[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]

What's changed in IBM MQ 9.4.0

Before upgrading your queue managers to the latest product version, review these changes to functions and resources since IBM® MQ 9.3.0 and decide whether you must plan to make changes to existing applications, scripts, and procedures before starting to migrate your systems.

IBM MQ 9.4.0 includes changes of behavior that were previously delivered in the CD releases of IBM MQ 9.3.0 through IBM MQ 9.3.5, along with some changes that are new at IBM MQ 9.4.0:
  • Changes that are new to Long Term Support (LTS) users at IBM MQ 9.4.0 are indicated by a dark blue icon Icon for IBM MQ 9.4.0 LTS
  • Changes that are new to Continuous Delivery (CD) users at IBM MQ 9.4.0 are indicated by a light blue icon Icon for IBM MQ 9.4.0 CD
License entitlement, installation and migration
The following changes first appeared in IBM MQ 9.3.x Continuous Delivery releases and are new for Long Term Support at IBM MQ 9.4.0:
The following changes are new for Long Term Support and Continuous Delivery at IBM MQ 9.4.0:
The following changes are relevant to Long Term Support only at IBM MQ 9.4.0:
Security
The following changes first appeared in IBM MQ 9.3.x Continuous Delivery releases and are new for Long Term Support at IBM MQ 9.4.0:
The following changes are new for Long Term Support and Continuous Delivery at IBM MQ 9.4.0:
Administration
The following changes first appeared in IBM MQ 9.3.x Continuous Delivery releases and are new for Long Term Support at IBM MQ 9.4.0:
The following changes are new for Long Term Support and Continuous Delivery at IBM MQ 9.4.0:
Application development
[MQ 9.4.0 Jun 2024]The following changes first appeared in IBM MQ 9.3.x Continuous Delivery releases and are new for Long Term Support at IBM MQ 9.4.0:
[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]The following changes are new for Long Term Support and Continuous Delivery at IBM MQ 9.4.0:
Containers
[MQ 9.4.0 Jun 2024]The following changes first appeared in IBM MQ 9.3.x Continuous Delivery releases and are new for Long Term Support at IBM MQ 9.4.0:

License entitlement, installation and migration

[MQ 9.4.0 Jun 2024][UNIX, Linux, Windows, IBM i]Change to nonprod entitlement option of setmqinst command
From IBM MQ 9.4.0, the nonprod option of the -l parameter of the setmqinst command sets the entitlement to IBM MQ (Non-Production) or IBM MQ Advanced (Non-Production), depending on whether the installation is IBM MQ Advanced or not. For more information about the setmqinst command, see setmqinst (set IBM MQ installation).
[MQ 9.4.0 Jun 2024]Changes to the features that are supplied with the mqweb server
The mqweb server is a WebSphere® Liberty server that is used to support the IBM MQ Console and REST API. From IBM MQ 9.4.0, the WebSphere Liberty features that are supplied with the mqweb server are reduced to only those that are required to run, secure, and monitor the IBM MQ Console and REST API. This significantly reduces the size of the installation files for the mqweb server.
[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024][Linux]Migration considerations relating to IBM MQ Bridge to Salesforce removal
The IBM MQ Bridge to Salesforce is removed from the product at IBM MQ 9.4.0. Salesforce connectivity can be achieved with IBM App Connect Enterprise. Salesforce Input and Salesforce Request nodes can be used to interact with Salesforce applications. For more information, see Using Salesforce with IBM App Connect Enterprise.
On Linux® for x86-64 only, if you are migrating from an installation where the IBM MQ Bridge to Salesforce is present, you must remove it before you upgrade to IBM MQ 9.4.0 or later.
[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]IBM Aspera® faspio Gateway version upgraded
IBM MQ Advanced for Multiplatforms 9.4.0, IBM MQ Advanced 9.4.0, IBM MQ Advanced for z/OS® Value Unit Edition 9.4.0, and IBM MQ Advanced for z/OS 9.4.0 upgrade the version of the IBM Aspera faspio Gateway to 1.3.4.
IBM Aspera faspio Gateway 1.3.4 makes a number of breaking changes from earlier versions:
[MQ 9.4.0 Jun 2024]Name change from Long Term Support (LTS) to Support Cycle 2 (SC2) for IBM MQ in containers
From IBM MQ Operator channel v3.2, Long Term Support (LTS) is renamed to Support Cycle 2 (SC2). This is because the only available LTS path for IBM MQ in containers is two years support under IBM Cloud Pak® for Integration entitlement, and IBM Cloud Pak for Integration has adopted the term SC2.
Here is the full picture of entitlement:
  • With IBM MQ entitlement, the IBM MQ Operator can deploy only the IBM MQ Continuous Delivery (CD) images.
  • With IBM Cloud Pak for Integration entitlement, the IBM MQ Operator can deploy CD or SC2 (formerly LTS) images.

Security

[AIX][MQ 9.4.0 Jun 2024][Linux]Changes to Security Policy attribute of the Service stanza of the qm.ini file
From IBM MQ 9.4.0, changes are made to the SecurityPolicy attribute of the Service stanza of the qm.ini file when the queue manager is configured to accept authentication tokens. To allow users that are not known to the queue manager to be used for authentication and authorization, the queue manager is put in UserExternal mode when the AuthToken stanza is added to the qm.ini file. This does not automatically happen if the SecurityPolicy attribute of the Service stanza of the qm.ini file is already set to group. If you want to use authentication tokens, change the setting from group to UserExternal and restart your queue manager. For more information, see SecurityPolicy and AuthToken stanza of the qm.ini file.
[MQ 9.4.0 Jun 2024]Change to SSLCIPH property for AMQP channels
From IBM MQ 9.4.0, AMQP channels support ANY* generic CipherSpecs. For more information, see Configuring AMQP clients with TLS and Enabling CipherSpecs.
[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]AMQP channel no longer supports CMS keystores
From IBM MQ 9.4.0, the AMQP channel no longer supports CMS keystores. If your queue manager is currently configured with a CMS keystore (that is, a .kdb keystore), and you are using an SSL/TLS channel for AMQP, the channel will fail to start. To utilize AMQP SSL channels, you must convert your CMS keystore to a PKCS12 keystore. For more information on how to perform this conversion, see SSL/TLS support in Securing AMQP Clients.
[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]Removal of support for RSA key exchange when operating in FIPS mode
From IBM MQ 9.4.0, the IBM Java 8 JRE removes support for RSA key exchange when operating in FIPS mode. This removal applies to the following CipherSuites:
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
To continue using FIPS mode, the following IBM MQ components should be changed to use a CipherSuite that is still supported:
  • AMQP server
  • Managed File Transfer (MFT)
  • IBM MQ Console
  • IBM MQ Explorer
  • IBM MQ REST API
  • IBM MQ Telemetry service
For more information, see TLS CipherSpecs and CipherSuites in IBM MQ classes for Java.
[AIX, Linux, Windows][MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]Changes to MQIPT certificate management commands
From IBM MQ 9.4.0, the following commands to manage certificates in MQIPT keystores are removed:
  • mqiptKeycmd
  • mqiptKeyman
A new command, mqiptKeytool, can be used instead of these commands to manage certificates in MQIPT keystores.
The mqiptKeytool command runs the Java keytool certificate management utility. The parameters that need to be specified when the mqiptKeytool command is run are different to the parameters that need to be specified when the mqiptKeyman command is run in earlier versions of MQIPT.
For more information about the mqiptKeytool command, see mqiptKeytool (manage certificates). For more information about managing MQIPT keystores, see Managing MQIPT keystores.
[AIX, Linux, Windows][MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]Changes to IBM MQ certificate management commands
From IBM MQ 9.4.0, the following commands to manage certificates in key repositories that are used by IBM MQ are removed:
  • runmqckm
  • strmqikm
The runmqakm command, or the new runmqktool command, can be used instead to manage key repositories and certificates.
The runmqktool command runs the Java keytool certificate management utility. The parameters that need to be specified when the runmqktool command is run are different to the parameters that need to be specified when the runmqckm command is run in earlier versions of IBM MQ.
For more information about the IBM MQ key repository and certificate management commands, see runmqakm and runmqktool commands on AIX®, Linux, and Windows.
[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]Managed File Transfer support for secure ciphers extended
From IBM MQ 9.4.0, Managed File Transfer has increased the number of secure ciphers supported by the product.

In addition, the default values for the cipherList and the SFTP server specific attributes have changed from the IBM MQ 9.4.0 release. You are likely to see message BFGBR0127E after you have migrated to IBM MQ 9.4.0.

See Protocol bridge properties file format for details of the additions to the ciphers, and the Important note on how you can resolve the BFGBR0127E error.

[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]MQIPT rejects HTTP connections by default
From IBM MQ 9.4.0, MQIPT routes accept only connections that use the IBM MQ protocol by default. If MQIPT is used to accept HTTP connections from another instance of MQIPT, use the new AllowedProtocols property to configure the route to accept HTTP connections before migrating to MQIPT in IBM MQ 9.4.0.
For more information, see AllowedProtocols.

Administration

[MQ 9.4.0 Jun 2024]Changed return code for endmqm
If an endmqm command was issued to a queue manager that was in the process of starting up, the generic code 71 'unexpected error' was returned. From IBM MQ 9.4.0, an attempt to end a queue manager that is starting up now returns the code 4 ' Queue manager is being started'. For more information, see endmqm (end queue manager).
[AIX][MQ 9.4.0 Jun 2024][Linux]runmqdlq tool default permissions change
From IBM MQ 9.4.0, the default permissions of runmqdlq have been changed to remove the setuid bit. When running runmqdlq, the tool now runs under the context of the user that invokes the command. This change brings runmqdlq in line with other tools that support client connection functionality. For more information about runmqdlq, see runmqdlq (run dead-letter queue handler).
[MQ 9.4.0 Jul 2024][z/OS]Changes to the RECOVER CFSTRUCT command
From IBM MQ 9.4.0, RECOVER CFSTRUCT processing has been changed to make use of 64 bit storage instead of 31 bit storage. If you are likely to issue the command for structures that contain more than a few million messages you should increase the MEMLIMIT parameter in the relevant queue manager's JCL by 500MB. For more information, see Queue manager storage configuration.
[IBM MQ Advanced VUE][MQ 9.4.0 Jun 2024][IBM MQ Advanced]Changes to the output of the MFT fteDisplayVersion command
Before IBM MQ 9.4.0, the output from the fteDisplayVersion command included components that Managed File Transfer does not use. From IBM MQ 9.4.0, these components are no longer included in the output. For more information, see fteDisplayVersion (display installed version of MFT).
[AIX, Linux, Windows][MQ 9.4.0 Jun 2024]Changes to entries in the connection log for connections to MQIPT TLS server routes that close without sending any data
From IBM MQ 9.4.0, connections to IBM MQ Internet Pass-Thru (MQIPT) routes that close before any data is sent are not logged as errors. This change affects routes that are defined with SSLServer=true and SSLPlainConnections=false.

In previous versions of MQIPT, connections to these routes that closed without sending any data caused an entry to be written to the connection log with an ERROR completion code and a SSLHandshakeException error message. From IBM MQ 9.4.0, the same connections cause a nodata entry to be written to the connection log, with an OK completion code. This change makes the connection log entries for connections that close before any data is sent consistent for all types of MQIPT routes.

[MQ 9.4.0 Jul 2024][z/OS]Changes to the way the CSQ1LOGP EXTRACT function handles messages with message properties
From IBM MQ 9.4.0, the CSQ1LOGP EXTRACT function is changed so that a message with message properties has the properties converted into MQRFH2 in the output record.
Attention:
  • The utility no longer produces MQPUTPRP records.
  • The CSQ1LOGP EXTRACT function requires thlqual.SCSQAUTH to be included in STEPLIB.

See The log print utility (CSQ1LOGP) for more information, and Service facilities codes (X'F1') for changes to the codes produced.

[MQ 9.4.0 Jul 2024][z/OS]Changes to zHyperWrite
From IBM MQ 9.4.0, the zHyperWrite behavior has changed, so that when ZHYWRITE(YES) is set, active log writes attempt to use zHyperWrite regardless of whether the log data sets are enabled for zHyperWrite. Previously active log writes would attempt to use zHyperWrite only if the log data sets were enabled for zHyperWrite. For more information, see Using zHyperWrite with IBM MQ active logs.
[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]RHEL 7 no longer supported for RDQM
From IBM MQ 9.4.0, RDQM on RHEL 7 is no longer supported. You must move to RHEL 8 or RHEL 9 when migrating your RDQM configuration, see Migrating replicated data queue managers.
[AIX, Linux, Windows][MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]Change to the start of the AMQP Service
From IBM MQ 9.4.0, the default behavior of the setting of the CONTROL attribute for starting the AMQP service has changed. When creating and starting a new queue manager, the AMQP service does not automatically start as part of the queue manager startup process. For more information, see AMQP Service does not start automatically on queue manager startup.

Application development

[MQ 9.4.0 Jun 2024]Changes to Bouncy Castle JAR file names
From IBM MQ 9.4.0, the names of the Bouncy Castle JAR files bundled with the product have changed. For example, bcprov-jdk15to18.jar has changed to bcprov-jdk18on.jar. For more information, see IBM MQ classes for JMS/Jakarta Messaging relocatable JAR files and IBM MQ classes for Java relocatable JAR files.
[MQ 9.4.0 Jun 2024]com.ibm.mq.cfg.useIBMCipherMappings no longer needed for configuring mappings
From IBM MQ 9.4.0, a Cipher can be defined as either the CipherSpec or CipherSuite name and is then handled correctly by IBM MQ.
The Java System Property com.ibm.mq.cfg.useIBMCipherMappings, which was previously used for configuring an application to use IBM Java or Oracle Java CipherSuite mapping, is no longer needed for controlling which mappings are used and is removed from the product.
[Windows][MQ 9.4.0 Jun 2024][Linux]Error message improvements for security exit failures when a .NET client is connecting to IBM MQ
A security exit program is used to verify that the partner at the other end of a channel is genuine. This is also known as authentication. To specify that a channel must use a security exit, you can specify the exit name in the SCYEXIT field of the channel definition.
From IBM MQ 9.4.0, a new and improved diagnostic message is thrown by the managed IBM MQ classes for .NET or IBM MQ classes for XMS .NET client application if the security exit used by the application results in a unsuccessful connection to the IBM MQ server. The old error message 2195 MQRC_UNEXPECTED_ERROR is replaced by the error message 2406 MQRC_CLIENT_EXIT_LOAD_ERROR.

For more information about security exits, see Channel security exit programs.

[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]Use of separately downloadable IBM Semeru Java runtime for IBM MQ client applications

[MQ 9.4.0 Jun 2024]From IBM MQ 9.4.0, you should use a separately downloadable IBM Semeru Java runtime for IBM MQ client applications instead of using the Java runtime packaged with IBM MQ. IBM MQ supports the IBM Semeru runtime via IBM MQ product entitlement when used for the purpose of running IBM MQ Java/JMS applications. The Java runtime packaged with the IBM MQ product is expected to be updated more often which might result in breaking changes for applications depending on it.

[Windows][MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024][Linux]Removal of IBM MQ .NET Standard client libraries
The IBM MQ .NET client libraries built using .NET Standard 2.0, which were deprecated at IBM MQ 9.3.1, have been removed from the product from IBM MQ 9.4.0. This means that you will no longer see the folder netstandard2.0 and the libraries that it contained, that is, amqmdnetstd.dll and amqmxmsstd.dll, in the following locations:
  • [Windows]MQ_INSTALLATION_PATH\bin\netstandard2.0
  • [Linux]MQ_INSTALLATION_PATH\lib64\netstandard2.0
Here are two scenarios that you might encounter following the removal of the netstandard2.0 libraries:
  • If you are using a IBM MQ classes for .NET Framework or IBM MQ classes for XMS .NET Framework application that is built using the netstandard2.0 libraries such as amqmdnetstd.dll, you need to rebuild your application with the Microsoft.NET Framework 4.7.2 libraries such as amqmdnet.dll, in order for your application to run successfully. If you do not rebuild your application, you might get an System.IO.Unexceptionable message:
    Exception caught: System.IO.FileLoadException: Could not load file or assembly 'amqmdnetstd, Version=9.3.5.0, Culture=neutral, PublicKeyToken=23d6cb914eeaac0e' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
File name: 'amqmdnetstd, Version=9.3.5.0, Culture=neutral, PublicKeyToken=23d6cb914eeaac0e'
   at SimplePut.SimplePut.PutMessages()
   at SimplePut.SimplePut.Main(String[] args) in C:\SampleCode\Program.cs:line 132
  • If you are using a .NET 6 application that is built using netstandard2.0 libraries, then you just need to replace those libraries with the same .NET 6 libraries in the bin folder of the application runtime directory. No rebuild is required.
    Note: The replacement .NET 6 library should always be of the same or higher level than the replaced netstandard2.0 library.

For more information, see Installing IBM MQ classes for .NET and Installing IBM MQ classes for XMS .NET.

[MQ 9.4.0 Jun 2024][MQ 9.4.0 Jun 2024]Changes to how C sample programs with authentication capabilities are built
The C sample programs that allow users to connect to a queue manager with credentials have been altered so that authentication is only enabled when a new compile flag, SAMPLE_AUTH_ENABLED, is defined. Clients that build the shipped source sample files will need to define this compile flag if they wish to use authentication. For more information on how to build samples with and without authentication, see Preparing and running the sample programs.

Containers

[MQ 9.4.0 Jun 2024][Linux]Changed environment variables for the IBM MQ Advanced for Developers container image
Three new environment variables are added:
  • MQ_LOGGING_CONSOLE_SOURCE
  • MQ_LOGGING_CONSOLE_FORMAT (which supersedes LOG_FORMAT)
  • MQ_LOGGING_CONSOLE_EXCLUDE_ID

For more information, see IBM MQ Advanced for Developers container image.

[OpenShift Container Platform][MQ 9.4.0 Jun 2024]For use in containers, a certificate must have a unique Subject Distinguished Name
Queue manager certificates with the same Subject Distinguished Name (DN) as the issuer (CA) certificate are not supported for use with IBM MQ containers. The product now checks for this condition, and stops it from occurring.