![[MQ 9.4.0 Jun 2024]](ng940.gif)
![[MQ 9.4.0 Jun 2024]](ng940cd.gif)
What's changed in IBM MQ 9.4.0
Before upgrading your queue managers to the latest product version, review these changes to functions and resources since IBM® MQ 9.3.0 and decide whether you must plan to make changes to existing applications, scripts, and procedures before starting to migrate your systems.
- Changes that are new to Long Term Support (LTS) users at IBM MQ 9.4.0 are indicated by a dark blue icon
- Changes that are new to Continuous Delivery (CD) users at IBM MQ 9.4.0 are indicated by a light blue icon
- License entitlement, installation and migration
- The following changes first appeared in IBM MQ 9.3.x Continuous Delivery releases and are new for Long Term Support at IBM MQ 9.4.0:
- Security
- The following changes first appeared in IBM MQ 9.3.x Continuous Delivery releases and are new for Long Term Support at IBM MQ 9.4.0:
- Administration
- The following changes first appeared in IBM MQ 9.3.x Continuous Delivery releases and are new for Long Term Support at IBM MQ 9.4.0:
  - Changed return code for endmqm
  - runmqdlq tool default permissions change
  - Changes to the RECOVER CFSTRUCT command
  - Changes to the output of the MFT fteDisplayVersion command
  - Changes to entries in the connection log for connections to MQIPT TLS server routes that close without sending any data
  - Changes to the way the CSQ1LOGP EXTRACT function handles messages with message properties
  - Changes to zHyperWrite
- Application development
The following changes first appeared in IBM MQ 9.3.x Continuous Delivery releases and are new for Long Term Support at IBM MQ 9.4.0:
- Containers
The following changes first appeared in IBM MQ 9.3.x Continuous Delivery releases and are new for Long Term Support at IBM MQ 9.4.0:
License entitlement, installation and migration
Change to nonprod entitlement option of setmqinst command
- From IBM MQ 9.4.0, the nonprod option of the -l parameter of the setmqinst command sets the entitlement to IBM MQ (Non-Production) or IBM MQ Advanced (Non-Production), depending on whether the installation is IBM MQ Advanced or not. For more information about the setmqinst command, see setmqinst (set IBM MQ installation).
Changes to the features that are supplied with the mqweb server
- The mqweb server is a WebSphere® Liberty server that is used to support the IBM MQ Console and REST API. From IBM MQ 9.4.0, the WebSphere Liberty features that are supplied with the mqweb server are reduced to only those that are required to run, secure, and monitor the IBM MQ Console and REST API. This significantly reduces the size of the installation files for the mqweb server.
Migration considerations relating to IBM MQ Bridge to Salesforce removal
- The IBM MQ Bridge to Salesforce is removed from the product at IBM MQ 9.4.0. Salesforce connectivity can be achieved with IBM App Connect Enterprise. Salesforce Input and Salesforce Request nodes can be used to interact with Salesforce applications. For more information, see Using Salesforce with IBM App Connect Enterprise.
IBM Aspera® faspio Gateway version upgraded
- IBM MQ Advanced for Multiplatforms 9.4.0, IBM MQ Advanced 9.4.0, IBM MQ Advanced for z/OS® Value Unit Edition 9.4.0, and IBM MQ Advanced for z/OS 9.4.0 upgrade the version of the IBM Aspera faspio Gateway to 1.3.4.
Name change from Long Term Support (LTS) to Support Cycle 2 (SC2) for IBM MQ in containers
- From IBM MQ Operator channel v3.2, Long Term Support (LTS) is renamed to Support Cycle 2 (SC2). This is because the only available LTS path for IBM MQ in containers is two years support under IBM Cloud Pak® for Integration entitlement, and IBM Cloud Pak for Integration has adopted the term SC2.
Security
Changes to Security Policy attribute of the Service stanza of the qm.ini file
- From IBM MQ 9.4.0, changes are made to the SecurityPolicy attribute of the Service stanza of the qm.ini file when the queue manager is configured to accept authentication tokens. To allow users that are not known to the queue manager to be used for authentication and authorization, the queue manager is put in UserExternal mode when the AuthToken stanza is added to the qm.ini file. This does not automatically happen if the SecurityPolicy attribute of the Service stanza of the qm.ini file is already set to group. If you want to use authentication tokens, change the setting from group to UserExternal and restart your queue manager. For more information, see SecurityPolicy and AuthToken stanza of the qm.ini file.
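The check described above can be run against a qm.ini file before enabling authentication tokens. The following Python sketch is an added example, not IBM code: the function names are hypothetical, the sample file is constructed, and it assumes the usual qm.ini layout of `StanzaName:` lines followed by `Attribute=value` lines, with comment lines starting with `#` or `;`.

```python
import re

# Constructed sample qm.ini (not from a real queue manager). The AuthToken
# stanza body is left empty; its attributes do not matter for this check.
SAMPLE_QM_INI = """\
# Constructed example
Log:
   LogPrimaryFiles=3
Service:
   Name=AuthorizationService
   SecurityPolicy=group
AuthToken:
"""

STANZA = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*$")


def parse_stanzas(text):
    """Return a list of (stanza_name, {attribute: value}) in file order.

    Attribute names are lower-cased so the lookup is case-insensitive.
    """
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        match = STANZA.match(line)
        if match:
            stanzas.append((match.group(1), {}))
        elif "=" in line and stanzas:
            key, _, value = line.partition("=")
            stanzas[-1][1][key.strip().lower()] = value.strip()
    return stanzas


def check_auth_token_policy(text):
    """Return 'no-authtoken', 'needs-change' or 'no-conflict'."""
    stanzas = parse_stanzas(text)
    if not any(name.lower() == "authtoken" for name, _ in stanzas):
        return "no-authtoken"
    policies = [attrs["securitypolicy"].lower() for name, attrs in stanzas
                if name.lower() == "service" and "securitypolicy" in attrs]
    # Per the text above: an existing SecurityPolicy=group is not switched
    # automatically, so it must be changed to UserExternal by hand.
    return "needs-change" if "group" in policies else "no-conflict"
```

A result of `needs-change` means the Service stanza still carries SecurityPolicy=group alongside an AuthToken stanza, which is the case that requires the manual change and a queue manager restart.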
Change to SSLCIPH property for AMQP channels
- From IBM MQ 9.4.0, AMQP channels support ANY* generic CipherSpecs. For more information, see Configuring AMQP clients with TLS and Enabling CipherSpecs.
AMQP channel no longer supports CMS keystores
- From IBM MQ 9.4.0, the AMQP channel no longer supports CMS keystores. If your queue manager is currently configured with a CMS keystore (that is, a .kdb keystore), and you are using an SSL/TLS channel for AMQP, the channel will fail to start. To utilize AMQP SSL channels, you must convert your CMS keystore to a PKCS12 keystore. For more information on how to perform this conversion, see SSL/TLS support in Securing AMQP Clients.
Removal of support for RSA key exchange when operating in FIPS mode
- From IBM MQ 9.4.0, the IBM Java 8 JRE removes support for RSA key exchange when operating in FIPS mode. This removal applies to the following CipherSuites:
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
Changes to MQIPT certificate management commands
- From IBM MQ 9.4.0, the following commands to manage certificates in MQIPT keystores are removed:
- mqiptKeycmd
- mqiptKeyman
Changes to IBM MQ certificate management commands
- From IBM MQ 9.4.0, the following commands to manage certificates in key repositories that are used by IBM MQ are removed:
- runmqckm
- strmqikm
Managed File Transfer support for secure ciphers extended
- From IBM MQ 9.4.0, Managed File Transfer has increased the number of secure ciphers supported by the product.
In addition, the default values for the cipherList and the SFTP server specific attributes have changed from the IBM MQ 9.4.0 release. You are likely to see message BFGBR0127E after you have migrated to IBM MQ 9.4.0.
See Protocol bridge properties file format for details of the additions to the ciphers, and the Important note on how you can resolve the BFGBR0127E error.
MQIPT rejects HTTP connections by default
- From IBM MQ 9.4.0, MQIPT routes accept only connections that use the IBM MQ protocol by default. If MQIPT is used to accept HTTP connections from another instance of MQIPT, use the new AllowedProtocols property to configure the route to accept HTTP connections before migrating to MQIPT in IBM MQ 9.4.0.
Administration
Changed return code for endmqm
- If an endmqm command was issued to a queue manager that was in the process of starting up, the generic code 71 'unexpected error' was returned. From IBM MQ 9.4.0, an attempt to end a queue manager that is starting up now returns the code 4 'Queue manager is being started'. For more information, see endmqm (end queue manager).
runmqdlq tool default permissions change
- From IBM MQ 9.4.0, the default permissions of runmqdlq have been changed to remove the setuid bit. When running runmqdlq, the tool now runs under the context of the user that invokes the command. This change brings runmqdlq in line with other tools that support client connection functionality. For more information about runmqdlq, see runmqdlq (run dead-letter queue handler).
Changes to the RECOVER CFSTRUCT command
- From IBM MQ 9.4.0, RECOVER CFSTRUCT processing has been changed to make use of 64 bit storage instead of 31 bit storage. If you are likely to issue the command for structures that contain more than a few million messages you should increase the MEMLIMIT parameter in the relevant queue manager's JCL by 500MB. For more information, see Queue manager storage configuration.
Changes to the output of the MFT fteDisplayVersion command
- Before IBM MQ 9.4.0, the output from the fteDisplayVersion command included components that Managed File Transfer does not use. From IBM MQ 9.4.0, these components are no longer included in the output. For more information, see fteDisplayVersion (display installed version of MFT).
Changes to entries in the connection log for connections to MQIPT TLS server routes that close without sending any data
- From IBM MQ 9.4.0, connections to IBM MQ Internet Pass-Thru (MQIPT) routes that close before any data is sent are not logged as errors. This change affects routes that are defined with SSLServer=true and SSLPlainConnections=false.
Changes to the way the CSQ1LOGP EXTRACT function handles messages with message properties
- From IBM MQ 9.4.0, the CSQ1LOGP EXTRACT function is changed so that a message with message properties has the properties converted into MQRFH2 in the output record.
Attention:
- The utility no longer produces MQPUTPRP records.
- The CSQ1LOGP EXTRACT function requires thlqual.SCSQAUTH to be included in STEPLIB.
Changes to zHyperWrite
- From IBM MQ 9.4.0, the zHyperWrite behavior has changed, so that when ZHYWRITE(YES) is set, active log writes attempt to use zHyperWrite regardless of whether the log data sets are enabled for zHyperWrite. Previously active log writes would attempt to use zHyperWrite only if the log data sets were enabled for zHyperWrite. For more information, see Using zHyperWrite with IBM MQ active logs.
RHEL 7 no longer supported for RDQM
- From IBM MQ 9.4.0, RDQM on RHEL 7 is no longer supported. You must move to RHEL 8 or RHEL 9 when migrating your RDQM configuration. For more information, see Migrating replicated data queue managers.
Change to the start of the AMQP Service
- From IBM MQ 9.4.0, the default behavior of the setting of the CONTROL attribute for starting the AMQP service has changed. When creating and starting a new queue manager, the AMQP service does not automatically start as part of the queue manager startup process. For more information, see AMQP Service does not start automatically on queue manager startup.
Application development
Changes to Bouncy Castle JAR file names
- From IBM MQ 9.4.0, the names of the Bouncy Castle JAR files bundled with the product have changed. For example, bcprov-jdk15to18.jar has changed to bcprov-jdk18on.jar. For more information, see IBM MQ classes for JMS/Jakarta Messaging relocatable JAR files and IBM MQ classes for Java relocatable JAR files.
com.ibm.mq.cfg.useIBMCipherMappings no longer needed for configuring mappings
- From IBM MQ 9.4.0, a Cipher can be defined as either the CipherSpec or CipherSuite name and is then handled correctly by IBM MQ.
Error message improvements for security exit failures when a .NET client is connecting to IBM MQ
- A security exit program is used to verify that the partner at the other end of a channel is genuine. This is also known as authentication. To specify that a channel must use a security exit, you can specify the exit name in the SCYEXIT field of the channel definition.
Use of separately downloadable IBM Semeru Java runtime for IBM MQ client applications
- From IBM MQ 9.4.0, you should use a separately downloadable IBM Semeru Java runtime for IBM MQ client applications instead of using the Java runtime packaged with IBM MQ. IBM MQ supports the IBM Semeru runtime via IBM MQ product entitlement when used for the purpose of running IBM MQ Java/JMS applications. The Java runtime packaged with the IBM MQ product is expected to be updated more often, which might result in breaking changes for applications depending on it.
Removal of IBM MQ .NET Standard client libraries
- The IBM MQ .NET client libraries built using .NET Standard 2.0, which were deprecated at IBM MQ 9.3.1, have been removed from the product from IBM MQ 9.4.0. This means that you will no longer see the folder netstandard2.0 and the libraries that it contained, that is, amqmdnetstd.dll and amqmxmsstd.dll, in the following locations:
- MQ_INSTALLATION_PATH\bin\netstandard2.0
- MQ_INSTALLATION_PATH\lib64\netstandard2.0
Changes to how C sample programs with authentication capabilities are built
- The C sample programs that allow users to connect to a queue manager with credentials have been altered so that authentication is only enabled when a new compile flag, SAMPLE_AUTH_ENABLED, is defined. Clients that build the shipped source sample files will need to define this compile flag if they wish to use authentication. For more information on how to build samples with and without authentication, see Preparing and running the sample programs.
Containers
Changed environment variables for the IBM MQ Advanced for Developers container image
- Three new environment variables are added:
- MQ_LOGGING_CONSOLE_SOURCE
- MQ_LOGGING_CONSOLE_FORMAT (which supersedes LOG_FORMAT)
- MQ_LOGGING_CONSOLE_EXCLUDE_ID
For more information, see IBM MQ Advanced for Developers container image.
For use in containers, a certificate must have a unique Subject Distinguished Name
- Queue manager certificates with the same Subject Distinguished Name (DN) as the issuer (CA) certificate are not supported for use with IBM MQ containers. The product now checks for this condition, and stops it from occurring.