mqusr |
Posted: Tue Jul 23, 2019 5:07 am Post subject: AMQ9034 error in implementing MQ AMS |
|
|
Novice
Joined: 24 Feb 2018 Posts: 20
|
Hi All,
We are trying to implement AMS between 2 Java applications. MQ server and client version is 8.0.0.11.
Both client applications are using IBM Java 8 and AIX as OS.
Keystore creation, signer exchange, keystore.conf and AMS policy setting have been done.
However, when my application tries to put message in the queue, we are getting 2063 error at the application end. In the MQ logs, we are getting the below error.
AMQ9034: Message does not have a valid protection type.
EXPLANATION:
The WebSphere MQ security policy interceptor detected an invalid protection
type in a message header. This usually occurs because the WebSphere MQ message
header is not valid.
ACTION:
Retry the operation. If the problem persists, contact your IBM service
representative.
Any pointers would be helpful. Why would I get AMQ9034 error?
Regards,
mqusr |
Vitor |
Posted: Tue Jul 23, 2019 5:41 am Post subject: Re: AMQ9034 error in implementing MQ AMS |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mqusr wrote: |
Any pointers would be helpful. Why would I get AMQ9034 error? |
Because your policy isn't what you think it is?
I'm assuming here the application can put a message successfully without AMS in place. If not, I've found your problem.....
 _________________ Honesty is the best policy.
Insanity is the best defence. |
mqusr |
Posted: Tue Jul 23, 2019 9:38 pm Post subject: |
|
|
Novice
Joined: 24 Feb 2018 Posts: 20
|
Thanks, Vitor. Yes, the application fails to put a message to the queue with the error 2063 with AMS. Without AMS, messaging works fine.
I am using a straightforward sign and encrypt policy with signing algorithm as SHA256 and encryption as AES256 with the CN of the specific recipient.
Where could I be going wrong in this? Is there any log or trace that I can enable to find where I may be going wrong?
Thanks and Regards. |
Vitor |
Posted: Wed Jul 24, 2019 5:07 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
mqusr wrote: |
Where could I be going wrong in this? |
Almost anywhere. I'm not a fan of AMS as it always seems that once you have your ducks in a row, it transpires that you have the wrong number of ducks (with no clue what the right number is) and they are supposed to be describing a complex geometric pattern.
I would start with putting a test message with amqsputc just to eliminate the possibility JMS is doing something interesting with the header that's confusing things.
Also absolutely check the policy matches the queue being protected. Eliminate a finger problem.
mqusr wrote: |
Is there any log or trace that I can enable to find where I may be going wrong. |
I'm not aware of one; others may know better and I invite them to comment. _________________ Honesty is the best policy.
Insanity is the best defence. |
fjb_saper |
Posted: Wed Jul 24, 2019 7:52 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Did you set up the java interceptor on the svrconn channel?  _________________ MQ & Broker admin |
mqusr |
Posted: Thu Jul 25, 2019 12:31 am Post subject: |
|
|
Novice
Joined: 24 Feb 2018 Posts: 20
|
Hi,
I am using MQ AMS and not MCA interception. Hence have not set interceptor on svrconn channel. |
fjb_saper |
Posted: Thu Jul 25, 2019 3:25 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
mqusr wrote: |
Hi,
I am using MQ AMS and not MCA interception. Hence have not set interceptor on svrconn channel. |
What does the AMS manual say about java/JMS and svrconn channel?  _________________ MQ & Broker admin |
hughson |
Posted: Thu Jul 25, 2019 7:25 pm Post subject: Re: AMQ9034 error in implementing MQ AMS |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
mqusr wrote: |
However, when my application tries to put message in the queue, we are getting 2063 error at the application end. In the MQ logs, we are getting the below error.
AMQ9034: Message does not have a valid protection type.
EXPLANATION:
The WebSphere MQ security policy interceptor detected an invalid protection
type in a message header. This usually occurs because the WebSphere MQ message
header is not valid.
ACTION:
Retry the operation. If the problem persists, contact your IBM service
representative. |
You describe this as happening at the putting end - I think this error looks more like it was at the getting end. Can you double check?
Also, if you'd like us to comment on whether your configuration is correct, can you describe it to us please?
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
mqusr |
Posted: Mon Jul 29, 2019 4:51 am Post subject: |
|
|
Novice
Joined: 24 Feb 2018 Posts: 20
|
Hi All,
We have been able to resolve the above reported error. The error was due to the absence of all required MQ jars at the client end which had to encrypt the message and put it in the queue.
We were initially only using the basic MQ jars for the implementation at the sender application. Now we have included all the MQ Java jars and are able to successfully perform a put into the queue.
However, now a new issue has cropped up. When the receiver application tries to read the message from the queue for further processing, it is sending the messages to SYSTEM.PROTECTION.ERROR.QUEUE. The problem is, all these messages in the error queue are in uncommitted state. Hence we are unable to take any action on them. Whenever we close the connection established by the receiver to the queue to process it, the encrypted messages again become available in the queue for processing.
Why would messages in the SYSTEM.PROTECTION.ERROR.QUEUE be in uncommitted state?
Just to add, as this is a request-response kind of flow, the receiver processes the message and sends the response to the sender (on another queue). We have set a policy on this queue and AMS works perfectly fine here.
Thanks and Regards |
mqusr |
Posted: Tue Jul 30, 2019 3:53 am Post subject: |
|
|
Novice
Joined: 24 Feb 2018 Posts: 20
|
Hi All,
Today, we have tried to use JMSConsumer sample application to read the messages from the queue instead of the receiver application.
The messages this time went to the SYSTEM.PROTECTION.ERROR.QUEUE with the below JMS error
$ java JmsConsumer -m QM1 -d Q1_IN -h localhost -p 1414 -l MY.SVRCONN
Could not initialize log file, java.nio.file.AccessDeniedException: mqjms.log.0.lck
July 30, 2019 1:03:30 PM IST[main] com.ibm.mq.ese.prot.MessageProtectionIBMJCEImpl
An internal error occurred: the signature algorithm 'SHA-1' received by the IBM WebSphere MQ Advanced Message Security Java interceptor is not valid.
The signature algorithm received by the Java interceptor is not valid.
Retry the failing operation. If the problem persists, contact your IBM service representative.
--------------------------------------------------------------------
July 30, 2019 1:03:30 PM IST[main] com.ibm.mq.ese.intercept.JmqiGetInterceptorImpl
The IBM WebSphere MQ Advanced Message Security Java interceptor failed to unprotect the received message.
An error occurred when the IBM WebSphere MQ Advanced Message Security Java interceptor was unprotecting the received message.
See subsequent messages in the exception for more details about the cause of the error
--------------------------------------------------------------------
July 30, 2019 1:03:30 PM IST[main] com.ibm.mq.ese.service.EseMQServiceImpl
The IBM WebSphere MQ Advanced Message Security interceptor has put a defective message on error handling queue 'SYSTEM.PROTECTION.ERROR.QUEUE '.
EXPLANATION:
This is an informational message that indicates the IBM WebSphere MQ Advanced Message Security put a message it could not interpret on the specified error handling queue.
ACTION:
Make sure only valid messages are put onto queues protected by IBM WebSphere MQ Advanced Message Security.
--------------------------------------------------------------------
com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2002: Failed to get a message from destination 'Q1_IN'.
WebSphere MQ classes for JMS attempted to perform an MQGET; however WebSphere MQ reported an error.
Use the linked exception to determine the cause of this error.
Inner exception(s):
com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2063' ('MQRC_SECURITY_ERROR').
FAILURE
We got the same error for the SHA-256 algorithm also.
The Java version being used at receiver is
java version "1.8.0_144"
Java(TM) SE Runtime Environment (build 8.0.5.0 - pap6480sr5-20170905_01(SR5))
IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References 20170901_363591 (JIT enabled, AOT enabled)
J9VM - d56eb84
JIT - tr.open_20170901_140853_d56eb84
OMR - b033a01)
JCL - 20170823_01 based on Oracle jdk8u144-b01
At the sender end, it is
java version "1.8.0"
Java(TM) SE Runtime Environment (build 8.0.5.0 - pap6480sr4fp10-20170727_01(SR4 FP10))
IBM J9 VM (build 2.8, JRE 1.8.0 AIX ppc64-64 Compressed References 20170722_357405 (JIT enabled, AOT enabled)
J9VM - R28_20170722_0201_B357405
JIT - tr.r14.java_20170722_357405
GC - R28_20170722_0201_B357405_CMPRSS
J9CL - 20170722_357405
JCL - 20170726_01 based on Oracle jdk8u144-b01
Any inputs on how to overcome this error will be very helpful.
Thanks and Regards,
mqusr |
fjb_saper |
Posted: Tue Jul 30, 2019 4:32 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Apparently you may have to look at both ends. You say you're using SHA-2 but the receiving end is complaining about SHA-1! Could it be that the sending end is not at the same MQ level as the receiving end, or not at the same Java fix pack? I seem to remember that depending on the MQ and Java fix pack there were a lot of changes in SSL/TLS about deprecated ciphersuites...
And remember for the system to work you can't have a policy mismatch between the sender and the receiver... Enjoy  _________________ MQ & Broker admin |
mqusr |
Posted: Tue Jul 30, 2019 4:42 am Post subject: |
|
|
Novice
Joined: 24 Feb 2018 Posts: 20
|
Thanks for the quick response.
What I mean is, whether the policy is set to SHA1 or SHA2, we get the same error of "algorithm not valid".
MQ versions are same.
Yes, there is a difference in the Java fixpack levels between sender and receiver though the main version is IBM Java 1.8.
Does Java fixpack level difference also impact the security implementation?
Thanks and Regards, |
fjb_saper |
Posted: Wed Jul 31, 2019 9:27 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
mqusr wrote: |
Thanks for the quick response.
What I mean is, whether the policy is set to SHA1 or SHA2, we get the same error of "algorithm not valid".
MQ versions are same.
Yes, there is a difference in the Java fixpack levels between sender and receiver though the main version is IBM Java 1.8.
Does Java fixpack level difference also impact the security implementation?
Thanks and Regards, |
Yes, the Java fix pack level makes a difference as some ciphers have been deprecated and some protocols are no longer accepted (TLS 1.0 vs TLS 1.2) etc...
Key size on the certs might also come into play...  _________________ MQ & Broker admin |
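
Added example, not from any poster in this thread: a small Java diagnostic to run under both the sender's and the receiver's JRE so the two outputs can be diffed, following the point above that the Java fix pack level makes a difference. The class name JceInventory is made up for this example; it uses only standard java.security and javax.crypto calls and does not connect to MQ.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Map;
import java.util.TreeMap;
import java.util.TreeSet;
import javax.crypto.Cipher;

// Hypothetical diagnostic class (name chosen for this example only).
public class JceInventory {

    // Map "provider name + version" -> sorted algorithm names for one
    // JCE service type such as "Signature" or "MessageDigest".
    static Map<String, TreeSet<String>> inventory(String serviceType) {
        Map<String, TreeSet<String>> out = new TreeMap<>();
        for (Provider p : Security.getProviders()) {
            String key = p.getName() + " " + p.getVersion();
            for (Provider.Service s : p.getServices()) {
                if (s.getType().equals(serviceType)) {
                    out.computeIfAbsent(key, k -> new TreeSet<>())
                       .add(s.getAlgorithm());
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // JRE identity: the two ends in the thread differ at this level.
        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("java.vm.version  = " + System.getProperty("java.vm.version"));
        System.out.println("java.runtime     = " + System.getProperty("java.runtime.version"));

        // Provider order decides which implementation answers a request.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("provider[" + (i + 1) + "]      = " + providers[i].getName());
        }

        // Largest AES key this JRE's jurisdiction policy permits, in bits.
        System.out.println("max AES key bits = " + Cipher.getMaxAllowedKeyLength("AES"));

        // Digest and signature algorithms each provider offers.
        for (String type : new String[] {"MessageDigest", "Signature"}) {
            for (Map.Entry<String, TreeSet<String>> e : inventory(type).entrySet()) {
                System.out.println(type + " @ " + e.getKey() + " : " + e.getValue());
            }
        }
    }
}
```

Run it with the same java binary and java.security settings that each application uses, then diff the sender's output against the receiver's; any difference in provider list, permitted AES key length or available SHA-1/SHA-256 algorithms is a lead to follow up.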