What’s in Command Levels 90x

MQ90x StairsIBM MQ released Long Term Support release V9.0.0 back in June 2016 which had a Command Level of 900. The subsequent Continuous Delivery releases, V9.0.1, V9.0.2 and V9.0.3 have each introduced their own Command Levels, 901, 902 and 903 respectively.

This post captures the changes that are available in each of those Command Levels.

Release Command Level Features protected by Command Level – details below
V9.0.0.0 900 AMS Protection Policy enhancement – Confidentiality Policy
LDAP Authorization on Windows
V9.0.1 901 No changes protected by Command Level
V9.0.2 902 Log management features
V9.0.3 903 No changes protected by Command Level

AMS Protection Policy enhancement – Confidentiality Policy

With the introduction of Confidentiality Policies in Command Level 900, there is a new attribute on the Set Policy command. A confidentiality policy has no signature algorithm, but does have a encryption algorithm. The Key Reuse feature is applicable to this type of policy. Jon Rumsey has a great write-up of this IBM MQ V9 feature on the MQDev blog, MQ V9 Fast encrypted messages with MQ – Introducing AMS Confidentiality Policies.

AMS Policy

New Attribute MQSC name
See SET POLICY
Look for KC 9000 indicator
PCF constant and values
See Set Policy
Look for KC 9000 indicator
Key Reuse

KEYREUSE

  • DISABLED
  • UNLIMITED
  • 1 – 9999999

MQIA_KEY_REUSE_COUNT (267)

  • MQKEY_REUSE_DISABLED (0)
  • MQKEY_REUSE_UNLIMITED (-1)
  • 1 – 9999999

LDAP Authorization on Windows

Introduced in Command Level 801 on Unix, this feature extended the V8.0.0 Connection Authentication feature which checked your user ID and password, to allow LDAP authorization as well. The fields now available on Windows are the same as those noted in the earlier post for Command Level 801, and are not repeated here.

Log management

With the introduction of Automatic management of linear log extents, and Automatic writing of media images, in Command Level 902, there are new attributes on the queue manager object, queue manager status, and one on queue objects. Mark Whitlock has written about this in an MQDev Blog Post: Logger enhancements for MQ v9.0.2.

Queue Manager Object

New Attribute MQSC name
See ALTER QMGR
Look for KC 902 indicator
PCF constant and values
See Change Queue Manager
Look for KC 902 indicator
Image Schedule

IMGSCHED

  • AUTO
  • MANUAL

MQIA_MEDIA_IMAGE_SCHEDULING (268)

  • MQMEDIMGSCHED_AUTO (1)
  • MQMEDIMGSCHED_MANUAL (0)
Image Interval

IMGINTVL

  • 1 – 999 999 999
  • OFF

MQIA_MEDIA_IMAGE_INTERVAL (269)

  • 1 – 999 999 999
  • MQMEDIMGINTVL_OFF (0)
Image Log Length

IMGLOGLN

  • 1 – 999 999 999
  • OFF

MQIA_MEDIA_IMAGE_LOG_LENGTH (270)

  • 1 – 999 999 999
  • MQMEDIMGLOGLN_OFF (0)
Image Recover Object

IMGRCOVO

  • NO
  • YES

MQIA_MEDIA_IMAGE_RECOVER_OBJ (271)

  • MQIMGRCOV_NO (0)
  • MQIMGRCOV_YES (1)
Image Recover Queue

IMGRCOVQ

  • NO
  • YES

MQIA_MEDIA_IMAGE_RECOVER_Q (272)

  • MQIMGRCOV_NO (0)
  • MQIMGRCOV_YES (1)

Queue Manager Status

New Attribute MQSC name
See DISPLAY QMSTATUS
Look for KC 902 indicator
PCF constant and values
See Inquire Queue Manager Status
Look for KC 902 indicator
Archive Log Extent Name

ARCHLOG

MQCACF_ARCHIVE_LOG_EXTENT_NAME (3208)

  • String of length MQ_LOG_EXTENT_NAME_LENGTH (24)
Archive Log Size

ARCHSZ

MQIACF_ARCHIVE_LOG_SIZE (1416)

Media Log Size

MEDIASZ

MQIACF_MEDIA_LOG_SIZE (1417)

Restart Log Size

RECSZ

MQIACF_RESTART_LOG_SIZE (1418)

Reusable Log Size

REUSESZ

MQIACF_REUSABLE_LOG_SIZE (1419)

Archive Log In Use

LOGINUSE

MQIACF_LOG_IN_USE (1420)

Archive Log Utilization

LOGUTIL

MQIACF_LOG_UTILIZATION (1421)

Reset QMgr command

Updated attribute MQSC name
See RESET QMGR
Look for KC 902 indicator
PCF constant and values
See Reset Queue Manager
Look for KC 902 indicator
Action

TYPE

  • REDUCELOG
  • ARCHLOG

MQIACF_ACTION (1086)

  • MQACT_REDUCE_LOG (10)
  • MQACT_ARCHIVE_LOG (11)
Archived Log

ARCHIVED

MQCACF_ARCHIVE_LOG_EXTENT_NAME (3208)

  • String of length MQ_LOG_EXTENT_NAME_LENGTH (24)
Log Reduction

REDUCE

  • AUTO
  • ONE
  • MAX

MQIACF_LOG_REDUCTION (1422)

  • MQLR_AUTO (-1)
  • MQLR_ONE (1)
  • MQLR_MAX (-2)

Queue Local and Queue Model

New Attribute MQSC name
See DEFINE queues
Look for KC 902 indicator
PCF constant and values
See Change, Copy, and Create Queue
Look for KC 902 indicator
Image Recover Queue

IMGRCOVQ

  • NO
  • YES
  • QMGR

MQIA_MEDIA_IMAGE_RECOVER_Q (272)

  • MQIMGRCOV_NO (0)
  • MQIMGRCOV_YES (1)
  • MQIMGRCOV_AS_Q_MGR (2)

You can get the equivalent information for earlier Command Levels from these posts.

Advertisements

MO71 – AMS Policy Commands

MQGem recently delivered a new version of MO71 that supports the new IBM MQ V9 release. As well as support for the new command level, there were a number of other features in this new version of MO71. One of those new features was the inclusion of the Advanced Message Security (AMS) policy commands.

AMS policy commands allow you to create policies for the protection of messages on your MQ queues. You can define the following types of policies:-

  • Integrity Policy
    To quote Knowledge Center,

    Integrity protection is provided by digital signing, which provides assurance on who created the message, and that the message has not been altered or tampered with.

    An integrity policy has a signature algorithm, but no encryption algorithm.

  • Privacy Policy
    To quote Knowledge Center,

    Privacy protection is provided by a combination of digital signing and encryption.

    A privacy policy has both a signature algorithm and an encryption algorithm.

  • Confidentiality Policy
    New in IBM MQ V9, to quote Knowledge Center,

    Confidentiality protection is provided by encryption only.

    A confidentiality policy has no signature algorithm, but does have a encryption algorithm. The Key Reuse feature is applicable to this type of policy. Jon Rumsey has a great write-up of this new IBM MQ V9 features on the MQDev blog, MQ V9 Fast encrypted messages with MQ – Introducing AMS Confidentiality Policies.

MO71 Protection Policies Menu

Work with AMS Protection Policies in MO71

If your queue manager is not yet at V9, you can use this latest version of MO71 to manage your Integrity and Privacy policies on your pre-V9 Distributed Queue Manager.

You’ll find the Protection Policy dialogs along with your other security commands.

You can list your policies, amend and delete them, and create new ones through the familiar MO71 dialogs. You can also export them as you can any other queue manager configuration, and filter them using MO71’s powerful filter capabilities.

MO71 Protection Policies Dialog

Use MO71 to display and manage your Integrity, Privacy and Confidentiality Policies


If this feature interests you and you’d like to try it out for yourself, you can download MO71 from the MQGem website and if you don’t currently have a licence, you may email support@mqgem.com to request a trial licence.

MQSCX feature – CommandLevel and Platform

In a recent update to MQSCX, two new features were introduced which allow you to discover the Command Level and Platform of the queue manager that the script is currently connected to.

The Command Level feature is aptly demonstrated by a new example script, mqauthlist.mqsx, available in our Example Scripts bundle. This script uses the DISPLAY AUTHREC command to interrogate the queue manager for the current authorisation settings for the queue manager. This command is only available at a command level of 710 or above, and the script utilises a new MQSCX system variable, _cmdlevel to check for this before attempting to issue any such commands. Here’s how:-

** QMgr must be at command level 710 or greater to use this script.
if( _cmdlevel < 710 )
   fprint @hf,"QMgr does not support authorization record queries."
   fprint @hf,"Command Level must be 710 or greater.",_nl
   continue
endif

CmdLevel PlatformAlthough not illustrated in this script, the other new MQSCX system variable which goes hand-in-hand with _cmdlevel is _platform which allows you to check the platform of the queue manager is as expected before doing something in a script that is dependent on a particular platform.

The values of _cmdlevel and _platform are the same values that you would see if you issued the MQSC command:-

DISPLAY QMGR CMDLEVEL PLATFORM

when the script is connected to a queue manager, and -1 and NOTCONNECTED respectively when the script is not connected to a queue manager.


The best way to understand scripts is of course to have a go with them yourself. There are various examples in the download, so why not try them out yourself. If you are not currently an MQSCX licence holder, you may email support@mqgem.com to request a trial licence.

Looking back on 2015

In this post we look back on the year that was 2015 and what happened in both IBM MQ, and MQGem Software.

New Versions

Both IBM MQ and MQGem Software products had a number of new releases in 2015.

MQGem Software products

Three new versions of our premier product, MO71 – a graphical administrative product for IBM MQ. Version 8.0.2 was released in January, 8.0.3 was released in April, and 8.0.4 was released in November.

A new version of MQSCX – our extended MQSC product, version 8.0.1, was released in May.

A new product, QLOAD V8.0.1 was released in June, with an initial three month free trial period.

IBM MQ Fix Packs and new function

One new Fix Pack on IBM WebSphere MQ V7.0.1. Fix Pack 7.0.1.13 was released in August. Two new Fix Packs on IBM WebSphere MQ V7.1. Fix Pack 7.1.0.7 in November, and 7.1.0.6 in January. One new Fix Pack on IBM WebSphere MQ V7.5. Fix Pack 7.5.0.5 was released in May.

Three new Fix Packs on IBM MQ V8. Fix Pack 8.0.0.2 in February – introducing new Command Level 801, 8.0.0.3 in June – introducing new Command Level 802 and new function, and 8.0.0.4 in October also adding new function.

IBM delivered the new MQ Appliance M2000 in February. Here’s the Announce Letter, Blog Post and Video. An IBM Redbook was released in November: Integrating the IBM MQ Appliance into your IBM MQ Infrastructure. Later in the year, it then delivered on the SoD with the DR capability added to the appliance – read more about it in How the IBM MQ Appliance Brings MQ and High Availability Together.

IBM provided the MQLight function, and AMQP client protocol in IBM MQ, as part of FixPack 8.0.0.4 in October. Read more about it in MQ support for MQ Light and AMQP 1.0 released in 8.0.0.4.

Videos

At your request, dear customers, MQGem Software has created a number of videos of our products. Each product has a playlist.

YouTube

The MO71 playlist contains the following 7 videos.

The MQSCX playlist contains the following two videos.

Conference Events

There have been quite a number of events throughout 2015 that have had IBM MQ content delivered at them. I hope you were able to attend at least one. The presentation material is online for many of these events, and download links are shown below where we are aware of them.

Online articles

There have been some really great blog posts written throughout 2015. Lots of the guys in IBM Hursley have been blogging about the new features they have been releasing throughout the year. The IBM MQ Blogosphere has really grown over 2015. Read more in IBM MQ Blogosphere.

 
2015 has been a great year for all things MQ. MQGem wishes all its customers, readers, and friends a Happy and Prosperous 2016. HAPPY NEW YEAR!

MQGem products support Command Level 802

With the release of the latest Fix Pack on V8, V8.0.0.3, there was the introduction of a new Command Level 802. Read more about Fix Pack 3 and what’s in Command Level 802 in the following posts.

With the newest revisions of MQSCX V8.0.1 and MO71 V8.0.3, both these MQGem Software products now support Command Level 802.

Read more about the other features in these releases of our products:-

MQ V8.0.0.3 is available – What does that mean for you?

On Thursday 18th June, IBM released V8.0.0 Fix Pack 3 for the MQ product.

You can obtain this Fix Pack from IBM Fix Central from the above link.

What does this Fix Pack mean to you?

Defect Fixes

First and foremost, this is a Fix Pack and contains fixes to various defects. The list of defects that have been fixed can be found here. Note that MQ Fix Packs are cumulative service, meaning that all the fixes from previous Fix Packs are included, so you’ll get all the fixes from Fix Pack 2, for example, even if you didn’t have that Fix Pack installed before.

Security Fixes

The table of fixes in the above link indicates, in the first two columns, whether the fix is a security APAR or a HIPER APAR. Fix Pack 3 contains 2 security APARs and 1 HIPER APAR.

The security and HIPER APARs from Fix Pack 3
Security
APAR
HIPER
APAR
APAR Description
  IT07224 CVE-2015-1957
  IT08199 CVE-2015-1967
  IV70337 Memory errors with cluster queue managers when putting applications are using queues with the DEFBIND(GROUP) attribute

T.Rob reminds us that where security fixes are concerned, to stay compliant, you have a limited amount of time to get this Fix Pack applied. The time span will vary depending on what your shop has dictated, or your business partners have dictated or whether you are trying to stay compliant with a particular system, for example PCI-DSS.

Here are some good articles on the subject:-

New Function

This Fix Pack also releases some new functions.

PAM Authentication

The first delivers RFE 61007 which requested that the Connection Authentication feature introduced in IBM MQ V8 should make use of Pluggable Authentication Module (PAM).

Mark Taylor introduces us to this new function in FixPac 3.

 
To use this new function you need to run a special variant of the strmqm command to set the new command level, as described in an earlier blog post about the 801 Queue Manager.

Due to the introduction of this new function, which contains a new object attribute, there is a new Command Level 802, so the post I originally wrote for the new Command Level 801 has been updated to include the small number of changes for 802 as well.

Extended “Queue Manager Active” Events

The second is some new information in the Queue Manager Active Event which helps when running a multi-instance queue manager by adding both the hostname that the queue manager is running on and indicating whether standby is permitted or not.

Mark Taylor has another video for us on this new function.

 
You can see the details of this extra data in the event reference section of Knowledge Center.

More Deprecated CipherSpecs

Does this count as new function or not? Well, one thing that is new is the way you re-enable these deprecated CipherSpecs if you’re unlucky enough to still have requirements to use these weaker algorithms. Read all about it in another blog post, “Deprecated CipherSpecs”.

Giving channel exits access to details of Remote connection

There are two fields that tell you a lot of information about the remote connection, and those are Remote Product (RPRODUCT) and Remote Version (RVERSION). You can read more about these fields in IBM MQ Little Gem #2: RPRODUCT and RVERSION. These fields were previously only available on the DISPLAY CHSTATUS command. In this Fix Pack they are extended to be available to channel exits by being provided in the channel exits parameter structure (MQCXP). This change delivers RFE 60616 which notes that it will be delivered on z/OS at some future point. Here is a snippet of the end of the structure definition from Fix Pack 3 so that you can see the fields. You can read more details in Knowledge Center: MQCXP fields RemoteProduct and RemoteVersion.

typedef struct tagMQCXP MQCXP;
typedef MQCXP MQPOINTER PMQCXP;

struct tagMQCXP {
:
  MQCHAR4   RemoteProduct;            /* The identifier for the */
                                      /* remote product */
  MQCHAR8   RemoteVersion;            /* The version of the remote */
                                      /* product */
  /* Ver:9 */
};

Next MQLight Beta Phase

The next phase of the MQLight Beta relies upon Fix Pack 8.0.0.3. Among other things it adds CHLAUTH rules and SSL/TLS support to the AMQP channels. You can read more about the changes in this blog post by Matthew Whitehead.


IBM Certified Specialist

Morag Hughson is a Certified IBM MQ Specialist
IBM Certified System Administrator – MQ V8.0
Find her on: LinkedIn: http://uk.linkedin.com/in/moraghughson   Twitter: https://twitter.com/MoragHughson   SlideShare: http://www.slideshare.net/moraghughson

MQGem products support the MQ Appliance

MQ Appliance

The MQ appliance – photo taken at InterConnect

With the recent releases of MQSCX V8.0.1 and MO71 V8.0.3, both these MQGem Software products now support the MQ Appliance.

The MQ Appliance is a Command Level 801 queue manager in an appliance form factor. Lots of great information about the MQ Appliance can be found at ibm.biz/MQApplianceMoreInfo and if you’re on Twitter check out the hashtag #MQAppliance.

Read more about the other features in these new releases of our products:-