mq v8004 summary

Upload: marktayloribm

Post on 23-Jan-2018

Page 1: MQ V8004 Summary

© 2015 IBM Corporation

IBM Software Group WebSphere Software

IBM Confidential

IBM MQ Version 8.0.0.4

for Distributed platforms

Summary

Mark Taylor

Overview – "Continuous Delivery"

V8.0.0.3 FixPack released June 18 for all distributed platforms

– New function alongside the usual APARs

Some function automatically enabled, some needs specific configuration

– Often gated by CMDLEVEL (similar to NEWFUNC on z/OS)

– Use of all V8.0.0.3 function requires setting CMDLEVEL to 802

V8.0.0.4 FixPack released October 2015

– More new function

– Various RFEs satisfied

– No new CMDLEVEL needed to use new function

Message Expiry Cap

An attribute that enforces an expiry limit for messages

Allows administrators to override application behaviour

– If app asks for too large (or unlimited) expiry value, it is set to the cap

Initial implementation using CUSTOM on queues and topics

– ALTER QL(X) CUSTOM('CAPEXPRY(nnn)')

– ALTER TOPIC(X) CUSTOM('CAPEXPRY(ASPARENT)')

"CUSTOM" is another mechanism for new features in service stream

– Any future MQ version would migrate the function to a real attribute

– May change spellings, details when made first-class attribute

RFE 21984, 37837

Event formatting sample program

No sample ever shipped to format "standard" events

– Authorisation, queue full, service interval, command/config etc

– Other samples are available for acct/stats, activity reports

– Several SupportPacs but product only has out-of-date source code in the KC

New sample amqsevt formats events into readable English-ish text

– Option to stay with full MQI constant name instead of making it look nice

– Uses MQCB to read from multiple event queues. No polling required

– Can connect as client to any remote queue manager including z/OS

– Source code included

Examples

**** Message #1 (320 Bytes) on Queue SYSTEM.ADMIN.QMGR.EVENT ****

Event Type : Queue Mgr Event [44]

Reason : Unknown Alias Base Queue [2082]

Event created : 2015/07/07 10:54:51.17 GMT

Queue Mgr Name : V8003_A

Queue Name : EVT.NO.BASE.QUEUE

Base Object Name : EVT.NOT.DEFINED

Appl Type : Unix

Appl Name : amqsput

Base Type : Queue

**** Message #4 (300 Bytes) on Queue SYSTEM.ADMIN.QMGR.EVENT ****

Event Type : Queue Mgr Event [44]

Reason : Not Authorized [2035]

Event created : 2015/07/07 10:54:51.30 GMT

Queue Mgr Name : V8003_A

Reason Qualifier : Open Not Authorized

Queue Name : EVT.NO.PUT

Open Options : 0x00002010 [ fiq out ]

User Identifier : db2inst1

Appl Type : Unix

Appl Name : amqsput

MQI string formatting assistance

C header file now included to help convert MQI numbers to strings

Many developers have MQI strerror-like functions

– The hard work is now done for you

– The new cmqstrc.h is automatically updated (300+ new verbs!)

Similar to Java MQConstants.lookup() capability for all sets of constants

printf("Error is %s\n", MQRC_STR(2035));

printf("Completion Code is %s\n", MQCC_STR(CompCode));

printf("%s is %s\n", MQIA_STR(MQIA_PLATFORM), MQPL_STR(MQPL_UNIX));

will show

MQRC_NOT_AUTHORIZED

MQCC_OK

MQIA_PLATFORM is MQPL_UNIX

Command/Configuration Events for security changes

Configuration events give an audit trail of object changes

– Reports complete set of object attributes

Command events are "who did what, how"

– Show which parameters were used in the command

Existing command events for MQSC SET AUTHREC and PCF equivalent

– Not for setmqaut

No config events for any of these operations

V8.0.0.4 adds command events for setmqaut

Also adds configuration events for all mechanisms

RFE 53559

Example

**** Message #1 (324 Bytes) on Queue SYSTEM.ADMIN.COMMAND.EVENT ****

Event Type : Command Event

Reason : Command MQSC

Event created : 2015/07/07 10:26:47.82 GMT

Correlation Id : 414D5120563830335F41202020202CC001F03

COMMAND CONTEXT

Event User Id : metaylor

Event Origin : Console

Event Queue Mgr : V8003_A

Command : Set Auth Rec

COMMAND DATA

Auth Profile Name : self

Object Type : Queue Mgr

Principal Entity Names : db2inst1

Auth Add Auths : Connect

$ setmqaut -m V8003_A -t qmgr -p db2inst1 +connect

The setmqaut command completed successfully.

**** Message #2 (316 Bytes) on Queue SYSTEM.ADMIN.CONFIG.EVENT ****

Event Type : Config Event

Reason : Config Change Object

Object state : Before Change

Correlation Id : 414D5120563830335F41202020202CC001F03

Event created : 2015/07/07 10:26:47.82 GMT

Event User Id : metaylor

Event Origin : Console

Event Queue Mgr : V8003_A

Object Type : Auth Rec

Auth Profile Name : self

Auth Rec Type : Queue Mgr

Entity Name : db2inst1

Entity Type : Principal

Authorization List : None

**** Message #3 (316 Bytes) on Queue SYSTEM.ADMIN.CONFIG.EVENT ****

Event Type : Config Event

Reason : Config Change Object

Object state : After Change

Correlation Id : 414D5120563830335F41202020202CC001F03

Event created : 2015/07/07 10:26:47.82 GMT

Event User Id : metaylor

Event Origin : Console

Event Queue Mgr : V8003_A

Object Type : Auth Rec

Auth Profile Name : self

Auth Rec Type : Queue Mgr

Entity Name : db2inst1

Entity Type : Principal

Authorization List : Connect
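
An added example (not part of the original slides or of IBM's samples): Python that reads amqsevt text output like the messages above, pairs the Before Change and After Change config events for an Auth Rec on their shared Correlation Id, and reports who changed which entity's authorization list. The field names are the ones shown above; the embedded input is abridged from those messages, and the function names are hypothetical.

```python
import re

# Constructed input: amqsevt text abridged from the config events shown above.
SAMPLE = """\
**** Message #2 (316 Bytes) on Queue SYSTEM.ADMIN.CONFIG.EVENT ****
Object state : Before Change
Correlation Id : 414D5120563830335F41202020202CC001F03
Event User Id : metaylor
Object Type : Auth Rec
Entity Name : db2inst1
Authorization List : None
**** Message #3 (316 Bytes) on Queue SYSTEM.ADMIN.CONFIG.EVENT ****
Object state : After Change
Correlation Id : 414D5120563830335F41202020202CC001F03
Event User Id : metaylor
Object Type : Auth Rec
Entity Name : db2inst1
Authorization List : Connect
"""

HEADER = re.compile(r"^\*{4} Message #\d+ .* on Queue (\S+) \*{4}$")
FIELD = re.compile(r"^\s*(.+?)\s*:\s+(.*)$")  # first "name : value" split on the line

def parse_events(text):
    """Split amqsevt text output into one dict of fields per message."""
    events = []
    for line in map(str.strip, text.splitlines()):
        if (m := HEADER.match(line)):
            events.append({"Queue": m.group(1)})
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1)] = m.group(2).strip()
    return events

def auth_changes(events):
    """Pair Before/After Auth Rec config events on Correlation Id; keep real changes."""
    pending, changes = {}, []
    for ev in events:
        if ev.get("Object Type") != "Auth Rec":
            continue
        cid, state = ev.get("Correlation Id"), ev.get("Object state")
        if state == "Before Change":
            pending[cid] = ev
        elif state == "After Change" and cid in pending:
            old = pending.pop(cid).get("Authorization List")
            new = ev.get("Authorization List")
            if old != new:  # the list is compared as opaque text, not parsed
                changes.append({"by": ev.get("Event User Id"),
                                "entity": ev.get("Entity Name"),
                                "before": old, "after": new})
    return changes
```
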

Certificate expiry made easier to parse

New option for runmqakm to print dates in a standard format

$ ./runmqakm -cert -list -db ./key.kdb -pw passw0rd -expiry -rfc3339

Certificates found

* default, - personal, ! trusted, # secret key

! "Entrust.net Certification Authority (2048)"

Not After : 2019-12-24T18:20:51Z

! "Entrust.net Client Certification Authority"

Not After : 2019-10-12T19:54:30Z

! "Entrust.net Global Client Certification Authority"

Not After : 2020-02-07T16:46:40Z

RFE 65496

$ ./runmqakm -cert -list -db ./key.kdb -pw passw0rd -expiry

Certificates found

* default, - personal, ! trusted, # secret key

! "Entrust.net Certification Authority (2048)"

Not After : 24 December 2019 18:20:51 GMT

! "Entrust.net Client Certification Authority"

Not After : 12 October 2019 20:54:30 GMT+01:00

! "Entrust.net Global Client Certification Authority"

Not After : 7 February 2020 16:46:40 GMT
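
An added example (not from the original slides): Python that parses the -rfc3339 listing above and returns the certificates that expire within a given number of days. The fixed UTC timestamps need one strptime pattern, whereas the older format mixes month names with local offsets such as GMT+01:00. The function names are hypothetical and the input is the listing copied from above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: the -rfc3339 listing shown above, copied as text.
LISTING = """\
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Certification Authority (2048)"
Not After : 2019-12-24T18:20:51Z
! "Entrust.net Client Certification Authority"
Not After : 2019-10-12T19:54:30Z
! "Entrust.net Global Client Certification Authority"
Not After : 2020-02-07T16:46:40Z
"""

# Flag characters (* - ! #) followed by a quoted label; the legend line has no quotes.
LABEL = re.compile(r'^([*\-!#]+)\s*"(.+)"\s*$')
NOT_AFTER = re.compile(r"^\s*Not After\s*:\s*(\S+)\s*$")

def parse_listing(text):
    """Return [(label, flags, not_after_utc)] from the -expiry -rfc3339 listing."""
    certs, current = [], None
    for line in text.splitlines():
        if (m := LABEL.match(line)):
            current = (m.group(2), m.group(1))
        elif current and (m := NOT_AFTER.match(line)):
            when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            certs.append((*current, when.replace(tzinfo=timezone.utc)))
            current = None
    return certs

def expiring(certs, now, days):
    """Labels with Not After on or before now + days, soonest first (expired included)."""
    limit = now + timedelta(days=days)
    due = sorted((when, label) for label, _, when in certs if when <= limit)
    return [label for _, label in due]

if __name__ == "__main__":
    for name in expiring(parse_listing(LISTING), datetime.now(timezone.utc), 30):
        print("renew or remove:", name)
```
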

MQLight integration

Next delivery phase of support for MQLight client connections to an MQ queue manager

– V8.0.0.2 and V8.0.0.3 provided changes in MQ (eg to define AMQP channels)

– Had separate Tech Preview download for the channel "listener" service

V8.0.0.4 removes need for the Tech Preview download

MQLight integration becomes part of standard MQ installation

– "AMQP Service" is selectable component during install

– All Unix/Linux platforms and Windows

– Change to fileset component list forces a manufacturing refresh

– PPA downloads then give an install image already at V8.0.0.4

– This will not be available in V8.0.0.4 fixpack from FixCentral

– But V8.0.0.5 will go on top of earlier versions, no matter how you got there (will not update a non-existent AMQP component)

XA Configuration

When MQ is a transaction manager, XAOpenString in qm.ini defines how to connect to a resource manager (database)

– String can contain connection credentials

Long-lived requirement not to have plain-text passwords in the file

– Most people have used OS authentication (ie which id is running the program) with no need to provide additional credentials

– Sample exits have shown how to solve this but you had to write some code

V8.0.0.4 includes an official solution

New command setmqxacred to define id/password for DB connection

– XAOpenString now can refer to ++USERID++, ++PASSWORD++ and have variables replaced

– Separate file contains obfuscated password similar to mqccred channel exit

RFE 53133

SSL/TLS Configuration verification

SupportPac MH03 provides a tool to validate SSL/TLS configurations

Checks include

– Missing files

– Incorrect SSLKEYR queue manager attribute

– Password settings

– Certificate labels, expiry dates and trust chains

– Validate queue manager and client certificates against each other

– Verifies SSLCAUTH/SSLPEER settings with queue manager

MH03 does not work with current MQ versions – built on old toolkits

Now part of MQ product

– Renamed to mqcertck

– Updated to work with current MQ versions and recognise new features such as per-channel certificates

Relocatable/redistributable client

Shipping client as a simple tar/zip image removing need to install

– Application users do not need OS admin privileges to install MQ code

– Developers will still need a properly-installed SDK for header files

Windows and Linux x64 for now

– Additional platforms would be considered based on demand

License changes make it legal to embed client image with applications

Includes C, C++, COBOL, Java and .Net libraries

Client images still also available in traditional format

RFE 26670, 38765, 26671, 30697 etc

And for the future

Continue to plan for more frequent delivery of new function

Incremental changes instead of releases containing large amounts