9.4.2 marks ten years of the MQ Appliance

By Jamie Squibb posted Mon March 24, 2025 07:25 AM

  

The IBM MQ Appliance was originally released on 13 March 2015, so this month marks its 10-year anniversary. Its simple form factor and maintenance, easy deployment, and built-in support for both high availability (HA) and disaster recovery (DR) continue to provide a valuable and attractive platform for running IBM MQ. The past ten years have seen both notable updates to the appliance hardware and important enhancements to the firmware. The current M2003 hardware includes RAID 10 with NVMe SSDs for high performance disk I/O, up to 6TB of built-in storage for MQ data, and support for 1Gb, 10Gb, 40Gb and 100Gb Ethernet connectivity. The firmware includes IBM MQ Advanced and important enterprise features, such as HA, DR, encryption for data at rest, TLS and IBM MQ Advanced Message Security.

A photograph of the current MQ Appliance M2003 hardware model.

IBM MQ 9.4.2 is the latest continuous delivery (CD) release, which recently became available. This firmware release has a security focus for the MQ Appliance, with updates including:

  • Support for the MQ UserExternal security policy, which can simplify messaging user management when TLS mutual authentication is used for MQ client connections. 
  • Support for TLS certificate authentication for the web UI and REST API.
  • Support for OIDC authentication for the web UI.
  • Support for configuring certificate validation checks for AMS MCA interception by using OCSP or CRL. 

Other updates include new commands for configuring AMQP properties (dspamqp and setamqp), and generating performance metrics (mqperfck).

The TLS certificate authentication and OIDC authentication enhancements continue our journey of providing richer authentication options, especially those that help to eliminate the need for user passwords. The 9.3.3 firmware release introduced support for SSH certificate authentication for command line access. These latest enhancements in 9.4.2 introduce equivalent capability for the web UI and for REST. The OIDC enhancement can be used by customers who need to implement multi-factor authentication (MFA).

These authentication options required us to design a mapping from a TLS certificate DN or an OIDC subject name to a valid MQ user ID for subsequent authority checks. Custom plugins or scripts cannot be run on the appliance because they might compromise system integrity, so the firmware enables you to define rules for implementing this user mapping instead. These mapping rules can match explicit values, or they can use regular expressions to define policies that apply to multiple identities. For example, you can easily extract the common name (CN) from a certificate DN, or the value of any other DN attribute, and either use this value directly, or map it to an alternative user name. OIDC subject names can be similarly mapped, as required.
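The rule-based mapping described above, sketched in Python as an added example; it is not code or rule syntax from the appliance firmware or its documentation. The rule table, the comma-separated DN string format and the sample DNs are all constructed for illustration. It contrasts rules that pin the whole DN with a rule that only extracts the CN, and it denies any identity that no rule matches.

```python
import re

# Constructed rule table for illustration; this is NOT the appliance's rule syntax.
# Each rule is (kind, pattern, user template). The first matching rule wins.
RULES = [
    ("exact", "CN=mqadmin,OU=Ops,O=Example Corp,C=GB", "admin"),
    # Pin OU/O/C so only DNs from the expected organisation can match.
    # The 12-character bound on the user name is an assumption of this example.
    ("regex", r"CN=([a-z][a-z0-9]{0,11}),OU=Messaging,O=Example Corp,C=GB", r"\1"),
    # Map to an alternative user name instead of using the CN directly.
    ("regex", r"CN=svc-([a-z0-9]+),OU=Services,O=Example Corp,C=GB", r"svc\1"),
]

def map_identity(dn, rules=RULES):
    """Return the mapped user ID, or None (deny) when no rule matches."""
    for kind, pattern, template in rules:
        if kind == "exact":
            if dn == pattern:
                return template
        else:
            # fullmatch anchors the pattern to the entire DN string.
            m = re.fullmatch(pattern, dn)
            if m:
                return m.expand(template)
    return None

def loose_cn(dn):
    """Weak form for comparison: takes the CN and ignores every other attribute."""
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1) if m else None

# Constructed sample DNs; the last one has the right CN but the wrong organisation.
SAMPLE_DNS = [
    "CN=mqadmin,OU=Ops,O=Example Corp,C=GB",
    "CN=alice,OU=Messaging,O=Example Corp,C=GB",
    "CN=svc-billing,OU=Services,O=Example Corp,C=GB",
    "CN=alice,OU=Messaging,O=Other Org,C=GB",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{dn!r}: pinned={map_identity(dn)!r} cn_only={loose_cn(dn)!r}")
```

The last sample DN is denied by the pinned rules but still yields `alice` from the CN-only rule, which is why a CN-extracting rule is only as strong as the set of CAs trusted to issue client certificates.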

For more information about these features and the other enhancements in MQ 9.4.2, see the MQ Appliance documentation and/or use the links below.

IBM MQ Appliance: What's new and changed in release 9.4.2
https://www.ibm.com/docs/en/mq-appliance/9.4?topic=appliance-whats-new-changed-in-release-942

IBM MQ Appliance: Defining external users
https://www.ibm.com/docs/en/mq-appliance/9.4?topic=users-defining-external

IBM MQ Appliance: User authentication with TLS certificates
https://www.ibm.com/docs/en/mq-appliance/9.4?topic=management-user-authentication-tls-user-certificates

IBM MQ Appliance: User authentication with OIDC
https://www.ibm.com/docs/en/mq-appliance/9.4?topic=management-user-authentication-oidc
