What's new and changed in release 9.2.0

This topic describes new and changed features in version 9.2.0 of the appliance firmware.

Features that are new to continuous delivery users are identified by a light blue version flag, features that are new to long term service users are identified by a dark blue version flag.

Features new to CD and LTS users

The following features are new at version 9.2.0 to both continuous delivery (CD) and long term service (LTS) users of the IBM® MQ Appliance.

The following features are new for version 9.2.0:
  • You can now configure a certificate monitor to periodically check that queue manager certificates have not expired, and log a warning if they are about to expire. See Certificate monitor.
  • A new parameter for the ping and traceroute commands enable you to specify a local address to use when testing connectivity to a remote system. This enhancement enables network routing and firewall rules to be verified for a secondary IP address, such as a high availability floating IP address. See ping and traceroute.
  • When you configure IBM MQ diagnostic message services to send IBM MQ error messages to appliance log targets, inserts are now added to include the variable information associated with particular instances of an error. You can disable this behavior if required. See Format of IBM MQ logs sent to log targets and IBM MQ diagnostic message services.
  • There is a new web console for IBM MQ, with a new look and feel. See Quick tour of the New Web Console.
  • A new procedure makes it possible to replace a node in an HA group while the continuing to run the HA queue managers on the other node in the group. See Replacing a node in a high availability group.
  • TLS client and TLS server profiles can now be configured to enable or disable TLS version 1.3 (TLSv1.3) protocol support. TLS server profiles can be used to secure web UI and REST remote management interfaces (see Configuring certificates for IBM MQ Appliance web UI and Configuring certificates for the REST management interface) TLS client profiles can be used to secure LDAP connections used by RBM (see User authentication with LDAP).
    TLS client profiles
    In addition to enabling and disabling TLSv1.3 and controlling the TLSv1.3 cipher suites, you can control whether to enable middlebox compatibility with TLSv1.3. When enabled, dummy Change Cipher Spec (CCS) messages are sent in TLSv1.3 but appear similar to TLSv1.2. The effect is that middleboxes that do not understand TLSv1.3 do not drop connections. Regardless of this setting, CCS messages from peers are ignored in TLSv1.3. Middlebox compatibility is enabled by default. See enable-tls13-compat.
    TLS server profiles
    In addition to enabling and disabling TLSv1.3 and controlling the TLSv1.3 cipher suites, you can control whether the server prioritizes the ChaCha20-Poly1305 cipher suite when this cipher suite is at the top of the client list. This control is used when you prefer server cipher suites over client cipher suites during negotiation. By default, the prioritization of the ChaCha20-Poly1305 cipher suite is disabled. See prioritize-chacha.
  • You have the entitlement to download and install an IBM Aspera fasp.io Gateway on a Red Hat or Ubuntu Linux®, or Windows machine. You can then configure appliance queue managers to connect to the Aspera gateway, which can significantly improve network throughput. See Configuring an Aspera gateway connection.

Features that are changed for CD and LTS users

The following features are changed at version 9.2.0 for both continuous delivery (CD) and long term service (LTS) users of the IBM MQ Appliance.

  • The syslog-ng log target type is no longer available, use the syslog-tcp log target type instead. See type.
  • The default DNS load balancing algorithm has changed from round robin to first alive. This change only applies to new configurations (the currently configured value is preserved when migrating to version 9.2). See load-balance.
  • The names of system object types and properties in the web UI now use the term TLS instead of the term SSL. For example, the object type TLS server profile is now displayed instead of SSL server profile.
  • The suppression of identical events for a defined duration by log targets is now deprecated. See Log target commands.

Features new to LTS users

The following features are new at version 9.2.0 to long term service (LTS) users of the IBM MQ Appliance. (The features have been available to CD users in version 9.1.X CD releases.)

  • Queue manager error log enhancements, including support for:
    • Configuring the error log size
    • Excluding and suppressing messages
    • File-based diagnostic message services, including JSON formatted logs
    • Appliance log target integration, which provides support for streaming queue manager error log messages to a remote syslog server.
    See IBM MQ appliance logs.
  • The IBM MQ level name is now reported by the show version and show firmware-version appliance commands, see show version and show firmware-version.
  • The firmware version information and the CLI login message now identify whether the firmware delivery type is long-term support (LTS) or continuous delivery (CD).
  • A controlled shutdown is now performed for queue managers during shutdown or reboot of the appliance.
  • Status notifications are now issued when HA and DR queue managers, and the HA group, changes state. You can use these notifications to track the health of the HA or DR configuration. See Monitoring the health of high availability and disaster recovery configurations for details.
  • Support has been added for converting between CCSIDs 37 and 500 on the appliance.
  • You can now discover the operational mode of the appliance (for example, M2002A, M2002B, M2002B+) by using the show system command or by using a REST API command to show system settings. See Appliance modes for M2001 appliances and Installation considerations for M2002 appliances.
  • IBM MQ events are now recorded in the appliance audit and CLI logs, see Appliance audit logs.
  • A new parameter for the test tcp-connection command enables you to specify a local address to use when testing connectivity to a remote system. This enhancement enables network routing and firewall rules to be verified for a secondary IP address, such as a high availability floating IP address. See test tcp-connection.
  • New parameters have been added to the crtmqm, setmqini, and runmqsc commands to support the automatic configuration of queue managers that are members of uniform clusters. See Configuring uniform clusters - appliance-specific considerations.
  • You can now write appliance error reports to the mqdiag directory on the RAID disk. See Appliance error reports.
  • There is a new timeout feature to use when specifying an ntp service for the appliance to use. The timeout specifies the time that connection to the NTP server is attempted for. See Configuring NTP service settings by using the IBM MQ Appliance web UI and Configuring NTP service settings by using the command line.
  • A new command, reset-ssh-keys, can be used to delete old SSH keys, see reset-ssh-keys.
  • The dspmqtrc command can now be run on the appliance to format trace files. See dspmqtrc (display formatted trace).
  • You can now control the size of queue files. You have the option of configuring and monitoring queues that can support substantially more than the two terabyte default limit used in releases of before IBM MQ 9.1.5. You also have the option of reducing the size a queue file can grow to. To enable you to configure queues, there is an additional attribute on local and model queues, MAXFSIZE, and to monitor queues there are two additional queue status attribute, CURFSIZE and CUR|AXFS. See Modifying IBM MQ queue files in the main IBM MQ documentation.

Features that are changed for LTS users

The following features are changed at version 9.2.0 for long term service (LTS) users of the IBM MQ Appliance. (The features have been available to CD users in version 9.1.X CD releases.)

  • Block non-management traffic feature removed. By default, the appliance previously blocked non-management traffic on all network interfaces when it detected that one such interface was not correctly configured. It was recommended that you cleared that feature, particularly if you were configuring high availability. From version 9.1.1 the block non-management traffic feature is removed so no action needs to be taken.
  • The configuration scripts run by the exec command can now include mqcli commands. Note that the configuration file flow logic (implemented with the if/endif statements) is not available for mqcli commands.
  • The default values for some log target properties have changed. The default log target type has changed from cache to file, and the default timestamp format has changed from syslog to ISO Coordinated Universal Time (UTC) format (zulu).
  • The maximum SSH banner length (before truncation) has increased from 1023 characters to 4096 characters.
  • In the CLI, the IBM MQ administration mode (mqcli) is now also available within the global configuration command shell (config) in addition to the initial login shell. See IBM MQ commands.
  • The REST URI for the show firmware command has changed from /mgmt/status/default/FirmwareStatus to /mgmt/status/default/FirmwareStatus2. The previous REST URI is still available, but is now deprecated. See /mgmt/status/default/FirmwareStatus2.
  • The REST URI for the show firmware-version command has changed from /mgmt/status/default/FirmwareVersion2 to /mgmt/status/default/FirmwareVersion3. The previous REST URI is available, but is now deprecated. See /mgmt/status/default/FirmwareVersion3.
  • Public certificates are no longer provided in the pubcert: directory. You should request and upload any public certificates that you require. See Uploading certificates to the appliance.
  • HA Queue managers in the primary role or secondary role are now reported as having the role none when an appliance is suspended. See HA notification examples.
  • You can now configure a disaster recovery solution for a high availability group without specifying a floating IP address. This removes the requirement for both HA appliances being in the same subnet for configuring disaster recovery. See Configuring disaster recovery for a high availability queue manager by using the command line.