Known limitations of AMS

There are a number of IBM MQ options that are either not supported, or have limitations for Advanced Message Security.

  • The following IBM MQ options are not supported or have limitations:

      Publish/subscribe
      One of the major benefits of a publish/subscribe messaging model over point-to-point is that the sending and receiving applications do not need to know anything about each other for data to be sent and received. This benefit is negated by the use of Advanced Message Security policies, which must define the intended recipients or authorized signers. It is possible for an application to publish to a topic via an alias queue definition that is protected by a policy, and it is also possible for a subscribing application to get messages from a policy-protected queue. It is not possible to assign a policy directly to a topic string; policies can only be assigned to queue definitions.

      Channel data conversion
      The protected payload of an Advanced Message Security protected message is transmitted in binary format; this ensures that data conversion on a channel between applications does not invalidate the message digest. Applications retrieving messages from a policy-protected queue should request data conversion: conversion of the protected payload is attempted after the message has been successfully verified and unprotected.

      Distribution lists
      Advanced Message Security policies can be used to protect applications that put messages to distribution lists, provided each destination queue in the list has an identical policy defined. If inconsistent policies are identified when an application opens a distribution list, the open operation fails and a security error is returned to the application.

      Application message segmentation
      The size of a policy-protected message increases, so it is not possible for applications to accurately specify the segment boundaries of a message.

      Applications using IBM MQ classes for .NET in a managed mode (client connections)
      Applications using IBM MQ classes for .NET in a managed mode (client connections) are not supported. Note: MCA interception can be used to allow unsupported clients to use AMS.

      Message Service client for .NET (XMS) applications in a managed mode
      Message Service client for .NET (XMS) applications in a managed mode are not supported. Note: MCA interception can be used to allow unsupported clients to use AMS.

      IBM MQ queues processed by the IMS bridge
      IBM MQ queues processed by the IMS bridge are not supported. Note: AMS is supported on CICS bridge queues. You should use the same user ID for MQPUT (encrypt) and MQGET (decrypt) on CICS bridge queues.

      Put to waiting getter
      Put to waiting getter is not supported for getter applications against queues that have AMS policies defined for them.

      Server to server MCA interception
      From Version 9.1.3, on IBM MQ for z/OS, server to server MCA interception is only supported for sender, server, receiver and requestor channel types.

  • Users should avoid putting more than one certificate with the same Distinguished Name in a single keystore file, because the choice of which certificate to use when protecting a message is undefined.
  • AMS is not supported in JMS if the WMQ_PROVIDER_VERSION property is set to 6.
  • The AMS interceptor is not supported for AMQP or MQTT channels.
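The distribution list limitation above is a precondition an administrator can verify before deployment rather than discover as an MQOPEN security error. The following is an added example, not code from the IBM documentation: it assumes that `dspmqspl -m <qmgr> -export` prints one `setmqspl` command line per policy (the export format is an assumption here), parses those lines, and reports any destination queue whose signing algorithm, encryption algorithm, signer or recipient DNs, or toleration flag differs from the others. The queue names, queue manager name and DNs in the sample export are constructed for the example.

```python
"""Check that every destination queue of a distribution list carries an
identical AMS policy, the precondition the documentation states for a
put to a distribution list to succeed.

Added example, not part of the IBM documentation. It assumes the output of
`dspmqspl -m <qmgr> -export` is one `setmqspl ...` command line per policy.
The sample export below is constructed for the example.
"""
import shlex
from dataclasses import dataclass

# Constructed sample: what `dspmqspl -m QM1 -export` is assumed to print for
# three queues. PAY.Q1 and PAY.Q2 match; PAY.Q3 names a different recipient.
SAMPLE_EXPORT = """\
setmqspl -m QM1 -p PAY.Q1 -s SHA256 -e AES256 -a "CN=payroll,O=Example" -r "CN=ledger,O=Example" -t 0
setmqspl -m QM1 -p PAY.Q2 -s SHA256 -e AES256 -a "CN=payroll,O=Example" -r "CN=ledger,O=Example" -t 0
setmqspl -m QM1 -p PAY.Q3 -s SHA256 -e AES256 -a "CN=payroll,O=Example" -r "CN=audit,O=Example" -t 0
"""


@dataclass(frozen=True)
class Policy:
    qmgr: str
    queue: str             # AMS policies are named after the queue they protect
    sign_alg: str          # -s: signing algorithm (NONE, SHA256, ...)
    enc_alg: str           # -e: encryption algorithm (NONE, AES128, AES256, ...)
    signers: frozenset     # -a: authorized signer DNs (repeatable)
    recipients: frozenset  # -r: intended recipient DNs (repeatable)
    toleration: str        # -t: 0 or 1


def parse_export(text):
    """Parse setmqspl command lines into a dict keyed by queue (policy) name."""
    policies = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # honours the quoted DNs
        if not tokens or tokens[0] != "setmqspl":
            continue
        opts = {"-a": [], "-r": []}
        i = 1
        while i + 1 < len(tokens):
            flag, val = tokens[i], tokens[i + 1]
            if flag in ("-a", "-r"):
                opts[flag].append(val)
            else:
                opts[flag] = val
            i += 2
        p = Policy(
            qmgr=opts["-m"],
            queue=opts["-p"],
            sign_alg=opts.get("-s", "NONE"),
            enc_alg=opts.get("-e", "NONE"),
            signers=frozenset(opts["-a"]),
            recipients=frozenset(opts["-r"]),
            toleration=opts.get("-t", "0"),
        )
        policies[p.queue] = p
    return policies


def check_distribution_list(policies, queues):
    """Return human-readable mismatches for the given destination queues.

    An empty list means every queue has a policy and all policies are
    identical, so an MQOPEN of the distribution list will not fail on
    policy inconsistency.
    """
    problems = [f"{q}: no AMS policy defined" for q in queues if q not in policies]
    present = [policies[q] for q in queues if q in policies]
    if len(present) < 2:
        return problems
    ref = present[0]
    for p in present[1:]:
        for attr in ("sign_alg", "enc_alg", "signers", "recipients", "toleration"):
            a, b = getattr(ref, attr), getattr(p, attr)
            if a != b:
                problems.append(
                    f"{p.queue}: {attr} differs from {ref.queue} ({b!r} vs {a!r})"
                )
    return problems


if __name__ == "__main__":
    pol = parse_export(SAMPLE_EXPORT)
    for dist_list in (["PAY.Q1", "PAY.Q2"], ["PAY.Q1", "PAY.Q2", "PAY.Q3"]):
        print(dist_list, check_distribution_list(pol, dist_list) or "consistent")
```

On a live system the export would come from running `dspmqspl` against the queue manager and piping its output into `parse_export`; the check treats a destination queue with no policy at all as a mismatch, since the documentation requires every queue in the list to carry the same policy.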
