What's new and changed in release 9.4.0

This topic describes new and changed features in version 9.4.0 of the appliance firmware.

Features that are new to continuous delivery users are identified by a light blue version flag; features that are new to long term service users are identified by a dark blue version flag.

Features new to CD and LTS users

The following features are new at version 9.4.0 to both continuous delivery (CD) and long term service (LTS) users of the IBM® MQ Appliance.

The following features are new for version 9.4.0:

  • Key repository backups now use the PKCS#12 format. For more details, see Key repository archive format.
  • For features that are new and changed with IBM MQ V9.4.0, see What's new and changed in IBM MQ V9.4.0 in the IBM MQ documentation.
  • The ability to disable TLS renegotiation. You can disable renegotiation for the web UI and REST interfaces to appliance administration functions (this does not apply to IBM MQ channels). See TLS connections.

Features new to LTS users

The following features are new at version 9.4.0 to long term service (LTS) users of the IBM MQ Appliance. (The features have been available to CD users in version 9.3.X CD releases.)

  • The version 9.4.0 firmware supports disaster recovery (DR) between two high availability (HA) pairs of appliances, so that HA is automatically available after a DR fail over. See Configuring disaster recovery fail over to another high availability group.
  • Several changes have been made to the IBM MQ Console:
    • The console now has a view that shows details of applications that are connected to queue managers. See IBM MQ Console: Working with applications.
    • The console now has a view that shows details of objects that are associated with queues. See IBM MQ Console: Working with queues.
    • There is a new Overview tab for queue managers in IBM MQ Console that displays various information about a queue manager and the resources it is consuming. See Quick tour of the IBM MQ Console. This tab makes it easier to see at a glance what the overall state of the queue manager is, and any problems that might need to be investigated. Some of the information is derived from monitoring system topics. This monitoring can be disabled if required. See setmqweb (set mqweb server configuration).
    • There are two new overview tabs in the IBM MQ Console. The Applications Overview tab displays a number of tiles giving a quick view of applications connected to the queue manager being viewed. The MQ Network Overview tab displays a number of tiles giving a quick view of the queue manager to queue manager communication for the queue manager being viewed. See Quick tour of the IBM MQ Console.
    • In the IBM MQ Console, the timestamps associated with queue managers are now displayed in the timezone where the queue manager is running, rather than the timezone of the console.
  • New attributes have been added to the DISPLAY QMSTATUS command. These attributes report additional information and help with administration and troubleshooting. See DISPLAY QMSTATUS (display queue manager status) on Multiplatforms in the main IBM MQ documentation.
  • Users can now log in to the appliance by using an SSH certificate. See SSH authentication for CLI sessions. SSH certificates can be individually revoked to remove access when required. See Managing the SSH revoked keys list for authenticating CLI sessions.
  • Disk space usage is now monitored and written as log events. You can configure what is monitored and the level of information written to logs. See Disk space monitoring.
  • You now have access to a number of IBM-provided and supported connectors that can copy data from IBM MQ to Kafka, or from Kafka to IBM MQ. See Configuring Kafka connectors.
  • The following SHA2 signatures are now supported for SSH certificates:
    • rsa-sha2-256
    • rsa-sha2-512

    To generate an SSH certificate that uses one of these algorithms, use an OpenSSH client at version 8 or later. Use the -t parameter to specify the required algorithm.

    For example, to generate an unsigned public/private key:
    ssh-keygen -t rsa-sha2-256 -b 4096 -f admin-key -C admin
    For example, to generate a signed certificate from an unsigned key:
    ssh-keygen -t rsa-sha2-256 -s mqa-ssh-user-ca -I admin -n admin admin-key.pub
  • There is a new secure backup and restore facility that simplifies and streamlines the process of backing up the appliance configuration and messaging users and groups. See Back up and restore.

Features changed for CD and LTS users

  • Default TLS server profile to secure connections from clients. The default TLS server profile that secures connections from clients to the web UI or REST interface supports only TLS 1.2 and TLS 1.3 and the following cipher suites in preference order.
    • AES_256_GCM_SHA384
    • CHACHA20_POLY1305_SHA256
    • ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • ECDHE_RSA_WITH_AES_256_GCM_SHA384
    Instead of using the built-in TLS server profile that uses a self-signed certificate, you can use a custom TLS server profile or TLS SNI server profile to secure connections from clients.
  • Password aliases. The maximum character length of plain text and encrypted password has increased from 127 to 512 characters.

Features changed for LTS users

  • For new or reinitialized appliances, the option to generate error reports at startup is enabled by default. The option is also enabled if you reset the failure notification configuration to its default settings. See Configuring failure notification using the web UI.
  • When you create a TLS client or server profile, the following cipher suites are no longer defined as default cipher suites.
    DHE_DSS_WITH_AES_256_GCM_SHA384
    DHE_DSS_WITH_AES_256_CBC_SHA256
    DHE_DSS_WITH_AES_256_CBC_SHA
    RSA_WITH_AES_256_GCM_SHA384
    RSA_WITH_AES_256_CBC_SHA256
    RSA_WITH_AES_256_CBC_SHA
    DHE_DSS_WITH_AES_128_GCM_SHA256
    DHE_DSS_WITH_AES_128_CBC_SHA256
    DHE_DSS_WITH_AES_128_CBC_SHA
    RSA_WITH_AES_128_GCM_SHA256
    RSA_WITH_AES_128_CBC_SHA256
    RSA_WITH_AES_128_CBC_SHA
    This change does not affect existing TLS client and server profiles. Review your TLS client and server profiles to evaluate whether your security requirements for TLS connections require these cipher suites. For more information, see the documentation for the following commands.
    • TLS client profile ciphers command.
    • TLS server profile ciphers command.
  • When you used the web UI to search for an object class by name, the following objects previously started with the word "Crypto":
    • Crypto certificate
    • Crypto certificate monitor
    • Crypto identification credentials
    • Crypto key
    • Crypto shared secret key
    • Crypto validation credentials
    These objects no longer start with the word "Crypto".
  • The following SSH cipher suites are no longer supported:
    3des-cbc
    aes128-cbc
    aes192-cbc
    aes256-cbc
    arcfour
    arcfour128
    arcfour256
    blowfish-cbc
    cast128-cbc
    rijndael-cbc@lysator.liu.se
    
  • The following SSH key exchange (KEX) algorithms are no longer supported:
    diffie-hellman-group1-sha1
    diffie-hellman-group14-sha1
    diffie-hellman-group-exchange-sha1
    
    The diffie-hellman-group14-sha1 algorithm was previously enabled by default. Check whether you were relying on it.
  • The following SSH message authentication code (MAC) algorithms are no longer supported:
    hmac-sha1-96
    hmac-md5
    hmac-md5-96
    hmac-ripemd160
    hmac-ripemd160@openssh.com
    hmac-sha1-96-etm@openssh.com
    hmac-md5-etm@openssh.com
    hmac-md5-96-etm@openssh.com
    hmac-ripemd160-etm@openssh.com
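
One way to check whether an SSH client relies on the ciphers, KEX algorithms or MACs removed above is to compare its effective configuration (`ssh -G` output) against those three lists. This is an added example, not IBM code: the `audit_ssh_client` helper, the status words and the sample host are assumptions made here. The page does not list which algorithms the appliance still accepts, so a REVIEW result means the client's remaining algorithms decide the outcome.

```shell
#!/bin/sh
# Algorithm names are copied from the "no longer supported" lists on this page.
REMOVED_CIPHERS="3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se"
REMOVED_KEX="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1"
REMOVED_MACS="hmac-sha1-96 hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha1-96-etm@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-ripemd160-etm@openssh.com"

# audit_ssh_client (hypothetical helper): reads `ssh -G <host>` output on stdin
# and prints "<keyword> <status> <removed algorithms offered>" per category.
#   BLOCKED  every algorithm the client offers was removed; negotiation must fail
#   REVIEW   some offered algorithms were removed; the rest decide the outcome
#   OK       the client offers none of the removed algorithms
audit_ssh_client() {
    awk -v c="$REMOVED_CIPHERS" -v k="$REMOVED_KEX" -v m="$REMOVED_MACS" '
    function load(list, key,    a, n, i) {
        n = split(list, a, " ")
        for (i = 1; i <= n; i++) removed[key, a[i]] = 1
    }
    BEGIN { load(c, "ciphers"); load(k, "kexalgorithms"); load(m, "macs") }
    { key = tolower($1) }
    NF >= 2 && (key == "ciphers" || key == "kexalgorithms" || key == "macs") {
        n = split($2, offered, ",")
        hit = ""; kept = 0
        for (i = 1; i <= n; i++) {
            if ((key, offered[i]) in removed) {
                sep = (hit == "") ? "" : ","
                hit = hit sep offered[i]
            } else {
                kept++
            }
        }
        status = (kept == 0) ? "BLOCKED" : (hit != "" ? "REVIEW" : "OK")
        print key, status, (hit == "" ? "-" : hit)
    }'
}

# Constructed sample of `ssh -G` output for a legacy client; not a real capture.
SAMPLE_SSH_G='host mqa.example.test
ciphers aes256-cbc,3des-cbc
kexalgorithms diffie-hellman-group14-sha1,curve25519-sha256
macs hmac-sha2-256,hmac-sha2-512'

# Real use: ssh -G <appliance-host> | audit_ssh_client
printf '%s\n' "$SAMPLE_SSH_G" | audit_ssh_client
```

Because `ssh -G` prints the configuration after all `Host` and `Match` blocks are applied, per-host overrides that pin a legacy algorithm show up in the result.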