancements for IBM MQ .NET and XMS .NET

• IBM MQ 9.4.0 provides a new set of .NET 6 libraries for IBM MQ .NET (amqmdnetstd.dll) and XMS .NET (amqmxmsstd.dll), that is libraries that are built against .NET 6 as the target framework. The naming convention for these libraries remains the same as for the IBM MQ .NET Standard libraries, that is amqmdnetstd.dll for IBM MQ .NET and amqmxmsstd.dll for XMS .NET. Keeping the same naming convention makes migration easier and means that you do not need to rebuild your .NET Core or .NET applications. For more information, see Installing IBM MQ classes for .NET and Installing IBM MQ classes for XMS .NET.
• From IBM MQ 9.4.0, you can enable and disable tracing for the IBM MQ .NET and XMS .NET client libraries without needing to restart the application. You can use the mqclient.ini file to enable traces for the IBM MQ .NET and XMS .NET client libraries (.NET Standard, .NET Framework, and .NET 6). You can also enable and disable tracing dynamically. When the application is running, if the mqclient.ini file is modified, created, or deleted, the IBM MQ .NET and XMS .NET client reads the properties of the trace section again and then enables or disables the trace, so that restart of the application is not needed. For more information, see Trace stanza of the client configuration file, Tracing IBM MQ .NET applications with mqclient.ini, and Tracing XMS .NET applications with mqclient.ini.
• From IBM MQ 9.4.0, the IBM MQ .NET and XMS .NET clients provide improved and more meaningful information about SSL enabled connection failures, helping you understand an issue and resolve this type of issue more quickly. Improvements made to the IBM MQ .NET and XMS .NET client libraries (amqmdnetstd.dll) and (amqmxmsstd.dll) provide a more specific exception mechanism for SSL-related issues. The MQRC reason codes are in line with the other .NET client libraries, such as C. For more information, see Common SSL error codes thrown by IBM MQ .NET client libraries and Common SSL error codes thrown by XMS .NET client libraries.
• From IBM MQ 9.4.0, IBM MQ supports .NET 8 applications using IBM MQ classes for .NET and IBM MQ classes for XMS .NET. If you are using a .NET 6 application, you can run this application without any recompilation being required by making a small edit in the runtimeconfig file to set the targetframeworkversion to "net8.0". For more information, see Installing IBM MQ classes for .NET and Installing IBM MQ classes for XMS .NET.

Enhancements to IBM MQ classes for JMS and IBM MQ classes for Jakarta Messaging for sharing TCP/IP connections and using modular applications

• From IBM MQ 9.4.0, for applications that use IBM MQ classes for JMS or IBM MQ classes for Jakarta Messaging, you can now choose a strategy for sharing TCP/IP connections between JMS objects. You can choose one of the following strategies:
  • The GLOBAL strategy. The GLOBAL strategy minimizes the number of open sockets at the expense of a longer connect time. This strategy is the default strategy for nonreconnectable applications.
  • The CONNECTION strategy. The CONNECTION strategy minimizes the connect time at the expense of higher socket usage. This strategy is always used for reconnectable applications. You can enable this strategy for nonreconnectable applications on an application-wide basis by setting the system property com.ibm.mq.jms.channel.sharing to the value CONNECTION

  For more information, see Sharing a TCP/IP connection in IBM MQ classes for JMS.

• From IBM MQ 9.4.0, when you develop modular applications you can configure your applications to use IBM MQ classes for JMS and IBM MQ classes for Jakarta Messaging. Each of the JAR files now includes modular names, and the JAR files are provided in directories that contain only the JAR files that are needed, with no duplication of packages between the JARs. Therefore, you can include the IBM MQ classes for JMS and IBM MQ classes for Jakarta Messaging in your application in a modular manner by requiring the appropriate module within your application, and including the appropriate directory in the module-path. This support is available within the JAR files that are provided with your IBM MQ installation and is also available in the redistributable client images. For more information, see Configuring your modular application to use IBM MQ classes for JMS or IBM MQ classes for Jakarta Messaging.

Application rebalancing support for IBM MQ classes for JMS

From IBM MQ 9.4.0, application rebalancing support is extended to include support for JMS applications.

For more information, see Influencing application re-balancing in IBM MQ classes for JMS.

Remote messaging with the messaging REST API

From IBM MQ 9.4.0, you can use the messaging REST API to connect to remote queue managers for messaging. Remote queue managers can be queue managers within another installation, or on another system. Therefore, you can now use a single installation to run the mqweb server and connect to any queue manager with the messaging REST API.

For more information about remote messaging with the messaging REST API, see Setting up a remote queue manager to use with the messaging REST API.

Containers non-install image added for Linux ARM64 / Apple Silicon

You can use the makefiles supplied in the mq-container GitHub repository to build your own development container image. This image works along with a set of non-install (unzippable) IBM MQ images that help you build a container image that can run under the OpenShift® anyuid Security Context Constraint. From IBM MQ 9.4.0, the set of non-install images includes an image that works with the Linux ARM64 and Apple Silicon platforms.

For more information, see Building a sample base IBM MQ queue manager image.