2. Overview – "Continuous Delivery"
V8.0.0.3 FixPack released June 18 for all distributed platforms
– New function alongside the usual APARs
Some function automatically enabled, some needs specific configuration
– Often gated by CMDLEVEL (similar to NEWFUNC on z/OS)
– Use of all V8.0.0.3 function requires setting CMDLEVEL to 802
V8.0.0.4 FixPack released October 2015
– More new function
– Various RFEs satisfied
– No new CMDLEVEL needed to use new function
3. Message Expiry Cap
An attribute that enforces an expiry limit for messages
Allows administrators to override application behaviour
– If app asks for too large (or unlimited) expiry value, it is set to the cap
Initial implementation using CUSTOM on queues and topics
– ALTER QL(X) CUSTOM('CAPEXPRY(nnn)')
– ALTER TOPIC(X) CUSTOM('CAPEXPRY(ASPARENT)')
"CUSTOM" is another mechanism for new features in service stream
– Any future MQ version would migrate the function to a real attribute
– May change spellings, details when made first-class attribute
RFE 21984, 37837
4. Event formatting sample program
No sample ever shipped to format "standard" events
– Authorisation, queue full, service interval, command/config etc
– Other samples are available for acct/stats, activity reports
– Several SupportPacs but product only has out-of-date source code in the KC
New sample amqsevt formats events into readable English-ish text
– Option to stay with full MQI constant name instead of making it look nice
– Uses MQCB to read from multiple event queues. No polling required
– Can connect as client to any remote queue manager including z/OS
– Source code included
5. Examples
**** Message #1 (320 Bytes) on Queue SYSTEM.ADMIN.QMGR.EVENT ****
Event Type : Queue Mgr Event [44]
Reason : Unknown Alias Base Queue [2082]
Event created : 2015/07/07 10:54:51.17 GMT
Queue Mgr Name : V8003_A
Queue Name : EVT.NO.BASE.QUEUE
Base Object Name : EVT.NOT.DEFINED
Appl Type : Unix
Appl Name : amqsput
Base Type : Queue
**** Message #4 (300 Bytes) on Queue SYSTEM.ADMIN.QMGR.EVENT ****
Event Type : Queue Mgr Event[44]
Reason : Not Authorized [2035]
Event created : 2015/07/07 10:54:51.30 GMT
Queue Mgr Name : V8003_A
Reason Qualifier : Open Not Authorized
Queue Name : EVT.NO.PUT
Open Options : 0x00002010 [ fiq out ]
User Identifier : db2inst1
Appl Type : Unix
Appl Name : amqsput
6. MQI string formatting assistance
C header file now included to help convert MQI numbers to strings
Many developers have MQI strerror-like functions
– The hard work is now done for you
– The new cmqstrc.h is automatically updated (300+ new verbs!)
Similar to Java MQConstants.lookup() capability for all sets of constants
printf("Error is %s\n",MQRC_STR(2035));
printf("Completion Code is %s\n",MQCC_STR(CompCode));
printf("%s is %s\n",MQIA_STR(MQIA_PLATFORM),MQPL_STR(MQPL_UNIX));
will show
MQRC_NOT_AUTHORIZED
MQCC_OK
MQIA_PLATFORM is MQPL_UNIX
7. Command/Configuration Events for security changes
Configuration events give an audit trail of object changes
– Reports complete set of object attributes
Command events are "who did what, how"
– Show which parameters were used in the command
Existing command events for MQSC SET AUTHREC and PCF equivalent
– Not for setmqaut
No config events for any of these operations
V8.0.0.4 adds command events for setmqaut
Also adds configuration events for all mechanisms
RFE 53559
8. Example
**** Message #1 (324 Bytes) on Queue SYSTEM.ADMIN.COMMAND.EVENT ****
Event Type : Command Event
Reason : Command MQSC
Event created : 2015/07/07 10:26:47.82 GMT
Correlation Id : 414D5120563830335F41202020202CC001F03
COMMAND CONTEXT
Event User Id : metaylor
Event Origin : Console
Event Queue Mgr : V8003_A
Command : Set Auth Rec
COMMAND DATA
Auth Profile Name : self
Object Type : Queue Mgr
Principal Entity Names : db2inst1
Auth Add Auths : Connect
$ setmqaut -m V8003_A -t qmgr -p db2inst1 +connect
The setmqaut command completed successfully.
9.
**** Message #2 (316 Bytes) on Queue SYSTEM.ADMIN.CONFIG.EVENT ****
Event Type : Config Event
Reason : Config Change Object
Object state : Before Change
Correlation Id : 414D5120563830335F41202020202CC001F03
Event created : 2015/07/07 10:26:47.82 GMT
Event User Id : metaylor
Event Origin : Console
Event Queue Mgr : V8003_A
Object Type : Auth Rec
Auth Profile Name : self
Auth Rec Type : Queue Mgr
Entity Name : db2inst1
Entity Type : Principal
Authorization List : None
**** Message #3 (316 Bytes) on Queue SYSTEM.ADMIN.CONFIG.EVENT ****
Event Type : Config Event
Reason : Config Change Object
Object state : After Change
Correlation Id : 414D5120563830335F41202020202CC001F03
Event created : 2015/07/07 10:26:47.82 GMT
Event User Id : metaylor
Event Origin : Console
Event Queue Mgr : V8003_A
Object Type : Auth Rec
Auth Profile Name : self
Auth Rec Type : Queue Mgr
Entity Name : db2inst1
Entity Type : Principal
Authorization List : Connect
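The audit trail above can be reduced to "who changed which authority" by grouping the formatted events on Correlation Id. This is an added example, not code from the presentation or from MQ; the function names are hypothetical and it assumes the field labels appear exactly as in the output shown.

```python
# Constructed sample: the three events shown above, trimmed to the fields used.
SAMPLE = """\
**** Message #1 (324 Bytes) on Queue SYSTEM.ADMIN.COMMAND.EVENT ****
Correlation Id : 414D5120563830335F41202020202CC001F03
Event User Id : metaylor
Command : Set Auth Rec
**** Message #2 (316 Bytes) on Queue SYSTEM.ADMIN.CONFIG.EVENT ****
Object state : Before Change
Correlation Id : 414D5120563830335F41202020202CC001F03
Object Type : Auth Rec
Entity Name : db2inst1
Authorization List : None
**** Message #3 (316 Bytes) on Queue SYSTEM.ADMIN.CONFIG.EVENT ****
Object state : After Change
Correlation Id : 414D5120563830335F41202020202CC001F03
Object Type : Auth Rec
Entity Name : db2inst1
Authorization List : Connect
"""

def parse_events(text):
    """Split formatted event text into one dict of fields per message."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("**** Message #"):
            events.append({})
        elif " : " in line and events:
            key, value = line.split(" : ", 1)
            events[-1][key.strip()] = value.strip()
    return events

def auth_changes(events):
    """Group by Correlation Id, then report auth records whose list changed."""
    groups = {}
    for ev in events:
        groups.setdefault(ev.get("Correlation Id"), []).append(ev)
    changes = []
    for evs in groups.values():
        # Events come from different queues, so arrival order is not relied on.
        cmd = next((e for e in evs if "Command" in e), {})
        state = {e.get("Object state"): e for e in evs
                 if e.get("Object Type") == "Auth Rec"}
        old, new = state.get("Before Change"), state.get("After Change")
        if old and new and old["Authorization List"] != new["Authorization List"]:
            changes.append((cmd.get("Event User Id"), cmd.get("Command"),
                            new["Entity Name"], old["Authorization List"],
                            new["Authorization List"]))
    return changes
```
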
10. Certificate expiry made easier to parse
New option for runmqakm to print dates in a standard format
$ ./runmqakm -cert -list -db ./key.kdb -pw passw0rd -expiry -rfc3339
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Certification Authority (2048)"
Not After : 2019-12-24T18:20:51Z
! "Entrust.net Client Certification Authority"
Not After : 2019-10-12T19:54:30Z
! "Entrust.net Global Client Certification Authority"
Not After : 2020-02-07T16:46:40Z
RFE 65496
$ ./runmqakm -cert -list -db ./key.kdb -pw passw0rd -expiry
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Certification Authority (2048)"
Not After : 24 December 2019 18:20:51 GMT
! "Entrust.net Client Certification Authority"
Not After : 12 October 2019 20:54:30 GMT+01:00
! "Entrust.net Global Client Certification Authority"
Not After : 7 February 2020 16:46:40 GMT
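With the RFC 3339 form, an expiry check needs no locale or time-zone guesswork. This is an added example, not part of the presentation or of MQ; the function names are hypothetical and it assumes labels are quoted and followed by a "Not After" line as in the listing above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the -rfc3339 listing shown above.
LISTING = '''\
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Certification Authority (2048)"
Not After : 2019-12-24T18:20:51Z
! "Entrust.net Client Certification Authority"
Not After : 2019-10-12T19:54:30Z
! "Entrust.net Global Client Certification Authority"
Not After : 2020-02-07T16:46:40Z
'''

def parse_expiry(listing):
    """Return [(label, not_after)] with timezone-aware datetimes."""
    certs, label = [], None
    for line in listing.splitlines():
        line = line.strip()
        if line[:1] in "*-!#" and '"' in line:
            # Marker character followed by the quoted certificate label.
            label = line.split('"')[1]
        elif line.startswith("Not After") and label:
            stamp = line.split(":", 1)[1].strip()
            # fromisoformat() accepts "+00:00" on all Python 3.7+ versions.
            when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
            certs.append((label, when))
            label = None
    return certs

def expiring(listing, now, days):
    """Labels expiring within `days` of `now` (or already expired), soonest first."""
    limit = now + timedelta(days=days)
    due = sorted((when, label) for label, when in parse_expiry(listing)
                 if when <= limit)
    return [label for when, label in due]
```

In a scheduled check, `now` would be `datetime.now(timezone.utc)` and the listing would be the captured command output.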
11. MQLight integration
Next delivery phase of support for MQLight client connections to an MQ queue manager
– V8.0.0.2 and V8.0.0.3 provided changes in MQ (eg to define AMQP channels)
– Had separate Tech Preview download for the channel "listener" service
V8.0.0.4 removes need for the Tech Preview download
MQLight integration becomes part of standard MQ installation
– "AMQP Service" is selectable component during install
– All Unix/Linux platforms and Windows
– Change to fileset component list forces a manufacturing refresh
– PPA downloads then give an install image already at V8.0.0.4
– This will not be available in V8.0.0.4 fixpack from FixCentral
– But V8.0.0.5 will go on top of earlier versions, no matter how you got there (will not update a non-existent AMQP component)
12. XA Configuration
When MQ is a transaction manager, XAOpenString in qm.ini defines how to connect to a resource manager (database)
– String can contain connection credentials
Long-lived requirement not to have plain-text passwords in the file
– Most people have used OS authentication (ie which id is running the program) with no need to provide additional credentials
– Sample exits have shown how to solve this but you had to write some code
V8.0.0.4 includes an official solution
New command setmqxacred to define id/password for DB connection
– XAOpenString now can refer to ++USERID++, ++PASSWORD++ and have variables replaced
– Separate file contains obfuscated password similar to mqccred channel exit
RFE 53133
13. SSL/TLS Configuration verification
SupportPac MH03 provides a tool to validate SSL/TLS configurations
Checks include
– Missing files
– Incorrect SSLKEYR queue manager attribute
– Password settings
– Certificate labels, expiry dates and trust chains
– Validate queue manager and client certificates against each other
– Verifies SSLCAUTH/SSLPEER settings with queue manager
MH03 does not work with current MQ versions – built on old toolkits
Now part of MQ product
– Renamed to mqcertck
– Updated to work with current MQ versions and recognise new features such as per-channel certificates
14. Relocatable/redistributable client
Shipping client as a simple tar/zip image removing need to install
– Application users do not need OS admin privileges to install MQ code
– Developers will still need a properly-installed SDK for header files
Windows and Linux x64 for now
– Additional platforms would be considered based on demand
License changes make it legal to embed client image with applications
Includes C, C++, COBOL, Java and .Net libraries
Client images still also available in traditional format
RFE 26670, 38765, 26671, 30697 etc
15. And for the future
Continue to plan for more frequent delivery of new function
Incremental changes instead of releases containing large amounts