Recent changes and updates in MQIPT

By Gwydion Tudur posted Mon August 10, 2020 06:23 AM

  

As MQ 9.2 is now available, I thought I'd take this opportunity to highlight some important recent changes and new features in MQ Internet Pass-Thru (MQIPT).

What is MQIPT?

In case you're not familiar with MQIPT, I'll start with some background.

MQIPT is an optional component of IBM MQ. It can be used to help connect MQ endpoints between remote sites across the internet. It essentially acts as a proxy for connections using the MQ protocol. Connections from a queue manager or client are forwarded to the destination queue manager, possibly passing through more than one instance of MQIPT. However, MQIPT can also perform various transformations on MQ connections, such as adding or removing TLS, or wrapping an MQ connection in HTTP, as well as validating connections before allowing them to pass through to the destination queue manager.

MQIPT typically runs on a different machine to MQ queue managers and clients, but it doesn’t have to - you can run it wherever you need to.

Common uses of MQIPT are to act as a single point of entry and exit for MQ connections entering and leaving your enterprise, therefore simplifying firewall rules and adding an extra layer of security that connections must pass through before getting to the queue managers. It's also often placed in a DMZ to terminate and re-encrypt TLS sessions for MQ connections.

As it becomes more common to connect MQ workload running in a cloud with MQ infrastructure running on-premise, MQIPT can help simplify the network connections required to set this up.

[Figure: Example of MQIPT used in a DMZ]

What changed in MQ 9.1.4?

MQIPT has been available for many years as a fully supported SupportPac. The most recent version of the SupportPac is MQIPT version 2.1.

However, since MQ 9.1.4, MQIPT is now an optional component of MQ itself. It's still a separate download and installation (you can download the latest version from FixCentral), and it's still free to use with any supported version of MQ.

The integration of MQIPT with MQ has brought several benefits. For instance, the Java Runtime Environment supplied with MQIPT has been upgraded to the Java 8 JRE that is also supplied with MQ. Also, the list of supported platforms is now more closely aligned with MQ. MQIPT is now supported on the same AIX, Linux and Windows platforms as MQ. This adds support for MQIPT on some new Linux platforms, while dropping support for some older operating system versions, HP-UX, and Solaris.

What if I'm currently using the MQIPT SupportPac?

For a long time the MQIPT SupportPac web page stated that the SupportPac would remain in support for as long as MQ version 8 remained in support. This means that the original published end of support date for the MQIPT SupportPac was 30th April 2020. However, more recently, the end of support date for the MQIPT SupportPac was extended to 30th September 2020, to allow more time for existing users of the SupportPac to migrate to a newer version.

If you're still using the MQIPT SupportPac, you need to take action soon to migrate to MQIPT 9.1.4 or higher. Now that MQ 9.2 is available, you have the option of migrating to MQIPT 9.2, which is an LTS release.

Migrating to a newer version of MQIPT is quite an easy process. In most cases your existing configuration will continue to work unchanged. However, bear in mind these two recent changes when migrating to a recent version of MQIPT:

  • Since version 9.1.4, only TLS 1.2 is enabled in MQIPT by default. SSL 3.0 and older versions of TLS can still be used, but they are now disabled by default. If you want to use these older protocols, you need to re-enable them first by following this procedure in the MQ Knowledge Center.
  • The MQIPT GUI (also known as the IPT Administration Client) has been removed in MQIPT 9.2. To configure and administer MQIPT 9.2, you need to manually edit the mqipt.conf configuration file, and use the mqiptAdmin command to refresh or stop running instances of MQIPT.
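Before migrating, it helps to know which routes depend on the protocols that are now disabled by default. The following is an added example, not code from IBM or from the original post: a small audit of an mqipt.conf file. It assumes the `SSLServer`, `SSLClient`, `SSLServerProtocols`, `SSLClientProtocols` and `ListenerPort` property names, the `SSLv3`/`TLSv1`/`TLSv1.1`/`TLSv1.2` values, and `[global]` values acting as route defaults, as described in the MQIPT documentation; check these against the version you run. The sample configuration is constructed and trimmed to the relevant properties.

```python
# Added example: find routes in an mqipt.conf that request protocols which
# MQIPT 9.1.4 and later leave disabled by default.
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
# Enabling switch -> protocol list (names assumed from the MQIPT docs).
TLS_PROPS = {"SSLServer": "SSLServerProtocols", "SSLClient": "SSLClientProtocols"}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
# [global] values are defaults that a [route] can override
[global]
SSLServerProtocols=TLSv1.1,TLSv1.2

[route]
ListenerPort=1415
SSLServer=true

[route]
ListenerPort=1416
SSLServer=true
SSLServerProtocols=TLSv1.2

[route]
ListenerPort=1417
SSLClient=true
SSLClientProtocols=SSLv3,TLSv1.2
"""

def parse_sections(text):
    """Return [(section, {property: value})]; [route] repeats, so no configparser."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().lower(), {}))
        elif line and not line.startswith("#") and "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def find_deprecated_protocols(text):
    """Return sorted (listener_port, property, protocol) findings for TLS-enabled routes."""
    sections = parse_sections(text)
    defaults = {k: v for name, props in sections if name == "global" for k, v in props.items()}
    findings = []
    for name, props in sections:
        effective = {**defaults, **props}
        for switch, prop in TLS_PROPS.items():
            if name != "route" or effective.get(switch, "").lower() != "true":
                continue
            requested = {p.strip() for p in effective.get(prop, "").split(",")}
            findings += [(effective.get("ListenerPort", "?"), prop, p) for p in requested & DEPRECATED]
    return sorted(findings)
```

Each finding is a route that will need the re-enabling procedure after migration, or a partner that should be moved to TLS 1.2 first.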

Are there any new features?

There have been several enhancements to MQIPT since it was integrated more closely with MQ.

In MQIPT 9.1.4, support for PKCS#11 hardware was introduced. This allows MQIPT to use certificates stored in hardware security modules (HSMs) that support the PKCS#11 interface. You need an MQ Advanced licence in order to use this feature.

In MQIPT 9.1.5, a more secure method for protecting passwords that are stored in the MQIPT configuration was introduced. If you are migrating from a previous version of MQIPT, I'd strongly suggest that you re-encrypt any passwords in the MQIPT configuration to take advantage of this feature.

And in MQIPT 9.2 there are several enhancements to make the administration of MQIPT easier and more secure. There are more details about these enhancements in this separate blog post.

Summary

In summary, if you're still using the MQIPT SupportPac, then please plan to upgrade to a more recent version before 30th September 2020 to ensure that the version of MQIPT you are running remains in support.

If you are not currently using MQIPT, but you need to connect MQ endpoints that are on different networks, then consider whether MQIPT can help to simplify the task of setting up these connections securely.

There is more information about MQIPT in the MQ Knowledge Center.

Comments

Mon August 17, 2020 09:42 AM

Completely missed the MQIPT end of service date of September 2020 😱 Doesn’t feel logical with introduction in a CD release to start the clock for end of service.