MQ

  • 1.  MQ Security and AMS

    Posted Wed March 07, 2018 10:50 AM

    I am currently a Middleware Systems Engineer for mostly IBM MQ and a little bit of WebSphere Application Server and WebSphere Transformation Extender (WTX/ITX). I’m interested in addressing MQ security and AMS as our company is starting to address increasing security internally and externally with MQ. We are only using basic MQ security (local user and AD/service accounts) in our configured architecture.

    I am interested in best practices for HA (high availability) in a virtualized environment. I would like to make the most of our current licensing budget. What are other users doing with relation to licensing and cloud environments?

    My company is in the infancy of cloud integration, which MQ is currently not a part of. We will be using Azure for cloud development. Our MQ presence is fairly small (about 5-6 queue managers) at present, using PUT/GET and not using PUB/SUB.

    Any advice/feedback/support you can provide is appreciated.



  • 2.  RE: MQ Security and AMS

    Posted Thu March 08, 2018 03:12 AM

    Hi John,

    I'm the IBM Offering Manager for MQ on z/OS. You're not alone - we're seeing a lot of clients look to adopt AMS at the moment, particularly in the context of increasing regulation around security of customer data (GDPR, PCI-DSS, HIPAA amongst others). If you have licensing for AMS you can enable message level security (via configuration rather than application changes) such that the payload is encrypted end-to-end across the MQ network (so in-flight over channels, at rest on disk and in memory within queue managers). I'd recommend the following blog on this topic:

    https://developer.ibm.com/messaging/2018/01/08/protecting-messages-rest/

    Performance overhead is also minimal for the new "confidentiality" option (V9.0.1 onwards) and you can configure the amount of key reuse to balance this against your security requirements.

    On the Cloud/virtualised environment topic, MQ can be deployed in several container technologies (Docker is probably most popular). It is also a great way to provide connectivity between on-premises systems and applications deployed in a variety of cloud environments, including Azure. You can certainly utilise existing PVUs by assigning them to these environments (bring your own license).

    For high availability, there are a number of options depending on your requirements and platform - software-based HA is built into MQ on distributed platforms (there is reduced cost licensing available for standby instances), you can use clustering, create highly available queue managers using data replication and, if on z/OS, make use of Coupling Facilities to create highly available shared queues with shared storage and automatic recovery.

    Very happy to organise a call on any of the above - mail me at sunleym@uk.ibm.com.



  • 3.  RE: MQ Security and AMS

    Posted Fri March 09, 2018 03:05 AM

    Just a brief comment on the HA aspect of this inquiry and that is to point out that the innate asynchronous nature of MQ messaging means that it is essential to consider the whole system picture (what happens if I have persistent messages stuck on queues) when designing appropriate HA. If it is possible to approach the MQ system as providing a service such that availability of the service (rather than recoverability of the message data) is the key aim of the HA design, then as Matthew has mentioned, there are a number of approaches and facilities that can be used. But apart from the unique data sharing capability of sysplex shared queues on z/OS, there may be the need to cater for messages stuck on queues that are part of some bigger business transaction. (Note that even with completely synchronous 2-pc transactions, there still can be an element of doubt after failures).