CSQ4LOGS strips the MQRFH2 header added by log extract and converts it to a message handle before putting the message, to preserve the PROPCTL(V6COMPAT) behaviour.
Some of the tiles are driven by system topics, which z/OS does not provide, so those tiles are not available on z/OS:
- CPU Percentage: estimate of CPU usage by the queue manager. (Not applicable on z/OS®.)
- Memory Percentage: estimate of memory usage by the queue manager. (Not applicable on z/OS or Windows.)
- Storage Percentage: estimate of the free space of the disk on which the queue manager resides. (Not applicable on z/OS.)
- Active queues: Count of queues that either have messages, or are open for input or output.
- Connected queue managers: Count of currently connected queue managers as derived from active channels.
- Connected applications: Count of currently connected applications.
- Messages in the last minute: Displays a summary of the PUT/GET system topics that show message throughput every 10 seconds. (Not applicable on z/OS.)
- Subscriptions: Displays a count of subscriptions. Only visible on z/OS and on other platforms where monitoring of system topics is inhibited (see setmqweb properties).
- Deepest queues: Lists queues in order of depth. Shows current queue depth and maximum queue depth.
- Most recently used: Lists currently connected queue managers, ordered by last message date.
- Most recently connected: Lists currently connected applications as derived from active server-connection channels, ordered by channel start date and time.
- Oldest messages: Lists queues ordered by the oldest message date and time.
Just FYI for the speaker: Most organizations are now looking to single sign-on with multi-factor authentication for users and applications, either for how they modernize existing applications or certainly for their new applications. Not being able to do this might mean those applications won't integrate into your architecture, or that you need security exceptions and custom workarounds to make them fit.
IBM MQ is moving towards a password-less approach to authentication so that applications can operate more securely within a Multi-Factor Authentication (MFA) environment. We are introducing tokens as the way one party proves its identity to another:
Instead of storing or passing passwords, which is itself a security risk, the application presents a token. A token is a simple structure that carries claims about a user and can easily be transferred between parties over the network. It is cryptographically signed (or protected with a MAC) to form a JSON Web Signature (JWS).
If all your services trust one issuer, you don't need a different security solution for each service: point everything at that issuer and manage trust there.
It also enables more flexible architectures, facilitating collaboration between enterprises and platforms, because it removes the headache of implementing and managing security separately across many diverse applications and users. As an example, OS-based security performs well because it is a shorter path for MQ to query the OS than to make a network or API call out to an external provider. The trade-off is the management of those users: OS users are accounts that people can use to log in to the box, and with OS-based security you would need to create all the users and groups on every new OS machine that hosts a queue manager, and propagate every new user out to all the existing OS machines.
Not available for MQ on z/OS.
Explain the diagram: Keycloak is set up to authenticate certain applications. At runtime the application requests a token, and the Keycloak server checks whether that application is permitted. The application then presents that token to MQ, which validates whether the token can be accepted.
MQ validates the token itself and accepts or denies the connection, so at runtime there is NO communication between the token issuer and the component validating the token: the queue manager already holds the key material needed to verify the issuer's signature.
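The two halves of that flow, as an added example rather than IBM MQ's or Keycloak's own code: an issuer mints a compact-serialization JWS carrying a user claim, and a validator (the role the queue manager plays) checks the algorithm, the signature, the issuer and the expiry entirely offline, using key material it already holds, which is why no call back to the issuer is needed at runtime. It uses HS256 (a MAC over a shared secret) so it runs with only the Python standard library; the issuer URL, the secret, the claim name and the helper names are assumptions. A deployment with a separate issuer would normally use an asymmetric algorithm such as RS256 so the validator holds only the public key; the checks are the same.

```python
"""Offline JWS (JWT) issue-and-validate round trip, constructed example."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for trust established out of band.
ISSUER_SECRET = b"example-shared-secret-do-not-use"      # assumed shared secret
TRUSTED_ISSUER = "https://keycloak.example/realms/mq"   # assumed issuer URL
USER_CLAIM = "preferred_username"                       # assumed claim carrying the user id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_token(username: str, lifetime_s: int = 300, now=None) -> str:
    """Issuer side: sign a JWT claim set with HS256 and return the compact JWS."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": TRUSTED_ISSUER, "sub": username, USER_CLAIM: username,
              "iat": now, "exp": now + lifetime_s}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    sig = hmac.new(ISSUER_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenRejected(Exception):
    pass


def validate_token(token: str, now=None) -> str:
    """Validator side: verify offline and return the user id, or raise TokenRejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it ("none", alg confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(ISSUER_SECRET, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Verify the signature before trusting anything in the claim set.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise TokenRejected("untrusted issuer")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenRejected("expired")
    user = claims.get(USER_CLAIM)
    if not isinstance(user, str) or not user:
        raise TokenRejected(f"missing {USER_CLAIM} claim")
    return user


def why_rejected(token: str, now=None) -> str:
    """Return the rejection reason, or an empty string if the token is accepted."""
    try:
        validate_token(token, now=now)
        return ""
    except TokenRejected as e:
        return str(e)


def tamper(token: str, **new_claims) -> str:
    """Rewrite claims without re-signing, as an attacker without the key must."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(new_claims)
    return header_b64 + "." + _b64url(_json(claims)) + "." + sig_b64


def alg_none(token: str) -> str:
    """Strip the signature and set alg=none, the classic downgrade attempt."""
    _, claims_b64, _ = token.split(".")
    return _b64url(_json({"alg": "none", "typ": "JWT"})) + "." + claims_b64 + "."


if __name__ == "__main__":
    issued_at = 1_700_000_000
    t = issue_token("app1", now=issued_at)
    print("accepted as:", validate_token(t, now=issued_at + 10))
    for label, bad in (("tampered", tamper(t, preferred_username="mqm")),
                       ("alg none", alg_none(t)),
                       ("expired", t)):
        print(label, "->", why_rejected(bad, now=issued_at + (400 if label == "expired" else 10)))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so a forged claim set, a stripped signature, or a token from another issuer never influences the user identity that is returned.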
NOTE: JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification.
Initially MQ is focused on authentication; this will be enhanced in future releases to allow authorization checks based on the claims in the token. Queue managers in IBM MQ 9.3.4 and above that run on AIX®, Linux®, and OpenShift® Container Platform can be configured to accept tokens, and IBM MQ MQI clients can present a token on connection to be authenticated.
Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.