What's changed in Version 9.0.0, Fix Pack 1
IBM MQ Version 9.0.0, Fix Pack 1 includes a number of changes to functions and resources.
- JMS exception listener updates
- Support for class name allowlisting in JMS ObjectMessage
- IBM MQ resource adapter IVT application updated to support WildFly V10
- Proxy subscriptions are not modified to ADMIN when alterations are attempted
- Restriction on the use of topic alias queues in distribution lists
- Deprecated CipherSpecs
- GSKit version updated
- Adopting other security contexts when we use the ADOPTCTX(YES) parameter
- mqconfig change for nproc
- MQPROMPT environment variable for runmqsc
- fteMigrateAgent command changes
- New MFT agent property addCommandPathToSandbox
- New MFT agent property additionalWildcardSandboxChecking
- New agent property adminGroup for use with MFT agents on z/OS
JMS exception listener updates
From Version 9.0.0, Fix Pack 1 IBM MQ classes for JMS are updated so that:- An ExceptionListener registered by an application is invoked for any connection broken exceptions, regardless of whether the application is using synchronous or asynchronous message consumers.
- An ExceptionListener registered by an application is invoked if a TCP/IP socket used by a JMS Session is broken.
- Non-connection broken exceptions (for example MQRC_GET_INHIBITED) that arise during message delivery are delivered to an application's ExceptionListener when the application is using asynchronous message consumers and the JMS ConnectionFactory used by the application has the ASYNC_EXCEPTIONS property set to the value ASYNC_EXCEPTIONS_ALL.
For more information, see Exceptions in IBM MQ classes for JMS.
Support for class name allowlisting in JMS ObjectMessage
With APAR IT14385, and from Version 9.0.0, Fix Pack 1, IBM MQ classes for JMS supports allowlisting of classes in the implementation of the JMS ObjectMessage interface. The allowlist defines which Java classes might be serialized with ObjectMessage.setObject() and deserialized with ObjectMessage.getObject().
For more information, see Class name allowlisting in JMS ObjectMessage and Running IBM MQ classes for JMS applications under the Java Security Manager.
IBM MQ resource adapter IVT application updated to support WildFly V10
The IBM MQ Version 9.0 Long Term Support release resource adapter installation verification test application has been updated so that the WMQ_IVT_MDB.jar file contains the file META-INF\jboss-ejb3.xml, which is used by WildFly V10. The file WEB-INF\jboss-web.xml within the WMQ_IVT.war file contains the correct resource references for WildFly V10.
For more information, see Install and testing the resource adapter in Wildfly.
Proxy subscriptions are not modified to ADMIN when alterations are attempted
Subscriptions with a SUBTYPE of PROXY cannot be modified. From Version 9.0.0, Fix Pack 1, if an attempt is made to modify a proxy subscription, an error message is reported and the SUBTYPE is not modified to ADMIN. See DISPLAY SUB and ALTER SUB.
Restriction on the use of topic alias queues in distribution lists
Distribution lists do not support the use of alias queues that point to topic objects. From Version 9.0.0, Fix Pack 1, if an alias queue points to a topic object in a distribution list, IBM MQ returns MQRC_ALIAS_BASE_Q_TYPE_ERROR.
Deprecated CipherSpecs
From Version 9.0.0, Fix Pack 1, the following CipherSpecs are deprecated:
FIPS_WITH_3DES_EDE_CBC_SHA
- NULL_MD5
- NULL_SHA
- TRIPLE_DES_SHA_US
- TLS_RSA_WITH_NULL_MD5
- TLS_RSA_WITH_NULL_SHA
- ECDHE_ECDSA_NULL_SHA256
- ECDHE_RSA_NULL_SHA256
- TLS_RSA_WITH_NULL_NULL
- TLS_RSA_WITH_NULL_SHA256
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- ECDHE_ECDSA_3DES_EDE_CBC_SHA256
- ECDHE_RSA_3DES_EDE_CBC_SHA256
GSKit version updated
The GSKit version has been updated in Version 9.0.0, Fix Pack 1. The new version of GSKit alters the stash file format that is used when you generate an .sth file to stash the key database password. Stash files that are generated with this version of GSKit are not readable by earlier versions of GSKit.
To ensure that stash files that are generated with Version 9.0.0, Fix Pack 1, or later, are compatible with our applications and other IBM MQ installations, you must update to a version of IBM MQ that contains a compatible version of GSKit. The following fix packs contain a compatible version of GSKit:- v7.1.0.8
- v7.5.0.8
- v8.0.0.6
- v9.0.0.1
If we cannot update our applications or other IBM MQ installations, we can request a stash file format that is compatible with an earlier version. When we use the runmqakm or runmqckm commands with the -stash or -stashpw option, include the -v1stash command line parameter. We cannot use the iKeyman GUI to generate a stash file that is compatible with an earlier version.
Adopting other security contexts when we use the ADOPTCTX(YES) parameter
When we use the ADOPTCTX(YES) parameter on an authentication information object, another security context cannot be adopted unless you set the ChlauthEarlyAdopt parameter in the channels stanza of the qm.ini file.
For more information, see Attributes of the channels stanza.
mqconfig change for nproc
On Linux , each thread is implemented as a light-weight process (LWP) and each LWP is counted as one process against the resource limit nproc. Therefore nproc needs to be set based on the number of threads.
From Version 9.0.0, Fix Pack 1, the mqconfig script has been modified to display the number of processes based on number of threads running instead of the number of processes.
For more information about mqconfig and nproc, see Configure and tuning the operating system on Linux and mqconfig.
MQPROMPT environment variable for runmqsc
From Version 9.0.0, Fix Pack 1, we can make it easier to see that you are in an MQSC environment and see some details of the current environment by setting a prompt of your choice by using the MQPROMPT environment variable. For more information, see Administration using MQSC commands.
fteMigrateAgent command changes
From Version 9.0.0, Fix Pack 1 the fteMigrateAgent command has been updated to ensure that the check to see if the user is an administrator is traced.
The command has also been updated to check that user satisfies (at least) one of these conditions in order to run the migrate command on z/OSĀ®:- Be a member of the mqm group (if the mqm group exists).
- Be a member of the group named in the BFG_GROUP_NAME environment variable (if one is named).
- Have no value set in the BFG_GROUP_NAME environment variable.
For more information about the fteMigrateAgent command, see fteMigrateAgent .
New MFT agent property addCommandPathToSandbox
A new agent property addCommandPathToSandbox has been added to the Managed File Transfer component. This property is used to determine whether the directories specified by the commandPath property (and all of their subdirectories) should be added to the denied paths for both user sandboxes and the agent sandbox.
For more information, see The commandPath property and The agent.properties file.
New MFT agent property additionalWildcardSandboxChecking
From Version 9.0.0, Fix Pack 1, if an agent has been configured with a user or agent sandbox in order to restrict the locations that the agent can transfer files to and from, we can specify that additional checks are to be made on wildcard transfers for that agent by setting the additionalWildcardSandboxChecking property to true. For more information, see Additional checks for wildcard transfers and The agent.properties file.
New agent property adminGroup for use with MFT agents on z/OS
Version 9.0.0, Fix Pack 1 adds a new agent property adminGroup for use with Managed File Transfer agents on z/OS. This property defines the name of group of users who can:- Start the agent by using the fteStartAgent command.
- Stop the agent by using the fteStopAgent command.
- Enable or disable trace for the agent by using the fteSetAgentTraceLevel command.
- Display agent details by using the fteShowAgentDetails command.