IBM MQ is renowned for its enterprise qualities and this presentation will show you how this is taken to the next level when running on IBM's enterprise platform, z/OS. Learn how its integration with the z/OS platform provides the perfect solution for your enterprise needs, whether that's through its unique shared queue HA capability or its integration to the latest z/OS security capabilities.

1. © 2018 IBM Corporation
1
The enterprise differentiator of IBM MQ on z/OS
—
Matt Leming
Architect, MQ on z/OS

2. © 2018 IBM Corporation
2
Contents
MQ Advanced for VUE
MQ on z/OS: the most
resilient form of MQ
Hardware integration and z14

3. MQ Advanced for VUE

4. IBM MQ Advanced for z/OS Value Unit Edition
IBM MQ Advanced
Message Security for z/OS
IBM MQ for z/OS
The richest set of z/OS messaging capabilities in a single, simple to deploy offering
Connector Pack
IBM MQ Managed
File Transfer for z/OS
IBM MQ Advanced for z/OS Value Unit Edition V9.0.3 onwards
Provides end-to-end encryption of message contents to protect
sensitive data from all forms of intrusion, attack or accidental
disclosure, and with no need for application change
Provides reliable, secure and auditable file transfer that reduces the
need for manual processes, and management tools that help
reduce wasted time when dealing with failure analysis
Enables the secure, reliable exchange of business data across
applications, systems and services on-premises, in the Cloud, or
in Hybrid environments
Enables applications and systems to participate in a Blockchain
network via MQ, performing CRUD operations on Hyperledger
Fabric Blockchain running in IBM Cloud or running locally
4

5. © 2018 IBM Corporation
6
Tight integration with z/OS platform and subsystems
Maximum performance, high availability, connectivity and security
IBM Z, z/OS and the Parallel Sysplex
provide the foundation for IBM MQ on
z/OS
Create high performance
environments able to process millions
of messages every second
Highly available connectivity with
shared storage and automatic
recovery
Tight integration with key subsystems
and consistency with a range of other
platforms
CICS
z/OS
IMS
Batch
Db2
IIB WAS
zCEE
Queue
manager
Channel
initiator
mqweb
MQ
Clients
REST
z/OS
Java
Clients

6. IBM MQ Advanced Message Security
for z/OS
7

7. 9 Billion
4%
Of the
only
breached since 2013
were encrypted 3
records
$4M
Average cost of a data
breach in 2016 2
Likelihood of an organization
having a data breach in the
next 24 months 1
26%
“It’s no longer
a matter of if,
but when …”
Health
Insurance
Portability and
Accountability
Act (HIPAA)
European Union
General Data
Protection Regulation
(GDPR)
Payment Card Industry Data
Security Standard (PCI-DSS)
1, 2 Source: 2016 Ponemon Cost of Data Breach Study: Global Analysis -- http://www.ibm.com/security/data-breach/
3 Source: Breach Level Index -- http://breachlevelindex.com/
How do you address data protection and compliance?
8

8. © 2018 IBM Corporation
9
MQ Advanced for z/OS VUE delivers pervasive encryption
Protects data at rest, in-flight and in-memory to guarantee privacy of message contents
Application B
Application A
Channels
IBM MQ system
Queue Manager
Queue Manager
Apply end-to-end encryption to existing
messaging infrastructure easily and with
no application changes
Authenticate and protect messages across
the enterprise making audit simple
Reduce time and skills needed to comply
with aspects of common security
standards
Detect and remove rogue messages
New confidentiality option for encryption
has minimal performance impact
Decrypted at destination
Encrypted at source

9. IBM MQ Managed File Transfer
for z/OS
10

10. © 2018 IBM Corporation
12
Move data and files with MQ Advanced for z/OS VUE
Consistent approach to transporting application data and file data as messages
How:
 File-to-file
 File-to-message
 Message-to-file
MFT Agent:
Performs the fundamental file transfer function of sending
and receiving files from the local system
MFT Service:
Installs a file transfer agent on MQ server with additional
capabilities
Benefits:
• Reliability of delivery
• Increased security of system and data
• Integrated management and recovery
Channels
MQ Advanced QMs
Logging
component
MFT Agent
Application BApplication A
MFT Agent
Unlimited deployments
of MQ MFT Agents when
connecting them to MQ
Advanced Queue
Managers

11. © 2018 IBM Corporation
13
MQ Adv VUE
MFT
Agent
MFT
Agent
MFT
Agent
LPAR 1 LPAR 2
File Hub
(LPAR 3)
Create a “File Hub” using simplified MFT Agent connectivity
MFT agents deployed wherever files are to
be sourced or delivered
No requirement for a local z/OS queue
manager - choose where to handle file
workload
Files transferred across the MQ network
between local and remote agents
Reduce the number of queue managers
required - simplified topology for easier
administration

12. Connector Pack
14

13. Blockchain: holds details of
all vehicles for country
Manufacturer
adds vehicles
Recycle/Scrap
removes vehicles
Dealer: Registers
vehicle, updates
ownership
Importer: adds
vehicles
Tax
Records
Tax Due
process
Send
Reminder
process
Reminder
Excise Authority`
Query current
Owner
Modified Hybrid Business Process
MQ
Blockchain requires connectivity for data sharing
Parties in the business network need to exchange data often held in Systems of Record
Enable a range of different
applications and systems to
send updates to a Blockchain
network
Ensure data integrity following
changes to shared assets
Transport critical business data
securely and reliably
…sound familiar?
Requirements…
16

14. IBM MQ
Bridge for
Blockchain
IBM MQ
Connect to Blockchain with MQ Advanced for z/OS VUE
Deploy IBM MQ Bridge for Blockchain to enable applications and systems to participate
Bridge allows an MQ application to connect to Hyperledger Fabric
Blockchain running in IBM Cloud or running locally
Utilise request-reply MQ messages to query information from
Blockchain (e.g. what is the value of the balance on this account)
Use MQ to drive Create, Read, Update and Delete operations on
Blockchain-managed assets
No need to understand the ledger-specific APIs, configuration or
controls
Connection to Queue Manager
---------------------------
Queue Manager : [MQ21]
Bridge Input Queue : [SYSTEM.BLOCKCHAIN.INPUT.QUEUE]
Bridge User Identity Queue : [SYSTEM.BLOCKCHAIN.IDENTITY.QUEUE]
MQ Channel : [SYSTEM.DEF.SVRCONN]
MQ Conname : [host1.example.com(3714)]
Blockchain - User Identification
--------------------------------
Blockchain Userid : [WebAppAdmin]
Enrollment Secret : []******
Blockchain - Organisation Identification
----------------------------------------
Organisation Name : [PeerOrg1]
Certificate Authority servers : [ldn1-zbc5a.2.secure.blockchain.ibm.com:14511] 17

15. © 2018 IBM Corporation
18
Connector Pack also contains
9.0.3:
Support for client connections from MFT agents
to MQ Advanced for z/OS VUE queue managers
running on other LPARs
9.0.4:
Support for client connections from Java applications
to MQ Advanced for z/OS VUE queue managers
running on other LPARs
Client mode support for MFT logger in file mode
9.0.5
AMS support for Java applications using client
connections
MQ Adv VUE
JMS
Client
Java
Client
LPAR 1 LPAR 2
LPAR 3

16. MQ on z/OS: the most
resilient form of MQ

17. © 2018 IBM Corporation
20
IBM Z is most reliable and resilient
hardware platform
Less than one minute unplanned
downtime per server per year
99.999% or greater reliability
Baked in from CPU, memory, IO
subsystems, cooling, chassis, OS,
coupling facility, all the way up to
the middleware
INCLUDING MQ!
http://itic-corp.com/blog/2018/01/ibm-lenovo-top-latest-itic-global-server-hardware-reliability-poll/

18. IBM MQ – resiliency capabilities
21
A layered set of capabilities to build robust and highly available connectivity
LOGGING ARCHIVING CLUSTERING
DATA
SHARING
SHARED
QUEUES
DATA RECOVERY
SERVICE
HIGH AVAILABILITY
SERVICE & DATA
HIGH AVAILABILITY
IBM MQ records all significant
changes to persistent data in a
recovery log
Enables data recovery after a
hardware or software failure
MQ for z/OS: Dual logging offers
further protection against data
loss
MQ for z/OS: Logs automatically
archived to secondary storage
(tape or DASD)
Clusters of queue
managers provide WLM
and high availability of
messaging resources
resilient to individual
server failures
Gold standard for resilience on MQ for z/OS: Queue
Sharing Groups
Queue managers can be members of a queue sharing
group with resources held in coupling facilities. Pull
workload balancing and automatic peer recovery
through shared data access
High availability of individual distributed platform
queue managers provided by:
• Multi-instance queue managers using shared
file system
• Data replication using appliance HA or RDQM
• HA clusters managed using hardware
DATA
REPLICATION

19. © 2018 IBM Corporation
22
Service high availability:
MQ clusters
Multiple instances of a named queue can be deployed
into a cluster
Cluster workload management routine
distributes messages between the instances
Benefits:
Service remains available even if a queue
manager fails
Workload balancing between instances
Most customers operating critical services
at scale make use of MQ clustering
Up to 1000s of cluster members
Available on all supported MQ platforms
NB: Failure of a queue manager in
the cluster results in its messages
being unavailable
Client
Service
Cluster
WLM
QMGR
CLUSQ
QMGR
CLUSQ
QMGR
Service

20. © 2018 IBM Corporation
23
Data high availability:
shared queues
Queue sharing group: set of queue
managers with shared object definitions
Shared queue: queue where messages
are stored in coupling facility structure
Messages accessible
from any member of
queue sharing group
Pull based WLM: applications can
consume messages at their own speed
The most resilient MQ topology
Client
Queue sharing group
QMGR
QMGR
QMGR
Shared queue
held in coupling
facility structure
Service
Service
Service

21. © 2018 IBM Corporation
24
Resiliency characteristics of
shared queues
Messages remain available if individual queue
managers or LPARs fail
Peer recovery for inflight work
Applications and queue managers can continue
to connect into queue sharing group if individual
queue managers or LPARs fail (shared
channels)
Resilient to structure failure
Resilient to coupling facility connectivity failure
Resilient to application failure
Client Service
QUEUE FULL

22. Hardware integration and z14

23. Pervasive encryption with IBM z Systems
Enabled through full-stack platform integration
1 Statement of Direction* in the z/OS Announcement Letter (10/4/2016) - http://ibm.co/2ldwKoC
2 IBM z/OS Version 2 Release 3 Preview Announcement Letter (2/21/2017) -
http://ibm.co/2l43ctN
Broadly protect Linux® file systems and z/OS data sets1 using policy
controlled encryption that is transparent to applications and databasesData at Rest
Integrated Crypto
Hardware
Hardware accelerated encryption on every core – CPACF performance improvements of up to 7x
Next Gen Crypto Express6S – up to 2x faster than prior generation
Protect z/OS Coupling Facility2 data end-to-end, using
encryption that’s transparent to applications
Clustering
Protect network traffic using standards based encryption from end to end, including encryption
readiness technology2 to ensure that z/OS systems meet approved encryption criteria
Network
Secure deployment of software appliances including tamper protection during installation and
runtime, restricted administrator access, and encryption of data and code in-flight and at-rest
Secure Service
Container
The IBM Enterprise Key Management Foundation (EKMF) provides real-time, centralized secure
management of keys and certificates with a variety of cryptographic devices and key stores.
Key
Management
****Data in Use Protect MQ data while it is in memory within z/OS, while it is at rest, while it is inflight using MQ
Advanced for z/OS VUE based end-to-end encryption that’s transparent to applications
1
0
1
26

24. z14 Integrated Cryptographic Hardware
CP Assist for Cryptographic Functions
(CPACF)
Hardware accelerated encryption on every
microprocessor core
Performance improvements of up to 7x for
selective encryption modes
Crypto Express6S
Next generation PCIe Hardware Security
Module (HSM)
Performance improvements up to 2x
Industry leading FIPS 140-2 Level 4
Certification Design
Why is it valuable:
More performance = lower latency + less CPU
overhead for encryption operations
Highest level of protection available for encryption
keys
Industry exclusive “protected key” encryption
27

25. © 2018 IBM Corporation
28
We have been trying out MQ on z14!
The news is good…
Better scalability
Crypto improvements
Dataset encryption
Storage class memory
I/O performance gains
Improvements in compression via
zEDC
Generally in line with LSPR, but
sometimes much better

26. © 2018 IBM Corporation
30
Better scalability
Z14 brings:
Faster processors, and more of them
MQ benefits:
Improved scalability – up 11% to 641K
transactions per second
Almost 1.3 million messages per second
Rate doesn’t tail off with increased CPUs
Chart shows non-persistent out of synchpoint
messaging. Buffer pools and pagesets tuned
to minimize contention
When sending messages in synchpoint, z14
continues to scale up to 32 CPUs 30

27. © 2018 IBM Corporation
31
Crypto improvements: TLS
channels
Z14 brings:
New Crypto Express 6S (CEX6S)
Improved CPACF
TLS channels benefit:
20% cheaper on average over z13
With CEX5S 17-22% faster over z13
With CEX6S there is a further 5-14%
speed gain
Secret key negotiated for every 1MB of
data sent, shows benefits of CPACF and
CEX6S (charts on left)
Secret key negotiated at start up shows
benefits of CPACF only: 28% cheaper, 35%
faster (see performance report)
31

28. © 2018 IBM Corporation
32
Crypto improvements: AMS
Integrity signs messages (CEX6S)
Privacy signs and encrypts (CEX6S+CPACF)
Confidentiality encrypts + key reuse (CPACF)
Size of message has an effect on numbers
but gains were made across the board
For medium messages:
% change in Integrity Privacy Confide-
ntiality
Transaction
cost
-10 -12 -30
Cost of
protection
-10 -12.25 -40
Throughput +21.3 +18.5 +31.3
32

29. © 2018 IBM Corporation
34
Storage class memory
Z14 brings: virtual flash memory,
replacing Flash Express cards on
EC12 and later
MQ benefits:
Improved pre-fetch performance
Faster IO access
Two use cases for MQ:
Emergency storage
Tolerate very long getting application
outage
SMDS + message offloading + SCM
Improved performance
Allow long getting application outage
with minimal performance impact
SCM only
34
SCM assumes messages are got in priority
order
VFM performance gains most apparent when not
getting in priority order, e.g. by correlation id
z13 z14 Change
Transaction rate 483 804 +66%
Average read service
time
1285 323 -75%
Average write service
time
414 231 -44%
SCM read per minute 39,000 77,000 +41
SCM delayed 25% 26%

30. © 2018 IBM Corporation
35
Summary
MQ Advanced for VUE
MQ on z/OS: the most
resilient form of MQ
Hardware integration and z14

31. Notices and disclaimers
© 2018 International Business Machines Corporation. No part of this
document may be reproduced or transmitted in any form without
written permission from IBM.
U.S. Government Users Restricted Rights — use, duplication or
disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to
products that have not yet been announced by IBM) has been reviewed
for accuracy as of the date of initial publication and could include
unintentional technical or typographical errors. IBM shall have no
responsibility to update this information. This document is distributed
“as is” without any warranty, either express or implied. In no event,
shall IBM be liable for any damage arising from the use of this
information, including but not limited to, loss of data, business
interruption, loss of profit or loss of opportunity. IBM products and
services are warranted per the terms and conditions of the agreements
under which they are provided.
IBM products are manufactured from new parts or new and used parts.
In some cases, a product may not be new and may have been previously
installed. Regardless, our warranty terms apply.”
Any statements regarding IBM's future direction, intent or product
plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in a
controlled, isolated environments. Customer examples are presented as
illustrations of how those
customers have used IBM products and the results they may have
achieved. Actual performance, cost, savings or other results in other
operating environments may vary.
References in this document to IBM products, programs, or services
does not imply that IBM intends to make such products, programs or
services available in all countries in which IBM operates or does
business.
Workshops, sessions and associated materials may have been prepared
by independent session speakers, and do not necessarily reflect the
views of IBM. All materials and discussions are provided for informational
purposes only, and are neither intended to, nor shall constitute legal or
other guidance or advice to any individual participant or their specific
situation.
It is the customer’s responsibility to insure its own compliance with legal
requirements and to obtain advice of competent legal counsel as to
the identification and interpretation of any relevant laws and regulatory
requirements that may affect the customer’s business and any actions
the customer may need to take to comply with such laws. IBM does not
provide legal advice or represent or warrant that its services or products
will ensure that the customer follows any law.
36

32. Notices and disclaimers
continued
Information concerning non-IBM products was obtained from the
suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products about this
publication and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions
on the capabilities of non-IBM products should be addressed to the
suppliers of those products. IBM does not warrant the quality of any
third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM expressly disclaims all
warranties, expressed or implied, including but not limited to, the
implied warranties of merchantability and fitness for a purpose.
The provision of the information contained herein is not intended to, and
does not, grant any right or license under any IBM patents, copyrights,
trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com and [names of other referenced IBM
products and services used in the presentation] are trademarks of
International Business Machines Corporation, registered in many
jurisdictions worldwide. Other product and service names might
be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark
information" at: www.ibm.com/legal/copytrade.shtml.
.
37

33. Thank you
Matt Leming
Architect, MQ on z/OS
—
lemingma@uk.ibm.com
Helpshape
thefutureof
MQ… ibm.biz/MQ-Customer-Survey