MO71 – AMS Policy Commands

MQGem recently delivered a new version of MO71 that supports the new IBM MQ V9 release. As well as support for the new command level, there were a number of other features in this new version of MO71. One of those new features was the inclusion of the Advanced Message Security (AMS) policy commands.

AMS policy commands allow you to create policies for the protection of messages on your MQ queues. You can define the following types of policies:-

  • Integrity Policy
    To quote Knowledge Center,

    Integrity protection is provided by digital signing, which provides assurance on who created the message, and that the message has not been altered or tampered with.

    An integrity policy has a signature algorithm, but no encryption algorithm.

  • Privacy Policy
    To quote Knowledge Center,

    Privacy protection is provided by a combination of digital signing and encryption.

    A privacy policy has both a signature algorithm and an encryption algorithm.

  • Confidentiality Policy
    New in IBM MQ V9, to quote Knowledge Center,

    Confidentiality protection is provided by encryption only.

    A confidentiality policy has no signature algorithm, but does have an encryption algorithm. The Key Reuse feature is applicable to this type of policy. Jon Rumsey has a great write-up of this new IBM MQ V9 feature on the MQDev blog, MQ V9 Fast encrypted messages with MQ – Introducing AMS Confidentiality Policies.
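The three policy types above differ only in which algorithms are set, and Key Reuse is only meaningful for the encrypt-only type. The following shell script is an added example, not code from the MO71 post or from MQGem: it derives the policy type from the signature and encryption algorithms, checks that a key reuse setting is only used with a confidentiality policy, and prints the matching setmqspl command (the flags are the documented setmqspl ones: -m, -p, -s, -a, -e, -r and, from V9, -c). The queue manager, queue and DN values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not MQGem code): classify an AMS protection policy by the
# algorithms it carries and emit the setmqspl command that defines it.
#   integrity       = signature algorithm only
#   privacy         = signature algorithm + encryption algorithm
#   confidentiality = encryption algorithm only (the only type where key reuse applies)
# QM1, PAYROLL.Q and the DNs below are constructed placeholder values.

# ams_policy_type SIGALG ENCALG -> INTEGRITY | PRIVACY | CONFIDENTIALITY | NONE
ams_policy_type() {
    if [ "$1" != NONE ] && [ "$2" = NONE ]; then
        echo INTEGRITY
    elif [ "$1" != NONE ] && [ "$2" != NONE ]; then
        echo PRIVACY
    elif [ "$1" = NONE ] && [ "$2" != NONE ]; then
        echo CONFIDENTIALITY
    else
        echo NONE
    fi
}

# ams_key_reuse_ok TYPE KEYREUSE -> true when the key reuse setting is valid
# for that policy type: 0 (no reuse) is always fine, anything else needs a
# confidentiality policy.
ams_key_reuse_ok() {
    [ "$2" = 0 ] || [ "$1" = CONFIDENTIALITY ]
}

# ams_setmqspl QMGR QUEUE SIGALG ENCALG KEYREUSE SIGNER_DN RECIPIENT_DN
# Prints a comment naming the policy type and the setmqspl command, or an
# error on stderr with return code 1 when the combination is not a valid policy.
ams_setmqspl() {
    qmgr=$1 queue=$2 sig=$3 enc=$4 reuse=$5 signer=$6 recip=$7
    ptype=$(ams_policy_type "$sig" "$enc")
    if [ "$ptype" = NONE ]; then
        echo "error: $queue: a policy needs a signature or an encryption algorithm" >&2
        return 1
    fi
    if ! ams_key_reuse_ok "$ptype" "$reuse"; then
        echo "error: $queue: key reuse (-c) only applies to confidentiality policies" >&2
        return 1
    fi
    # Encryption is for named recipients, so an encryption algorithm needs a recipient DN.
    if [ "$enc" != NONE ] && [ -z "$recip" ]; then
        echo "error: $queue: encryption algorithm set but no recipient DN given" >&2
        return 1
    fi
    cmd="setmqspl -m $qmgr -p $queue -s $sig -e $enc"
    [ -n "$signer" ] && cmd="$cmd -a \"$signer\""
    [ -n "$recip" ] && cmd="$cmd -r \"$recip\""
    [ "$reuse" != 0 ] && cmd="$cmd -c $reuse"
    echo "# $ptype policy"
    echo "$cmd"
}

# Demonstration: one policy of each type, then a combination that is rejected.
ams_setmqspl QM1 PAYROLL.Q SHA256 NONE 0 "CN=Payroll App,O=Example" ""
ams_setmqspl QM1 PAYROLL.Q SHA256 AES256 0 "CN=Payroll App,O=Example" "CN=Payroll Svc,O=Example"
ams_setmqspl QM1 PAYROLL.Q NONE AES256 32 "" "CN=Payroll Svc,O=Example"
ams_setmqspl QM1 PAYROLL.Q SHA256 AES256 32 "" "CN=Payroll Svc,O=Example" || echo "rejected: key reuse on a privacy policy"
```

Run it as a plain sh script; it only prints the commands, so you can review them before issuing anything against a queue manager.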

[Figure: MO71 Protection Policies Menu. Work with AMS Protection Policies in MO71]

If your queue manager is not yet at V9, you can use this latest version of MO71 to manage your Integrity and Privacy policies on your pre-V9 Distributed Queue Manager.

You’ll find the Protection Policy dialogs along with your other security commands.

You can list your policies, amend and delete them, and create new ones through the familiar MO71 dialogs. You can also export them as you can any other queue manager configuration, and filter them using MO71’s powerful filter capabilities.

[Figure: MO71 Protection Policies Dialog. Use MO71 to display and manage your Integrity, Privacy and Confidentiality Policies]


If this feature interests you and you’d like to try it out for yourself, you can download MO71 from the MQGem website and if you don’t currently have a licence, you may email support@mqgem.com to request a trial licence.

MQSCX feature – CommandLevel and Platform

In a recent update to MQSCX, two new features were introduced which allow you to discover the Command Level and Platform of the queue manager that the script is currently connected to.

The Command Level feature is aptly demonstrated by a new example script, mqauthlist.mqsx, available in our Example Scripts bundle. This script uses the DISPLAY AUTHREC command to interrogate the queue manager for the current authorisation settings for the queue manager. This command is only available at a command level of 710 or above, and the script utilises a new MQSCX system variable, _cmdlevel to check for this before attempting to issue any such commands. Here’s how:-

** QMgr must be at command level 710 or greater to use this script.
if( _cmdlevel < 710 )
   fprint @hf,"QMgr does not support authorization record queries."
   fprint @hf,"Command Level must be 710 or greater.",_nl
   continue
endif

Although not illustrated in this script, the other new MQSCX system variable, which goes hand-in-hand with _cmdlevel, is _platform. It allows you to check that the platform of the queue manager is as expected before doing something in a script that depends on a particular platform.

The values of _cmdlevel and _platform are the same values that you would see if you issued the MQSC command:-

DISPLAY QMGR CMDLEVEL PLATFORM

when the script is connected to a queue manager, and -1 and NOTCONNECTED respectively when the script is not connected to a queue manager.
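For readers without MQSCX, the same guard the mqauthlist.mqsx snippet performs with _cmdlevel can be done in plain shell over the output of DISPLAY QMGR CMDLEVEL PLATFORM. The script below is an added example, not MQGem code: it pulls CMDLEVEL and PLATFORM out of runmqsc output, falls back to -1 and NOTCONNECTED when the queue manager did not answer (mirroring the MQSCX convention described above), and only then decides whether DISPLAY AUTHREC can be issued. The runmqsc output is a constructed sample, not a capture, and QM1 is a placeholder queue manager name.

```shell
#!/bin/sh
# Added example (not MQGem code): the _cmdlevel/_platform check done in plain
# shell from the output of "DISPLAY QMGR CMDLEVEL PLATFORM".
# Constructed sample of runmqsc output for a running queue manager (QM1 is a placeholder).
SAMPLE_CONNECTED='     1 : DISPLAY QMGR CMDLEVEL PLATFORM
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)                             CMDLEVEL(802)
   PLATFORM(UNIX)
One MQSC command read.'

# Constructed sample of the output when the queue manager is not available.
SAMPLE_DOWN='AMQ8146E: IBM MQ queue manager not available.'

# extract_attr OUTPUT NAME -> the value inside the first NAME(...) found, or empty
extract_attr() {
    printf '%s\n' "$1" | sed -n "s/.*$2(\([^)]*\)).*/\1/p" | head -n 1
}

# qm_cmdlevel OUTPUT -> numeric command level, or -1 when not connected
qm_cmdlevel() {
    lvl=$(extract_attr "$1" CMDLEVEL)
    [ -n "$lvl" ] && printf '%s\n' "$lvl" || printf '%s\n' -1
}

# qm_platform OUTPUT -> platform name, or NOTCONNECTED when not connected
qm_platform() {
    plat=$(extract_attr "$1" PLATFORM)
    [ -n "$plat" ] && printf '%s\n' "$plat" || printf '%s\n' NOTCONNECTED
}

# authrec_supported CMDLEVEL -> true when DISPLAY AUTHREC can be issued (710 or greater);
# -1 (not connected) is correctly rejected by the numeric comparison.
authrec_supported() {
    [ "$1" -ge 710 ]
}

# In real use the output would come from:
#   out=$(echo 'DISPLAY QMGR CMDLEVEL PLATFORM' | runmqsc QM1 2>&1)
out=$SAMPLE_CONNECTED
lvl=$(qm_cmdlevel "$out")
plat=$(qm_platform "$out")
if authrec_supported "$lvl"; then
    echo "Command level $lvl on $plat: DISPLAY AUTHREC is available"
else
    echo "QMgr does not support authorization record queries."
    echo "Command Level must be 710 or greater (found $lvl, platform $plat)."
fi
```

Swap SAMPLE_CONNECTED for the real runmqsc output to use it against a queue manager; the platform value can be gated in the same way as the command level.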


The best way to understand scripts is of course to have a go with them yourself. There are various examples in the download, so why not try them out yourself. If you are not currently an MQSCX licence holder, you may email support@mqgem.com to request a trial licence.

Looking back on 2015

In this post we look back on the year that was 2015 and what happened in both IBM MQ, and MQGem Software.

New Versions

Both IBM MQ and MQGem Software products had a number of new releases in 2015.

MQGem Software products

Three new versions of our premier product, MO71 – a graphical administrative product for IBM MQ. Version 8.0.2 was released in January, 8.0.3 was released in April, and 8.0.4 was released in November.

A new version of MQSCX – our extended MQSC product, version 8.0.1, was released in May.

A new product, QLOAD V8.0.1 was released in June, with an initial three month free trial period.

IBM MQ Fix Packs and new function

One new Fix Pack on IBM WebSphere MQ V7.0.1. Fix Pack 7.0.1.13 was released in August. Two new Fix Packs on IBM WebSphere MQ V7.1. Fix Pack 7.1.0.7 in November, and 7.1.0.6 in January. One new Fix Pack on IBM WebSphere MQ V7.5. Fix Pack 7.5.0.5 was released in May.

Three new Fix Packs on IBM MQ V8. Fix Pack 8.0.0.2 in February – introducing new Command Level 801, 8.0.0.3 in June – introducing new Command Level 802 and new function, and 8.0.0.4 in October also adding new function.

IBM delivered the new MQ Appliance M2000 in February. Here’s the Announce Letter, Blog Post and Video. An IBM Redbook was released in November: Integrating the IBM MQ Appliance into your IBM MQ Infrastructure. Later in the year, it then delivered on the SoD with the DR capability added to the appliance – read more about it in How the IBM MQ Appliance Brings MQ and High Availability Together.

IBM provided the MQLight function, and AMQP client protocol in IBM MQ, as part of FixPack 8.0.0.4 in October. Read more about it in MQ support for MQ Light and AMQP 1.0 released in 8.0.0.4.

Videos

At your request, dear customers, MQGem Software has created a number of videos of our products. Each product has a playlist.


The MO71 playlist contains the following 7 videos.

The MQSCX playlist contains the following two videos.

Conference Events

There have been quite a number of events throughout 2015 that have had IBM MQ content delivered at them. I hope you were able to attend at least one. The presentation material is online for many of these events, and download links are shown below where we are aware of them.

Online articles

There have been some really great blog posts written throughout 2015. Lots of the guys in IBM Hursley have been blogging about the new features they have been releasing throughout the year. The IBM MQ Blogosphere has really grown over 2015. Read more in IBM MQ Blogosphere.

2015 has been a great year for all things MQ. MQGem wishes all its customers, readers, and friends a Happy and Prosperous 2016. HAPPY NEW YEAR!

MQGem products support Command Level 802

With the release of the latest Fix Pack on V8, V8.0.0.3, there was the introduction of a new Command Level 802. Read more about Fix Pack 3 and what’s in Command Level 802 in the following posts.

With the newest revisions of MQSCX V8.0.1 and MO71 V8.0.3, both these MQGem Software products now support Command Level 802.

Read more about the other features in these releases of our products:-

MQ V8.0.0.3 is available – What does that mean for you?

On Thursday 18th June, IBM released V8.0.0 Fix Pack 3 for the MQ product.

You can obtain this Fix Pack from IBM Fix Central from the above link.

What does this Fix Pack mean to you?

Defect Fixes

First and foremost, this is a Fix Pack and contains fixes to various defects. The list of defects that have been fixed can be found here. Note that MQ Fix Packs are cumulative service, meaning that all the fixes from previous Fix Packs are included, so you’ll get all the fixes from Fix Pack 2, for example, even if you didn’t have that Fix Pack installed before.

Security Fixes

The table of fixes in the above link indicates, in the first two columns, whether the fix is a security APAR or a HIPER APAR. Fix Pack 3 contains 2 security APARs and 1 HIPER APAR.

The security and HIPER APARs from Fix Pack 3

Security APAR | HIPER APAR | APAR    | APAR Description
Yes           |            | IT07224 | CVE-2015-1957
Yes           |            | IT08199 | CVE-2015-1967
              | Yes        | IV70337 | Memory errors with cluster queue managers when putting applications are using queues with the DEFBIND(GROUP) attribute

T.Rob reminds us that where security fixes are concerned, to stay compliant, you have a limited amount of time to get this Fix Pack applied. The time span will vary depending on what your shop has dictated, or your business partners have dictated or whether you are trying to stay compliant with a particular system, for example PCI-DSS.

Here are some good articles on the subject:-

New Function

This Fix Pack also releases some new functions.

PAM Authentication

The first delivers RFE 61007 which requested that the Connection Authentication feature introduced in IBM MQ V8 should make use of Pluggable Authentication Module (PAM).

Mark Taylor introduces us to this new function in Fix Pack 3.

To use this new function you need to run a special variant of the strmqm command to set the new command level, as described in an earlier blog post about the 801 Queue Manager.

Due to the introduction of this new function, which contains a new object attribute, there is a new Command Level 802, so the post I originally wrote for the new Command Level 801 has been updated to include the small number of changes for 802 as well.

Extended “Queue Manager Active” Events

The second is some new information in the Queue Manager Active Event which helps when running a multi-instance queue manager by adding both the hostname that the queue manager is running on and indicating whether standby is permitted or not.

Mark Taylor has another video for us on this new function.

You can see the details of this extra data in the event reference section of Knowledge Center.

More Deprecated CipherSpecs

Does this count as new function or not? Well, one thing that is new is the way you re-enable these deprecated CipherSpecs if you’re unlucky enough to still have requirements to use these weaker algorithms. Read all about it in another blog post, “Deprecated CipherSpecs”.

Giving channel exits access to details of Remote connection

There are two fields that tell you a lot of information about the remote connection, and those are Remote Product (RPRODUCT) and Remote Version (RVERSION). You can read more about these fields in IBM MQ Little Gem #2: RPRODUCT and RVERSION. These fields were previously only available on the DISPLAY CHSTATUS command. In this Fix Pack they are extended to be available to channel exits by being provided in the channel exits parameter structure (MQCXP). This change delivers RFE 60616 which notes that it will be delivered on z/OS at some future point. Here is a snippet of the end of the structure definition from Fix Pack 3 so that you can see the fields. You can read more details in Knowledge Center: MQCXP fields RemoteProduct and RemoteVersion.

typedef struct tagMQCXP MQCXP;
typedef MQCXP MQPOINTER PMQCXP;

struct tagMQCXP {
:
  MQCHAR4   RemoteProduct;            /* The identifier for the */
                                      /* remote product */
  MQCHAR8   RemoteVersion;            /* The version of the remote */
                                      /* product */
  /* Ver:9 */
};

Next MQLight Beta Phase

The next phase of the MQLight Beta relies upon Fix Pack 8.0.0.3. Among other things it adds CHLAUTH rules and SSL/TLS support to the AMQP channels. You can read more about the changes in this blog post by Matthew Whitehead.


IBM Certified Specialist

Morag Hughson is a Certified IBM MQ Specialist
IBM Certified System Administrator – MQ V8.0
Find her on: LinkedIn: http://uk.linkedin.com/in/moraghughson   Twitter: https://twitter.com/MoragHughson   SlideShare: http://www.slideshare.net/moraghughson

MQGem products support the MQ Appliance

[Photo: The MQ appliance, taken at InterConnect]

With the recent releases of MQSCX V8.0.1 and MO71 V8.0.3, both these MQGem Software products now support the MQ Appliance.

The MQ Appliance is a Command Level 801 queue manager in an appliance form factor. Lots of great information about the MQ Appliance can be found at ibm.biz/MQApplianceMoreInfo and if you’re on Twitter check out the hashtag #MQAppliance.

Read more about the other features in these new releases of our products:-

What’s in Command Levels 801 and 802

MQ 801 Goody Bag

IBM MQ V8.0.0 Fix Pack 2 introduces a new Command Level, 801, and Fix Pack 3 introduces Command Level 802. Read What is an 801 Queue Manager? for details on how to enable these new Command Levels.

This post captures the changes that are available once you have an 801 or 802 Queue Manager.

LDAP Authorization

The V8.0.0 Connection Authentication feature which checked your user ID and password has been extended in V8.0.0.2 to allow LDAP authorization as well. The new fields that allow you to configure this on an AUTHTYPE(IDPWLDAP) Authentication Information object are protected by the 801 Command Level.

MQSC name: see DEF AUTHINFO (look for the KC 8002 indicator)
PCF constant and values: see Create Authentication Information (look for the KC 8002 indicator)

LDAP Auth Method
  MQSC name: AUTHORMD
    • OS
    • SEARCHGRP
    • SEARCHUSR
  PCF: MQIA_LDAP_AUTHORMD (263)
    • MQLDAP_AUTHORMD_OS (0)
    • MQLDAP_AUTHORMD_SEARCHGRP (1)
    • MQLDAP_AUTHORMD_SEARCHUSR (2)

LDAP Group Object Class
  MQSC name: CLASSGRP
  PCF: MQCA_LDAP_GROUP_OBJECT_CLASS (2133)
    • String of length MQ_LDAP_CLASS_LENGTH (128)

LDAP Base DN Group
  MQSC name: BASEDNG
  PCF: MQCA_LDAP_BASE_DN_GROUPS (2132)
    • String of length MQ_LDAP_BASE_DN_LENGTH (1024)

LDAP Group Attr Field
  MQSC name: GRPFIELD
  PCF: MQCA_LDAP_GROUP_ATTR_FIELD (2134)
    • String of length MQ_LDAP_FIELD_LENGTH (128)

LDAP Find Group
  MQSC name: FINDGRP
  PCF: MQCA_LDAP_FIND_GROUP_FIELD (2135)
    • String of length MQ_LDAP_FIELD_LENGTH (128)

LDAP Group Nesting
  MQSC name: NESTGRP
    • NO
    • YES
  PCF: MQIA_LDAP_NESTGRP (264)
    • MQLDAP_NESTGRP_NO (0)
    • MQLDAP_NESTGRP_YES (1)

PAM Authentication

The V8.0.0 Connection Authentication feature which checked your user ID and password has been extended in V8.0.0.3 to allow PAM authentication as a choice. The new field that allows you to configure this on an AUTHTYPE(IDPWOS) Authentication Information object is protected by the 802 Command Level.

MQSC name: see DEF AUTHINFO (look for the KC 8003 indicator)
PCF constant and values: see Create Authentication Information (look for the KC 8003 indicator)

Authentication Method
  MQSC name: AUTHENMD
    • OS
    • PAM
  PCF: MQIA_AUTHENTICATION_METHOD (266)
    • MQAUTHENTICATE_OS (0)
    • MQAUTHENTICATE_PAM (1)

Channel Status

Channels now show the security protocol in use – helping those people who were unsure how to answer the oft-asked question after the POODLE vulnerability, “are you still using an SSL CipherSpec?” Now instead of looking up your CipherSpec in the table in Knowledge Center, you can instead see this information output in the channel status display. Read more about this in Know your protocol.

MQSC name: see DIS CHSTATUS (look for the KC 8002 indicator)
PCF constant and values: see Inquire Channel Status (look for the KC 8002 indicator)

Security Protocol
  MQSC name: SECPROT
    • NONE
    • SSLV3
    • TLSV1
    • TLSV12
  PCF: MQIACH_SECURITY_PROTOCOL (1645)
    • MQSECPROT_NONE (0)
    • MQSECPROT_SSLV30 (1)
    • MQSECPROT_TLSV10 (2)
    • MQSECPROT_TLSV12 (4)

AMQP Channel

In support of the MQLight in IBM MQ Beta, there is a whole new channel type with an associated set of channel attributes added. This is not yet documented in Knowledge Center but is visible when operating a queue manager at Command Level 801, and in the header files for PCF applications. Along with the Beta download that enables some of these attributes, there is a PDF of instructions on how to use the attributes available at the above link for the Beta. Be aware that although you can view and set all these attributes, not all of them are implemented by the current Beta. Get involved with the Beta program and read the PDF file mentioned above to see which attributes are currently usable.

For each new attribute, the MQSC name is followed by the PCF constant and its values.

Channel Type
  MQSC name: CHLTYPE
    • AMQP
  PCF: MQIACH_CHANNEL_TYPE (1511)
    • MQCHT_AMQP (11)

Description
  MQSC name: DESCR
  PCF: MQCACH_DESC (3502)
    • String of length MQ_CHANNEL_DESC_LENGTH

Port
  MQSC name: PORT
  PCF: MQIACH_PORT (1522)
    • Value in the range 1 – 65335

Local Address
  MQSC name: LOCLADDR
  PCF: MQCACH_LOCAL_ADDRESS (3520)
    • String of length MQ_LOCAL_ADDRESS_LENGTH

SSL/TLS Certificate Label
  MQSC name: CERTLABL
  PCF: MQCA_CERT_LABEL (2121)
    • String of length MQ_CERT_LABEL_LENGTH

SSL/TLS Cipher Spec
  MQSC name: SSLCIPH
  PCF: MQCACH_SSL_CIPHER_SPEC (3544)
    • String of length MQ_SSL_CIPHER_SPEC_LENGTH

SSL/TLS Client Auth
  MQSC name: SSLCAUTH
  PCF: MQIACH_SSL_CLIENT_AUTH (1568)
    • String of length MQ_SSL_CIPHER_SPEC_LENGTH

SSL/TLS Peer Name
  MQSC name: SSLPEER
  PCF: MQCACH_SSL_PEER_NAME (3545)
    • String of length MQ_SSL_PEER_NAME_LENGTH

Alteration Date
  MQSC name: ALTDATE
  PCF: MQCA_ALTERATION_DATE (2027)
    • String of length MQ_DATE_LENGTH

Alteration Time
  MQSC name: ALTTIME
  PCF: MQCA_ALTERATION_TIME (2028)
    • String of length MQ_TIME_LENGTH

AMQP Keep Alive
  MQSC name: AMQPKA
  PCF: MQIACH_AMQP_KEEP_ALIVE (1644)
    • Values in the range 0 – 99 999
    • MQKAI_AUTO

Use Client Identifier
  MQSC name: USECLTID
    • YES
    • NO
  PCF: MQIACH_USE_CLIENT_ID (1629)
    • MQUCI_YES (1)
    • MQUCI_NO (0)

Max Message Length
  MQSC name: MAXMSGL
  PCF: MQIACH_MAX_MSG_LENGTH (1510)
    • Values in the range 0 – 100MB

MCA UserId
  MQSC name: MCAUSER
  PCF: MQCACH_MCA_USER_ID (3527)
    • String of length MQ_MCA_USER_ID_LENGTH

Max Instances
  MQSC name: MAXINST
  PCF: MQIACH_MAX_INSTANCES (1618)
    • Values in the range 0 – 999 999 999

Display Connection

With the introduction of the AMQP channel in CommandLevel 801, there is also a new attribute returned when you display application connections.

MQSC name: see DIS CONN (look for the KC 8002 indicator)

AMQP Client ID
  MQSC name: CLIENTID
  PCF: MQCACF_AMQP_CLIENT_ID (3207)
    • String of length MQ_AMQP_CLIENT_ID_LENGTH (256)

Queue Manager Object

With the introduction of the AMQP channel in CommandLevel 801, there is also a new attribute on the queue manager object.

AMQP Capability
  MQSC name: AMQPCAP
    • NO
    • YES
  PCF: MQIA_AMQP_CAPABILITY (265)
    • MQCAP_NOT_SUPPORTED (0)
    • MQCAP_SUPPORTED (1)

You can get the equivalent information for earlier Command Levels from these posts.
