View Only

MQ Appliance 9.3.3: SSH certificate authentication and file system usage notifications

By Jamie Squibb posted Tue June 20, 2023 12:14 PM


The IBM MQ Appliance is a hardware offering that provides a dedicated and optimised platform for hosting IBM MQ queue managers. It includes integrated support for high availability (HA), disaster recovery (DR) and IBM MQ Advanced capabilities, such as Advanced Message Security (AMS). You can read more about the appliance at

From version 9.3.3, the MQ Appliance firmware includes support for standard SSH password and certificate authentication, and it includes a file system usage monitor that provides notifications about disk consumption.

SSH authentication updates

SSH is a widely used protocol for establishing secure connections to remote servers for command line interaction. Prior to 9.3.3, the MQ Appliance firmware supports SSH, but it implements a proprietary authentication method whereby users must enter both their username and password. From 9.3.3, this method is still used by default, but you can alternatively enable standard SSH password and/or certificate authentication instead. When you enable these options, the SSH service on the appliance responds as per SSH on other systems, which helps to meet user expectations, simplify scripting, and satisfy security policies that mandate certificates.

Default authentication (no configured SSH authentication method)

The username and password are entered at the proprietary prompts.

$ ssh hostname

login: username
Password: ********

Unauthorized access prohibited.

Welcome to IBM MQ Appliance M2003A console configuration.



SSH password authentication

The SSH client determines the username automatically, or it can be explicitly specified. The client prompts for the password, then the credentials are sent to the appliance for authentication.

$ ssh user@hostname
user@hostname's password: ********

Unauthorized access prohibited.

Welcome to IBM MQ Appliance M2003A console configuration.



SSH CA-signed certificate authentication

The SSH client determines the username automatically, or it can be explicitly specified. The client sends a certificate to the appliance for authentication. Assuming this is successful, the user is logged in. If a valid certificate is not provided, then the connection can either be rejected, or the user can be prompted for a password instead.

$ ssh -i user-key user@hostname

Unauthorized access prohibited.

Welcome to IBM MQ Appliance M2003A console configuration.



The MQ Appliance supports CA-signed SSH certificates instead of unsigned SSH keys. This means that a user can only login by using a certificate that has been signed by a trusted CA key, which enforces a centralised point of control. It also means that the appliance only needs to be configured with the CA public key instead of needing the public key for every user. Individual certificates can be revoked, as required. The certificate is only used for authentication, so the user must still be authorised to login and perform operations, as per when using a password. The SSH authentication method is configured on the appliance in a new section under RBM Settings.

The RBM settings to configure SSH authentication

File system usage monitor

The appliance has two types of built-in storage:

  • Flash storage, where the appliance firmware, the system configuration and the system logs reside.
  • RAID (SSD) storage, where queue manager data, queue manager logs and other MQ configuration files reside.

These storage devices are divided in to file systems that are used for specific purposes, which also enables quotas to be enforced for different types of data. Each queue manager is allocated its own file system, and it is this file system that is replicated between appliances in a high availability (HA) or disaster recovery (DR) configuration.

It is best practice to monitor disk usage to understand trends, to aid ongoing capacity planning, and to respond to high disk usage before a file system becomes full. Prior to 9.3.3, file system usage information can be queried by using the CLI, the REST API, or other administrative interfaces. These commands and APIs enable the information to be polled, but additional orchestration is required to do this.

From 9.3.3, the MQ Appliance firmware also includes a file system usage monitor. This monitor can be scheduled to query file system usage and record this information in the log at a configurable interval. Warning and critical usage thresholds can be configured, either globally or for individual file systems, to control the severity of the notifications written to the log. The MQ Appliance firmware supports the streaming of logs to central monitoring tools, such as Splunk and Elastic Stack. By including file system usage information in these logs, it is easy to monitor file system usage over time, and receive timely notifications for file systems that are becoming full so that corrective action can be taken. In a HA or DR configuration, the monitor reports file system usage information for queue managers that have the primary role.

The File System Usage Monitor settings

[warn] File system for queue manager 'QM1' is 55% used, 28862 MB free.
[info] File system for queue manager 'QM2' is 0% used, 64139 MB free.

Additional information

What’s new and changed for the MQ Appliance in 9.3.3

What’s new and changed for MQ in 9.3.3

SSH authentication for CLI sessions

Disk space monitoring




Wed June 28, 2023 11:07 AM

Hi Jamie, 
Thank you very clear.   The title confused me where it says SSH certificate authentication. 

SSH can use public key authentication to generate a secure connection.  It does not need a certificate.   It can optionally use certificates.   The Linux Doc says

A variation on public key authentication is available in the form of certificate authentication: instead of a set of public/private keys, signed certificates are used.  This has the advantage that a single trusted certification authority can be used in place of many public/private keys.  See the   CERTIFICATES section of ssh-keygen(1) for more information.

You described logging on with SSH and using your logged on userid.   I read the blog post as using the information from the certificate to authenticate. 

It may be I read the SSH doc wrongly. 


Wed June 28, 2023 05:53 AM

Hi Colin,

SSH clients usually default the user name to the userid that they are invoked by on the client host, for example:

$ whoami

$ ssh m2003a04
jamie@m2003a04's password: 

You can override this default behaviour on the command line by using either:

$ ssh -l admin m2003a04
admin@m2003a04's password: 


$ ssh admin@m2003a04
admin@m2003a04's password: 

Alternatively, you can configure the user name to use in the SSH client's configuration file (for example ~/.ssh/config):

Host m2003a04
    User admin

It will depend on the specific SSH client you are using though. It is not something that the SSH server (i.e. the appliance) controls.

It is also worth noting that the principal associated with the certificate needs to match the userid you are using to login. See

Wed June 28, 2023 05:30 AM


How does "The SSH client determines the username automatically," work.   does it take the userid from the CN? or is there a mapping of CN to userid within the appliance.

On z/OS My certificate has a CN="COLIN PAICE", and my userid is IBMUSER, and I have a RACF mapping for this.

The CN does not have to be unique within an organisation.   The CN,C,O,OU tends to be unique.