What's new in MQIPT Version 2.1
Provision of a Java runtime environment
MQIPT Version 2.1 includes a Java runtime environment (JRE). This means that you no longer have to provide a JRE on the PATH in order to run MQIPT. The MQIPT command scripts automatically use the JRE provided. Only a JRE supplied by IBM® for use with MQIPT should be installed. Using an alternative JRE is not supported.
The SSL and TLS support for MQIPT is provided by using the JSSE library from the supplied JRE.
SSL/TLS features
MQIPT now supports several new SSL/TLS features:
- TLS 1.1 and TLS 1.2 protocol support.
- SHA-2 hash algorithms for digital signatures and CipherSuite message integrity. SHA-224, SHA-256, SHA-384 and SHA-512 are all supported.
- Elliptic Curve encryption.
- Support for many new CipherSuites including those that use Galois/Counter Mode (GCM).
Certificate and key management
MQIPT version 2.1 provides the same iKeyman and iKeycmd tools used to administer digital certificates in IBM MQ. These can be run using the new mqiptKeyman and mqiptKeycmd commands. For more information about MQIPT digital certificate considerations, see Digital certificate considerations for MQIPT.
Multiple installations
From version 2.1 of MQIPT, you can install the product wherever you want on your computer, and you can have several installations at the same time. Each installation can be used and maintained separately, so for example you can have different fix pack levels of MQIPT installed in different locations if you choose. See Install MQIPT for more details.
Certificate DN attributes
The following additional certificate DN attributes are now supported for use in selecting site certificates and matching remote peer certificates:
- Domain Component (DC)
- Domain Name Qualifier (DNQ)
- Postal Code (PC)
- Street address (STREET)
- Title (T)
- User ID (UID)
New route properties
The following new route properties can be used:
- SSLClientDN_DC
- SSLClientDN_DNQ
- SSLClientDN_PC
- SSLClientDN_Street
- SSLClientDN_T
- SSLClientDN_UID
- SSLClientSiteDN_DC
- SSLClientSiteDN_DNQ
- SSLClientSiteDN_PC
- SSLClientSiteDN_Street
- SSLClientSiteDN_T
- SSLClientSiteDN_UID
- SSLServerDN_DC
- SSLServerDN_DNQ
- SSLServerDN_PC
- SSLServerDN_Street
- SSLServerDN_T
- SSLServerDN_UID
- SSLServerSiteDN_DC
- SSLServerSiteDN_DNQ
- SSLServerSiteDN_PC
- SSLServerSiteDN_Street
- SSLServerSiteDN_T
- SSLServerSiteDN_UID
The SSLClientDN_DC, SSLClientSiteDN_DC, SSLServerDN_DC and SSLServerSiteDN_DC route properties can match multiple domain component (DC) values in certificate Distinguished Names. To match multiple DC values, use a comma as a separator in the route property value.
Tracing
In version 2.0, tracing was global to the entire MQIPT process. The trace level was calculated as the maximum value of the Trace property from all sections in the mqipt.conf file: trace was then enabled or disabled for all threads in the process based on this value. It was not possible to trace a subset of routes, resulting in potentially large trace files.
In version 2.1, the Trace setting is route-specific. Enabling trace for one route by adding a Trace property to its [route] section in mqipt.conf does not cause other routes to be traced.
Routes without a Trace property in their [route] section inherit the trace setting from the [global] section. Therefore you can use the [global] section Trace property to enable trace for multiple routes, although any route that explicitly sets Trace=0 is not traced, because the [route] section trace setting overrides the [global] section setting. For more information about the global and route Trace property settings, see Global properties and Route properties.
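The inheritance and override rules above, worked through in code. This is an added example, not part of the MQIPT product or its documentation: it reads a constructed mqipt.conf fragment with a small parser (MQIPT's own parser is not used), and the route property names Name and ListenerPort are assumed for illustration only; Trace is the property the text describes.

```python
"""Effective per-route Trace level under the version 2.1 rules, compared
with the single process-wide level of version 2.0 (added example)."""

# Constructed sample mqipt.conf fragment: route names, ports and levels are
# illustrative. Trace is the documented property; Name/ListenerPort assumed.
SAMPLE_CONF = """
[global]
Trace=3

[route]
Name=to-qm1
ListenerPort=1414

[route]
Name=to-qm2
ListenerPort=1415
Trace=0

[route]
Name=to-qm3
ListenerPort=1416
Trace=5
"""

def parse_mqipt_conf(text):
    """Return (global_props, routes). Each [route] section becomes its own
    dict, kept in file order, so repeated section names are preserved."""
    global_props, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "global":
                current = global_props
            elif name == "route":
                current = {}
                routes.append(current)
            else:
                current = None  # unknown section: its keys are ignored
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return global_props, routes

def effective_trace_v21(global_props, route):
    """2.1: the route's own Trace wins, even Trace=0; otherwise the route
    inherits the [global] Trace; with neither present, trace is off."""
    if "Trace" in route:
        return int(route["Trace"])
    return int(global_props.get("Trace", 0))

def effective_trace_v20(global_props, routes):
    """2.0: one level for the whole process, the maximum Trace of all sections."""
    levels = [int(s["Trace"]) for s in [global_props, *routes] if "Trace" in s]
    return max(levels, default=0)

def trace_report(text):
    """Map each route name to the trace level it actually runs with in 2.1."""
    global_props, routes = parse_mqipt_conf(text)
    return {r.get("Name", f"route{i}"): effective_trace_v21(global_props, r)
            for i, r in enumerate(routes)}
```

Under the 2.1 rules to-qm1 inherits level 3, to-qm2 is silenced by its own Trace=0 and to-qm3 runs at 5; under the 2.0 rule every route would have been traced at 5.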
Error messages
There are some new and amended error messages in Version 2.1. For a complete list of messages, see List of MQIPT MQC messages.
The SSL and TLS error messages have changed due to the use of JSSE. See SSL/TLS error messages for details.
Removal of the MQIPT servlet
The MQIPT servlet has been removed. The servlet supplied with MQIPT Version 2.0 can be downloaded separately and can still be used if necessary. Note that the servlet does not support the sharing conversations feature of IBM MQ, so any SVRCONN channels that connect through MQIPT must have SHARECNV(0).