Your responsibilities with using IBM MQ on Cloud

Learn about the responsibilities you have when you use IBM MQ on IBM Cloud. For overall terms of use, see Cloud Services terms.

Overview of shared responsibilities

IBM MQ on IBM Cloud is a managed service in the IBM Cloud shared responsibility model. Review the following table of who is responsible for particular cloud resources when using IBM MQ on IBM Cloud. Then, you can view more granular tasks for shared responsibilities in Tasks for shared responsibilities by area.

Table 1. Responsibilities by resource.
The rows are read from left to right. The resource area of comparing responsibilities is in the first column. The next five columns describe whether you, IBM, or both have shared responsibilities for a particular area.
Resource	Incident and operations management	Change management	Identity and access management	Security and regulation compliance	Disaster Recovery
Data	You	You	You	You	You
Applications	You	You	You	You	You
Observability	Shared	IBM	Shared	IBM	IBM
Queue manager	Shared	Shared	Shared	Shared	Shared
Certificates	Shared	IBM	IBM	IBM	IBM
App networking	IBM	IBM	IBM	IBM	IBM
Cluster networking	IBM	IBM	IBM	IBM	IBM
Cluster version	IBM	IBM	IBM	IBM	IBM
Worker nodes	IBM	IBM	IBM	IBM	IBM
Master	IBM	IBM	IBM	IBM	IBM
Service	IBM	IBM	IBM	IBM	IBM
Virtual storage	IBM	IBM	IBM	IBM	IBM
Virtual network	IBM	IBM	IBM	IBM	IBM
Hypervisor	IBM	IBM	IBM	IBM	IBM
Physical servers and memory	IBM	IBM	IBM	IBM	IBM
Physical storage	IBM	IBM	IBM	IBM	IBM
Physical network and devices	IBM	IBM	IBM	IBM	IBM
Facilities and Data Centers	IBM	IBM	IBM	IBM	IBM

Tasks for shared responsibilities by area

After reviewing the overview, see what tasks you and IBM share responsibility for each area and resource when you use IBM MQ on IBM Cloud.

Incident and operations management

You and IBM share responsibilities for the set up and maintenance of your IBM MQ on IBM Cloud environment. You are responsible for incident and operations management of your application data.

Table 2. Responsibilities for incident and operations management
The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column.
Resource	IBM responsibilities	Your responsibilities
Observability	Provide Log Analysis and Monitoring as managed add-ons to enable observability of your IBM MQ on IBM Cloud. Maintenance is simplified for you because IBM provides the installation and updates for the managed add-ons. Provide integration with Activity Tracker and send IBM MQ on IBM Cloud API events for auditability.	Set up and monitor the health of your queue manager logs. Setup and monitor events in Activity Tracker
Queue manager	Provide a highly available queue manager deployment Configure channels and queues for testing purposes Monitoring of queue manager availability	Select the queue manager size based on messaging requirements Monitor IBM Cloud status for planned maintenance Configuring and monitoring queue depth to ensure storage requirements do not exceed limits Monitoring open connections to ensure they do need exceed limits Configure multiple queue managers in different regions to provide additional high availability
Certificates	Provide Let's Encrypt signed certificates Refresh provided certificates before expiry	Optionally: Import user defined certificate chains Ensure that user provided certificates do not expire Configure certificate usage on queue manager channels

Change Management

You and IBM share responsibilities for managing queue manager changes in the IBM MQ on IBM Cloud environment. You are responsible for change management of your application data.

Table 3. Responsibilities for change management
The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column.
Resource	IBM responsibilities	Your responsibilities
Queue manager	Automatic upgrade to the latest revision	Managing queue manager configuration Optional: manually upgrade queue managers to the latest revision before automatic upgrade

Identity and access management

You and IBM share responsibilities for controlling access to the IBM MQ on IBM Cloud environment. You are responsible for identity and access management of your application data.

Table 4. Responsibilities for identity and access management
The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column.
Resource	IBM responsibilities	Your responsibilities
Observability	Provide the ability to integrate IBM Cloud Activity Tracker to audit the actions that users take in IBM MQ on IBM Cloud.	Set up IBM Cloud Activity Tracker or other capabilities to track user activity.
Queue Manager	Configure specified IBM Cloud users and applications with the required IAM policies Provide API keys for user and applications to authenticate	Define the users and applications that have access to queue managers Configure authority records for queue manager specific resources

Security and regulation compliance

IBM is responsible for the security and compliance of the IBM MQ on IBM Cloud service. You and IBM share responsibilities for the security and compliance of the queue managers. You are responsible for security and regulation compliance of your application data.

Table 5. Responsibilities for security compliance
The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column.
Resource	IBM responsibilities	Your responsibilities
Queue Manager	Maintain controls to meet industry compliance standards such as ISO27k Provide default queue manager resources that are TLS enabled Monitor, isolate, and recover the queue manager Automatically apply security patch updates Disable certain insecure actions such as channel exits Continuously monitor queue manager images to detect vulnerability and security compliance issue	Configure queue manager security such as TLS and AMS on queue manager resources Configure authority records for queue manager resources to limit access to only required users and applications

Disaster recovery

You and IBM share responsibilities for the set up and maintenance of your IBM MQ on IBM Cloud environment. You are responsible for disaster recovery of your application data.

Table 6. Responsibilities for disaster recovery
The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column.
Resource	IBM responsibilities	Your responsibilities
Queue Manager	Backup queue manager configuration daily Recover required infrastructure Provision new infrastructure in a backup availability zone, if recovery is not possible Redeploy queue managers to new availability zone Restore queue manager configuration from previous backup	Register for disaster recovery notifications Reset channel sequence numbers so that channels will successfully communicate

Applications and data

You are completely responsible for the applications and data that you use with IBM MQ on IBM Cloud . However, IBM provides various tools to help you set up, manage, secure, integrate and optimize your apps as described in the following table.

Table 7. Applications and data
The rows are read from left to right. The resource area of comparing responsibilities is in the first column, with the responsibilities of IBM in the second column and your responsibilities in the third column.
Resource	How IBM helps	What you can do
Applications	Provide default queue manager configuration to allow applications to connect securely Provide sample applications such as MQ JMS client Generate an API key that is used to access queue managers Provide application connection configuration in JSON CCDT format	Maintain responsibility for your apps, data, and their complete lifecycle Configure applications for high availability Manage open connections to ensure the maximum queue manager limit is not exceeded
Data	Provide encrypted persistent storage for persistent messages Separation of storage from queue manager runtime allowing queue managers to recover within an availablity zone with no data loss	Maintain responsibility for your data and how your apps consume the data Control queue sizes to prevent storage limits being exceeded Encrypt message payload in transit and at rest using Advanced Message Security (AMS)