tkaravind (Acolyte; joined 24 Jul 2001; 64 posts)
Posted: Fri May 02, 2025 1:37 pm    Post subject: GCM Cipher Data limit - AMQ9288E
Hi,
I have recently had errors in the MQ logs for the channels using GCM ciphers.
This is the AMQ9288E.
Upon reading further I see:
The channel is reset after 23726566 are sent on the sender channel. It uses TLS_RSA_WITH_AES_256_GCM_SHA384. This is due to the limit on the cipher as per the GSKit provider used in MQ.
Once the limit is reached the channel will abort and then a new session key is generated by re-negotiation. During this time an SSL handshake will happen.
Questions:
How does one translate 23726566 into bytes? I see this is the no. of TLS records?
Will this reset temporarily block the affected channel for some time until it completes, along with the SSL handshake?
Thanks
bruce2359 (Poobah; joined 05 Jan 2008; 9472 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Fri May 02, 2025 2:14 pm
tkaravind (Acolyte; joined 24 Jul 2001; 64 posts)
Posted: Sat May 03, 2025 1:14 am
Thanks. There is this one line here:
-------
Automatic Key Updates
When using AES GCM in TLS 1.3, keys will be updated transparently every 2^24.5 (23,726,566) records.
-------
I take that to be with an automatic channel terminate/restart.
But I still can't find how to translate these TLS records to bytes.
bruce2359 (Poobah; joined 05 Jan 2008; 9472 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Sat May 03, 2025 8:06 am
For curiosity? Or for what purpose?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
tkaravind (Acolyte; joined 24 Jul 2001; 64 posts)
Posted: Sat May 03, 2025 12:24 pm
Even just to know whether one needs to plan around this, if it is too bad.
There are low-volume channels that we won't bother touching if the byte value turns out to be too high, as it won't block these channels frequently.
bruce2359 (Poobah; joined 05 Jan 2008; 9472 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Sat May 03, 2025 1:12 pm
Handshake should be subsecond. Other than the AMQ9288E, what problem are you seeing? Missed SLAs, for example?
Last edited by bruce2359 on Sat May 03, 2025 6:39 pm; edited 1 time in total
bruce2359 (Poobah; joined 05 Jan 2008; 9472 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Sat May 03, 2025 1:33 pm
From https://www.ibm.com/docs/en/ibm-mq/9.4.x?topic=multiplatforms-amq9xxx-remote
    Response
    This error can be avoided in one of the following ways:
    (a) Use secret key reset to ensure that the session key is reset before the data transfer limit is exceeded.
    (b) Use a stronger CipherSpec which is not subject to a data transfer limit.
tkaravind (Acolyte; joined 24 Jul 2001; 64 posts)
Posted: Sun May 04, 2025 3:46 am
It's not a real issue yet, just something new we observed in the logs. The channels took 10-15 secs to resume from the time the errors were reported. Depending on how the apps are set up, this could cause timeouts in a request-reply scenario. If it comes to that, yes, we will remediate with one of the steps mentioned.
hughson (Padawan; joined 09 May 2013; 1961 posts; location: Bay of Plenty, New Zealand)
Posted: Tue May 06, 2025 12:20 am    Post subject: Re: GCM Cipher Data limit - AMQ9288E
tkaravind wrote:
    How does one translate 23726566 into bytes? I see this is the no. of TLS records?
According to the message explanation:
IBM mqrc tool wrote:
    EXPLANATION:
    CipherSpec '<insert two>' has reached a data transfer limit of 2222 (the transfer limit is expressed in terms of TLS records for GCM ciphers, or MB for all other ciphers).
If you have a GCM cipher, then you multiply the size of a TLS record (16KB) by the number shown.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
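Putting the conversion from the reply above, and the earlier questions about how often a channel will hit the limit and about the byte-counted key reset, into numbers. This is an added worked example, not code from the thread, from IBM or from MQGem. It assumes a full-size TLS record carries 16384 plaintext bytes (the "16KB" above; 2^14 is the TLSPlaintext fragment maximum in RFC 8446 section 5.1) and that the limit is 2^24.5 full-size records, which is the 23,726,566 quoted in the message (RFC 8446 section 5.5); the throughput figures and the 50 MB reset threshold are made-up sample values. The byte figure hides one thing a practitioner should check: the limit counts records, so 16 KB times the count is only an upper bound, and a channel that sends many small messages (each its own record) reaches the limit at far fewer bytes. Note also that the transparent KeyUpdate quoted from the TLS 1.3 documentation does not exist in TLS 1.2, and TLS_RSA_WITH_AES_256_GCM_SHA384 is a TLS 1.2 CipherSpec, so on that channel reaching the limit ends in the restart and handshake described in the first post.

```python
"""
Added worked example (not from the thread, IBM or MQGem): convert the AMQ9288E
GCM record limit into bytes and estimate how often a channel will reach it.

Assumptions (also stated in the lead-in):
  * a full-size TLS record carries 16384 plaintext bytes (RFC 8446 s.5.1);
  * the limit is floor(2**24.5) = 23,726,566 records (RFC 8446 s.5.5), the
    number quoted in the AMQ9288E message;
  * the throughput and 50 MB reset-threshold values in main() are made up.
"""
import math

TLS_MAX_PLAINTEXT_RECORD = 1 << 14   # 16384 plaintext bytes in a full-size record
GCM_RECORD_LIMIT = 23_726_566        # floor(2**24.5) records, as in AMQ9288E
assert GCM_RECORD_LIMIT == int(2 ** 24.5)


def gcm_limit_bytes(record_size=TLS_MAX_PLAINTEXT_RECORD):
    """Most plaintext bytes one session key can protect before the record limit.
    Only reached if every record is full-size, so this is an upper bound."""
    return GCM_RECORD_LIMIT * record_size


def records_for_bytes(total_bytes, record_size=TLS_MAX_PLAINTEXT_RECORD):
    """Records needed to carry total_bytes when each record holds record_size bytes."""
    if record_size <= 0:
        raise ValueError("record_size must be positive")
    return math.ceil(total_bytes / record_size)


def limit_exceeded(total_bytes, record_size=TLS_MAX_PLAINTEXT_RECORD):
    """True once the record count for total_bytes passes the GCM limit."""
    return records_for_bytes(total_bytes, record_size) > GCM_RECORD_LIMIT


def seconds_until_limit(bytes_per_second, avg_record_size=TLS_MAX_PLAINTEXT_RECORD):
    """Seconds for a channel to send GCM_RECORD_LIMIT records at a given byte
    rate and average record size. Small messages mean small records, so a
    chatty channel with low byte volume can hit the limit much sooner than
    gcm_limit_bytes() suggests."""
    if bytes_per_second <= 0 or avg_record_size <= 0:
        raise ValueError("rate and record size must be positive")
    records_per_second = bytes_per_second / avg_record_size
    return GCM_RECORD_LIMIT / records_per_second


def min_avg_record_for_byte_reset(reset_threshold_bytes):
    """Smallest average record size at which a byte-counted key reset (the
    'secret key reset' in the IBM response, which MQ counts in bytes) is
    guaranteed to fire before GCM_RECORD_LIMIT records have been sent."""
    return reset_threshold_bytes / GCM_RECORD_LIMIT


if __name__ == "__main__":
    bound = gcm_limit_bytes()
    print(f"upper bound per session key: {bound:,} bytes (~{bound / 2**30:.0f} GiB)")
    # made-up sample: 50 KB/s of full-size records vs 50 KB/s of 200-byte records
    full = seconds_until_limit(50_000)
    small = seconds_until_limit(50_000, avg_record_size=200)
    print(f"50 KB/s, 16 KiB records: limit in {full / 86400:.1f} days")
    print(f"50 KB/s, 200-byte records: limit in {small / 3600:.1f} hours")
    # made-up sample reset threshold of 50 MB
    print(f"a 50 MB byte reset fires first if the average record exceeds "
          f"{min_avg_record_for_byte_reset(50_000_000):.2f} bytes")
```

At the same 50 KB/s, full-size records take about 90 days to reach the limit while 200-byte records take about 26 hours, which is why a "low volume" channel measured in bytes can still restart daily if it carries small request/reply messages. The last function shows that any realistic byte-counted reset threshold fires long before the record limit: even a 50 MB threshold only needs the average record to exceed about 2 bytes.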