Posts Tagged ‘MQ AMS’

Complying with GDPR and the importance of protecting data with MQ Advanced

July 11, 2018


As a business, acquiring and keeping customers is crucial. You need to ensure that you are continually delighting them, ensuring you deliver the best value, and are easy to do business with. And one critical thing above all others is to ensure that the customer can trust your business.

 

Why is this important? A key reason is that the customer is trusting your business with their information, and you therefore have a responsibility to keep it safe. Because if a customer can’t trust you with their information, they won’t do business with you.


And it is not just a question of customer trust. There is more and more legislation around the world designed to ensure that businesses are taking the protection and security of 3rd party data seriously. The headlines recently around this have been driven by the deadline date for the EU’s GDPR. But honestly protecting your own data, as well as customer information should have been essential practice anyway.

 

Meeting the needs of GDPR, other legislation in this area, and customer trust isn’t just about ticking a box, and it can’t be addressed through a single change or product. There needs to be a comprehensive approach so that there are no gaps in the security. One of the best ways to get there is the ‘privacy by design’ principle that GDPR itself calls for: build the protection into the infrastructure that carries the data, so that each application and each connected system is covered without every one of them having to implement and review its own controls.

 

There are many reasons why a business might use IBM MQ’s messaging to move data within a business, or between businesses. Thousands of the world’s leading businesses have depended on it for reliable, scalable, secure and highly available messaging for 25 years. IBM MQ is already a secure environment, but today’s connected systems face regulations like GDPR that demand demonstrable protection, an account of who could have had access to personal data, and evidence that data has been removed, and that calls for more than transport security. That additional protection is available as part of IBM MQ Advanced or the IBM MQ Appliance: end-to-end encryption of message content that keeps the data encrypted while it is at rest on queues, not only while it is in flight.

 

Why is this important, and how does it help protect data and comply with GDPR and other legislation? Consider a typical connected environment with messages flowing across many different systems. Data originating from a customer may bounce across different business systems as a message: ordering, invoicing, manufacturing, shipping, loyalty programs. Some of these will be within the enterprise, others may belong to 3rd party businesses that provide a service. As messages flow, they get persisted to disk to ensure they aren’t lost in case of a failure. But how do you ensure that every system and every disk is protecting these messages when you don’t control all of those systems and disks, some of which may be owned by other organizations?


The end-to-end encryption in MQ Advanced is policy-based and doesn’t require application updates; the applications themselves are unaware that the message content is encrypted between the sending and receiving applications. A policy is defined against a queue name on the queue manager and names the intended recipients. The message payload is encrypted to those recipients, while the MQ message descriptor and message properties remain in the clear so that queue managers can still route the message (which is why personal data must never be placed in headers or properties). As each message is persisted to disk on a queue, the content stays encrypted. It is only decrypted when a recipient named in the policy gets the message. With this in place, it no longer matters how many systems the message passes through between source and destination, or who owns or administers each of them: an intermediate queue manager, its administrators, its backups and its disks hold only ciphertext. What you can then demonstrate is that the only parties able to read each message are the recipients the policy names (and whoever holds their private keys), which is a far stronger statement about who could have had access than hoping that every intermediate system was locked down.

 

The enhancements to this end-to-end encryption in MQ Advanced V9.0, and most recently in MQ V9.1 (announced July 2018), not only provide this strong encryption without application changes, but, with the Confidentiality policy type’s reuse of symmetric keys, do so at a fraction of the earlier per-message overhead, so it can be applied where the performance cost once ruled it out.

 

With your business under pressure from GDPR and other legislation, and the need to ensure your customers can trust you to look after their data and personal information, it has become essential to consider the move to MQ Advanced in order to take advantage of this cutting-edge data protection capability.

Update: For more detail about the security features of the IBM MQ family and how they might help as part of a GDPR approach, here is a link to a presentation by Jamie Squibb on this topic, presented to Guide Share Europe earlier this year.

Get started today by downloading the MQ Advanced trial or MQ Advanced for Developers, or, simpler still, try out the new hosted IBM MQ on IBM Cloud.


Putting out a new release like IBM MQ V9.0.5 is more than a 9-5 job

March 16, 2018


At least in the UK, the traditional hours worked in a day job were 9 to 5. You would ‘clock-in’ at 9am and leave at 5pm. I guess it is common as there was a 1980s film called “9 to 5” starring Dolly Parton. These days office life is rather more flexible, and certainly the idea of clocking in and out at fixed times is gone.

 

For 25 years, virtually every major IT infrastructure has been able to rely on the secure and reliable exchange of data between applications and systems thanks to IBM MQ. Previously called MQSeries, then WebSphere MQ, this software offering, developed in the IBM Hursley Lab in the UK, has been a critical part of the business world. So much so that most people have no idea how much they rely on IBM MQ on a daily basis, as it ‘just works’.

 

There is a great team of developers who work hard day in and day out to enhance and update IBM MQ. We have now released IBM MQ V9.0.5, going GA on Friday March 16th. Our developers have worked for months, giving up evenings and weekends, not just to add new features but to make sure it is another release that works when put into use. So not 9 to 5 at all.

 

Now for some customers this will be more of a prelude to the main act. This is referring to V9.0.5 being a Continuous Delivery release. When we brought out V9.0 we split it into 2 streams: Continuous Delivery and Long Term Support. This release marks the final release in the initial set of Continuous Delivery releases. The next release will be the first of a new Long Term Support release. And customers can expect that the functions delivered in the 5 CD releases will be made available in the new Long Term Support release.

 

When that new LTS release is available, you can expect me to summarize all the new features, but for now in this blog I will call out a few of the new features in V9.0.5.

 

The new Easy HA feature (Replicated Data Queue Managers) delivered in MQ Advanced V9.0.4 is updated to add support for a Disaster Recovery mode, with manual takeover after either synchronous or asynchronous replication between a pair of MQ servers.

 

The MQ Managed File Transfer capability, available with MQ Advanced or MQ Appliance gets the first support for the REST API admin interface for listing current transfers and querying MFT Agent status.

 

MQ Advanced itself now identifies itself more explicitly when installed, which helps avoid licence compliance problems and lets other components recognize which queue managers are MQ Advanced entitled.

 

Other updates include a MQ Console refresh, and for customers who use MQ with WebSphere Application Server, performance enhancement through implicit syncpointing.

 

For MQ Appliance users there is an enhancement for better reliability by allowing aggregated IP interfaces for the Floating IP feature. This removes a potential single point of failure.

 

And for users of MQ Advanced for z/OS Value Unit Edition there have been improvements including enhancements to MQ AMS which will see increased performance.


Perhaps even more exciting is the new availability of a hosted instance of MQ on the cloud. More about this can be found here, but it creates a great opportunity to make use of MQ quickly and easily without needing to install, deploy or manage the environment. Just configure and go! It’s nice that after 5 years of talking about it on this blog we have an explicit offering running in the cloud. This is of course alongside MQ already being deployable in AWS as a QuickStart, or as containers in IBM Cloud Private.

 

As well as looking forward in the future to a new Long Term Support release, the statement of direction indicated that the Blockchain bridge, available in MQ Advanced, will be updated to be based on the Hyperledger Composer interfaces. And additionally, customers deploying MQ in containers will in the future be able to track the size of the container, and the duration of use, and license based on that container size, rather than the full capacity of the system where the container is running. The intent will be to support existing pricing metrics such as PVUs and VPC monthly metrics, but also a future VPC Hourly metric.


IBM MQ, along with many other IBM and business partner solutions will be some of the highlights discussed at IBM Think in Las Vegas running March 19th-22nd. I will be there and I hope to see some of you there as well. Famously Las Vegas never sleeps, so I guess that’s something else that’s not 9 to 5. Lucky we have IBM MQ V9.0.5 now though.


 

Simple can be better – the new MQ and MQ Advanced licensing

January 24, 2017


Last year my son did a school project on flight – and his project focused on Leonardo da Vinci, and it was fascinating for us all to learn more about Leonardo’s genius. Not just an artist, his incredible imagination seemed to create and explore new worlds, never dreamed of before. And yet for all his visionary ideas, his quote above also stands out: “Simplicity is the ultimate sophistication”.

The same idea can be seen in Blaise Pascal (and Mark Twain) saying “I didn’t have time to write a short letter, so I wrote a long one instead”. Sadly this applies to this blog entry as well so in the interests of brevity, a quick summary of what’s described in more detail below:
IBM is simplifying the MQ licensing for new purchases:
• Parts now as follows: MQ, MQ Advanced, MQ Idle Standby, MQ Advanced Idle Standby, MQ Advanced for Developers
• MFT Agents are no longer separately and individually licensed but are free to deploy and use when connected to MQ Advanced entitled Queue Managers – essentially providing a free to use MQ MFT network when you use MQ Advanced
• The parts being withdrawn are only those for new entitlements to the separate MQ MFT, MQ AMS and MQ Telemetry parts but not the Subscription and Support renewal parts – you can continue with your existing entitlement as before.
• If you have MQ Advanced today this change applies to all your existing MQ Advanced entitlement – not just to the latest MQ V9.0.1 release.

Today, our world is moving faster and faster. Businesses need to be more agile. Do more with less. Get more for their money. Keeping things simple makes sense today. Even more so as business environments are highly dynamic, and need to balance between unique requirements and common deployments for ease of development, deployment, operations and maintenance.

When it comes to critical offerings like IBM MQ – providing reliable, secure, scalable and robust enterprise messaging, why should we make it more complex than it needs to be? From January 24th 2017, IBM is simplifying the IBM MQ licensing structure to make it simple to describe, simple to purchase, simple to understand and simple to deploy and use.

What are we talking about? Well, for nearly 25 years IBM has been selling IBM MQ – and we still are. But for almost 15 years IBM has been selling extensions to IBM MQ as separate offerings: MQ Managed File Transfer, MQ Advanced Message Security and MQ Telemetry. These all built on and extended the value offered by IBM MQ – and in 2012, as part of MQ V7.5 we brought all the separate components together into a single package, and also created a single offering called MQ Advanced to provide entitlement to the MQ Server along with all of the MQ Server extensions.

Since then, MQ Advanced has been the most popular way to extend MQ, over buying the individual product parts. However, there was always a complexity about the MQ Advanced license for customers using it for Managed File Transfer. This was because MQ’s Managed File Transfer was available as both the MFT Service component that came with MQ Advanced, but also was licensed as MQ MFT Agents on a per Install basis. Even though you might have bought lots of MQ Advanced licenses, you would still need to buy MQ MFT Agents for those systems where you wanted to deploy MQ managed file transfer capabilities, but where you didn’t have MQ Advanced installed. This would be even more noticeable since MQ V9.0.1 shipped which allowed the MQ MFT Agents to be redistributable and made them available in a zip format, suitable for embedding in other solutions. Having per install licensing for MFT Agents would restrict the potential for use of this style of deployment.


As part of this license change, the MQ MFT Agents are no longer chargeable, or licensed per Install. Instead they are free to deploy and use – in any quantity, as long as the appropriate MQ Servers are licensed with MQ Advanced entitlements. The Agent QM, and the co-ordination QM, and the Logging QM for the MFT Agents must all have MQ Advanced entitlement. These can be all the same Queue Manager, or they can be separated – but all must have MQ Advanced entitlement – but then all MQ MFT Agents using these QMs can be deployed and used at no cost, whether 1 Agent, 100 Agents or more.


The licensing for MQ and MQ Advanced going forward is now very simple. You select IBM MQ if you just want MQ, or IBM MQ Advanced if you want MQ and any other capability. Both are licensed by PVU (perpetual or monthly license) – so by the capacity of the machine where you install the MQ server or by the Virtual Processor Core as described here. Along with IBM MQ and IBM MQ Advanced, there are Idle Standby parts for both, and also IBM MQ Advanced for Developers. Just a handful of parts giving you so much potential for your business.

The additional features in MQ Advanced include MQ Managed File Transfer (as mentioned above), which allows the contents of files to be sent reliably and securely over the MQ network as MQ messages. The differentiating factor of this solution is that the file contents can be consumed directly as messages, moving file transfer into virtually real-time data usage; it can now be deployed anywhere at no additional cost when connected to MQ Advanced queue managers. Then there is Advanced Message Security, which provides end-to-end message content encryption. Since MQ V9 this has a Confidentiality option that cuts the encryption overhead to a small fraction of what it was, helping you protect your business and customer data from exposure in the case of a breach. And MQ Telemetry, which enables your MQ applications to connect directly, using the MQTT protocol, to mobile phones and the Internet of Things.

It’s all so much simpler now to explain, to buy and to use. But what if you have previously bought some of the separate parts? We have made sure to keep the existing renewal parts available, so you can continue to use them and stay current with support. Nothing needs to change; you can continue exactly as before. But you might want to consider moving to MQ Advanced entitlement, as only this provides the ability to connect MQ MFT Agents at no cost, and there will be no entitlement to buy or deploy new MQ MFT Agents without MQ Advanced entitlement in the future. Existing purchased MQ MFT Agent entitlements remain valid and can continue to be deployed and used.

Feel free to reach out to your IBM rep, your IBM business partner or even me to discuss this and what it might mean to you. We have tried to do this very carefully so that there is no negative impact on anyone today, and so that going forward there are lots of benefits, such as the ability to deploy a much larger MQ managed file transfer network at no additional cost with MQ Advanced entitlement. As an added change, we have ensured that the MQ Appliance license also allows for connection of MQ MFT Agents at no cost, which provides an additional deployment and connectivity option for MQ MFT solutions.


I will try to write another blog shortly about our MQ Managed File Transfer solution soon – but this one needs to end so you can get back to work.

Think what you can do with this now. It’s going to be a busy year. Let’s start now.

Let your troubles float away with the IBM MQ Appliance

November 15, 2016


Sometimes you instinctively know when something is right. It just seems to fit. To all fall into place. When you solve a mathematical equation. When you put on a jacket. When you pick up a hammer. You just know it feels right.

Since IBM released the IBM MQ Appliance in 2015, we have had a lot of customers look at it, and for many of them it has seemed to be something just right for them – just what they were looking for, as it simplified their infrastructure and reduced the tasks of configuring, operating and maintaining their MQ installs.

However, there is plenty of opportunity for improvement, both in adding new features and in improving those already there. Early customer feedback about the MQ Appliance has shaped a number of the enhancements already delivered, and it has also driven several of the features in the latest update to the IBM MQ Appliance M2001, which brings MQ V9.0.1 to the MQ Appliance. Note that this software update is also available for customers still running the MQ Appliance M2000.


One of the key new features is Floating IP support to aid High Availability failover configurations. The MQ Appliance provides High Availability by connecting appliances as a pair, and individual queue managers can fail over from one appliance to the other quickly and seamlessly, with the persistent messages and logs already replicated synchronously. To support this, however, the MQ client used by the application needed to be configured with not just the IP address of the primary appliance but that of the second appliance in the pair as well. It wasn’t always convenient for customers to give every MQ client and application a list of IP addresses in readiness for failover.

To address this, and make the experience of using the MQ Appliance even better, the V9.0.1 level of code adds Floating IP support to High Availability configurations: when the first MQ Appliance fails over, the second appliance not only starts the queue manager but also takes over the primary’s IP address, so MQ applications can reconnect to the second appliance even if they only have a single IP address configured. This should make the MQ Appliance a better fit for a much wider set of deployments, without requiring much change to the applications.

As already mentioned above, the MQ Appliance now ships with the MQ 9.0.1 continuous delivery release. This means that the MQ Appliance now benefits from the MQ V9 functions such as the new MQ AMS confidentiality option. This also means that all the new and upcoming features in the MQ continuous delivery stream will be available to the MQ Appliance as those releases come out, with more access to the new REST API for admin and configuration as well as a refreshed MQ Console.

 


Also, as well as some usability improvements for management of the appliance and the MQ operational aspects, this update exposes a number of key features from the underlying firmware. Chief among these are SNMP support and enhanced security, such as role-based authorization and LDAP authentication for appliance admin accounts. These again should make the MQ Appliance fit better into an organization and be applicable to more use cases.

With further updates to come as part of the Continuous Delivery stream for MQ and the MQ Appliance, there will be more improvements to come to continue to make the experience feel even better. So get ready to float away from your troubles with the latest update to the MQ Appliance.

UPDATE: An excellent blog on MQDev developerWorks site by Ian Harwood. Another blog specifically on the MQ Appliance update by Ant Beardsmore.

No waiting in these queues. IBM MQ V9 and the MQ Appliance M2001 delivers fast, reliable and secure message queuing

June 29, 2016


Recent weeks have been pretty busy on this blog, reflecting just how busy the MQ development team has been in bringing out new and updated offerings in MQ V9 and the MQ Appliance M2001 here and here. And of course in our cloud messaging options.

As both of these have been fairly full of new content I thought I would do just a short update to focus on a couple of key benefits which are specifically measurable in these 2 refreshed offerings. After all, a lot of the new and improved features can sometimes be hard to quantify in terms of the benefits they provide, but in each offering this time there are some easy to define benefits.

As you may have seen in my most recent update, the MQ Appliance M2001 added large-capacity SSD storage, which enables much faster throughput for persistent messages. These are the messages that get written to storage to ensure they are still available in the case of a failure before the message has been successfully delivered to all consumers. At high message rates there can be a lot of contention for access to storage with traditional hard drives; with the new MQ Appliance M2001, this potential bottleneck has been removed. You can now read the latest MQ Appliance M2001 performance report here, which shows that in those scenarios with large volumes of persistent messages the message rate improves by up to 3.5 times.

Clearly this represents a significant improvement and given that persistent messages are used in those business critical situations where IBM MQ delivers so much value, it is a hugely important benefit.

 

In MQ V9 there were a number of enhancements, but the one I specifically want to call out is, as part of the MQ Advanced package, the enhancement to MQ Advanced Message Security (MQ AMS). The change is a new policy type, Confidentiality, which changes how the encryption of message content is performed (MQ AMS provides policy-based encryption of message content, so that data at rest is protected in case of a security breach). The goal was to keep a strong level of protection for the message content while greatly reducing the performance and throughput cost of the encryption.

Encrypting a message means generating a symmetric key for the content and then protecting that key with the recipient’s public key, and it is that asymmetric operation, repeated for every message, that dominates the cost. With a Confidentiality policy the symmetric key is generated and wrapped once and then reused for a configurable number of messages before a fresh one is generated. This still provides a very high level of protection, since each message is still encrypted under a strong symmetric cipher, and, depending on the reuse count before a new key is generated, it drastically cuts the overhead: the benefits can exceed an order of magnitude in throughput. Two caveats apply. A Confidentiality policy encrypts but does not sign, so it gives no assurance about who sent the message; where origin matters, the Integrity (sign) and Privacy (sign and encrypt) policy types remain the choice. And the reuse count is a security knob as well as a performance knob: a larger count means more messages exposed if that one key were compromised, so keep it as small as your throughput target allows. You can see a quick snapshot of some of the early results in Jon Rumsey’s blog here, which includes a small table showing performance improvements exceeding 10x. With everyone concerned about security these days, the ability to better protect your information and customer data with little performance impact has to be a good thing.

 

So what are you waiting for? With secure, reliable enterprise messaging for on-premise deployments, cloud deployments or physical appliances, there is no waiting with IBM MQ V9 or IBM MQ Appliance M2001.


[An interesting history of Wile E. Coyote here]

Did you remember to lock your car?

November 12, 2013


We’ve all done it. You have driven your car to a car park, walked away, and then had a momentary pang of doubt about whether you locked your car. It has become second nature to lock your car. To keep it secure. The car even locks the doors itself when it is in motion. But when you park it and walk away, that’s when the uncertainty comes in, and also when your car is most vulnerable.

It is the same with your enterprise messaging. What happens when you use a product like WebSphere MQ to send a message across your enterprise? Well, of course, what is happening is the application takes some data and packages it in the contents section of a message structure, along with some header information to describe the message and the destination. The message is then dispatched. All in all that’s pretty similar to you getting in your car and driving to the shops to buy something like food for dinner, or presents for a birthday. There is a destination and something of value to be transferred. With a car, you have to park in a space in a car park. With messaging, instead of a car park you have a queue manager and queues.

Messages start in an application and a MQ Client packages the information to be moved into a message. This then is sent to a queue manager, to be written into a queue. According to the destination or other information, the message is then sent on to either another queue, another queue manager, or to the destination client application.

As far as securing the message goes, while the message is moving between the client application and the queue manager, access to the MQ resources is controlled by MQ’s own authorization definitions, and the message and its contents are protected on the ‘wire’ by TLS (SSL). However, although the message is encrypted by TLS as it moves, once it reaches the queue manager and is written to the queue it is decrypted, and it sits on the queue without any encryption. So if the system hosting the queue manager is penetrated, or someone simply has read access to the queue files or browse authority on the queue, the messages are available in the clear. This is the same as parking your car in a ‘secure car park’ but leaving the car unlocked because the car park is secure. Would you do that? I’m pretty sure I wouldn’t.

Now what would we like to happen? What would be smart would be a routine that ensured our car was locked, pretty much at all times unless people wanted to get in and out of it – subject to key rules – such as ensuring people could actually get out or in when they needed. For messages we would want to make sure the message contents were secure at all times, including when sitting in queues, but would continue to be available to the receiving applications, and of course would still expose the header information needed for routing etc.

What IBM offers for WebSphere MQ is WebSphere MQ Advanced Message Security, which is also included in the entitlement of WebSphere MQ Advanced. This is a policy-based encryption capability that encrypts message contents from the sending application to the receiving application, so the contents are encrypted while they flow over the network and while they sit in intermediary queues. The applications are unchanged; only updated client libraries are needed. And the protection is driven by policies, defined per queue, so different rules can apply to different message contents or different queue managers. After all, there are times when you have to leave your car unlocked. So I’m pretty sure you have rules for securing your car. Isn’t it about time you had rules for securing your messages?
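To make the two ideas in these posts concrete, the policy behaviour described here and in the GDPR post (payload encrypted to the recipients the policy names, routing header left in the clear, decryption only at the destination) and the Confidentiality mode from the MQ V9 post (one asymmetric operation, then a symmetric key reused for a bounded number of messages), here is a small Go model added for this page. It is example code, not IBM’s AMS implementation, and it does not reproduce AMS’s message format: the Envelope type, the choice of RSA-OAEP to wrap an AES-256-GCM key, the 1-based maxUses reuse convention, the RSA operation counters, and the ORDERS.Q / customer 4711 sample messages are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope models a protected message: the routing header (Dest) stays in the
// clear so any queue manager on the path can forward it; only Body is secret.
type Envelope struct {
	Dest        string // never encrypted: keep no personal data in headers
	WrappedKey  []byte // AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce, Body []byte // AES-256-GCM nonce and ciphertext
}

// Protector is the sending side of a confidentiality policy for one recipient.
// maxUses is this model's reuse setting: 1 means a fresh AES key (and a fresh
// RSA wrap) for every message; N lets one key protect N messages.
type Protector struct {
	recipient    *rsa.PublicKey
	maxUses      int
	aead         cipher.AEAD // current AES-GCM key, nil until first use
	wrapped      []byte      // that key, wrapped for the recipient
	used, RSAOps int         // RSAOps counts the expensive wrap operations
}

func (p *Protector) Protect(dest string, plaintext []byte) (*Envelope, error) {
	if p.aead == nil || p.used >= p.maxUses {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, p.recipient, key, nil)
		if err != nil {
			return nil, err
		}
		block, _ := aes.NewCipher(key) // neither constructor fails for a 32-byte key
		p.aead, _ = cipher.NewGCM(block)
		p.wrapped, p.used, p.RSAOps = wrapped, 0, p.RSAOps+1
	}
	p.used++
	// A fresh random 96-bit nonce per message is what makes reusing the key
	// safe; keep the reuse count far below GCM's per-key message limit.
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := p.aead.Seal(nil, nonce, plaintext, nil)
	return &Envelope{Dest: dest, WrappedKey: p.wrapped, Nonce: nonce, Body: body}, nil
}

// Unprotector is the receiving application: each distinct wrapped key is
// unwrapped once and cached, so reuse cuts the RSA cost on this side too.
type Unprotector struct {
	priv   *rsa.PrivateKey
	cache  map[string]cipher.AEAD
	RSAOps int
}

func (u *Unprotector) Unprotect(e *Envelope) ([]byte, error) {
	aead, ok := u.cache[string(e.WrappedKey)]
	if !ok {
		key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, u.priv, e.WrappedKey, nil)
		if err != nil {
			return nil, err // not a named recipient: the body stays unreadable
		}
		block, _ := aes.NewCipher(key)
		aead, _ = cipher.NewGCM(block)
		u.cache[string(e.WrappedKey)], u.RSAOps = aead, u.RSAOps+1
	}
	return aead.Open(nil, e.Nonce, e.Body, nil)
}

// RunPolicy sends n constructed messages under one reuse setting, checks each
// is recovered intact, and returns the RSA operation count on each side.
func RunPolicy(maxUses, n int) (senderRSA, receiverRSA int, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, 0, err
	}
	p := &Protector{recipient: &priv.PublicKey, maxUses: maxUses}
	u := &Unprotector{priv: priv, cache: map[string]cipher.AEAD{}}
	for i := 0; i < n; i++ {
		msg := []byte(fmt.Sprintf("order %d for customer 4711", i))
		env, err := p.Protect("ORDERS.Q", msg)
		if err != nil {
			return 0, 0, err
		}
		if got, err := u.Unprotect(env); err != nil || string(got) != string(msg) {
			return 0, 0, fmt.Errorf("message %d not recovered: %v", i, err)
		}
	}
	return p.RSAOps, u.RSAOps, nil
}

func main() {
	s1, r1, _ := RunPolicy(1, 100)
	s32, r32, _ := RunPolicy(32, 100)
	// prints: RSA ops for 100 messages (sender/receiver): reuse=1 100 100 reuse=32 4 4
	fmt.Println("RSA ops for 100 messages (sender/receiver): reuse=1", s1, r1, "reuse=32", s32, r32)
}
```

Running it shows the trade-off the V9 post describes: with no reuse every message costs one RSA wrap on the sender and one RSA unwrap on the receiver, while a reuse setting of 32 brings 100 messages down to 4 of each, with every message still individually AES-GCM encrypted under a fresh nonce. Anything in transit that is not the named recipient, an intermediate queue manager, its administrator or its disk, sees only Dest, the wrapped key and ciphertext; the receiver’s cache is keyed by the wrapped key bytes, so it holds nothing an intermediary could not already see.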
