Disabling Advanced Message Security at the client

You need to disable IBM MQ Advanced Message Security (AMS) if you are using a Version 7.5 or later client to connect to a queue manager from an earlier version of the product and a 2085 (MQRC_UNKNOWN_OBJECT_NAME) error is reported.


From Version 7.5, IBM MQ Advanced Message Security (AMS) is automatically enabled in an IBM MQ client and so, by default, the client tries to check the security policies for objects at the queue manager. However, servers on earlier versions of the product, for example Version 7.1, do not have AMS enabled and this causes 2085 (MQRC_UNKNOWN_OBJECT_NAME) error to be reported.

If this error is reported, when you are trying to connect to a queue manager from an earlier version of the product, we can disable AMS as follows:

  • For Java clients, in any of the following ways:

    • By setting an environment variable AMQ_DISABLE_CLIENT_AMS.
    • By setting the Java system property com.ibm.mq.cfg.AMQ_DISABLE_CLIENT_AMS.
    • By using the DisableClientAMS property, under the Security stanza in the mqclient.ini file.
  • For C clients, in either of the following ways:

    • By setting an environment variable MQS_DISABLE_ALL_INTERCEPT.
    • By using the DisableClientAMS property, under the Security stanza in the mqclient.ini file.
Note: In Version 7.5, you could also use the environment variable AMQ_DISABLE_CLIENT_AMS. for C clients. From IBM MQ Version 8.0, we can no longer use the AMQ_DISABLE_CLIENT_AMS environment variable for C clients. You need to use the MQS_DISABLE_ALL_INTERCEPT environment variable instead.


Procedure

To disable AMS at the client, use one of the following options:

    AMQ_DISABLE_CLIENT_AMS environment variable
    You need to set this variable in the following cases:

    • If you are using Java Runtime Environment (JRE) other than the IBM Java Runtime Environment (JRE)
    • If you are using Version 7.5, or later IBM MQ classes for JMS or IBM MQ classes for Java client.
    Create the AMQ_DISABLE_CLIENT_AMS environment variable and set it to TRUE in the environment where the application is running. For example:
    export AMQ_DISABLE_CLIENT_AMS=TRUE

    Java system property com.ibm.mq.cfg.AMQ_DISABLE_CLIENT_AMS
    For IBM MQ classes for JMS and IBM MQ classes for Java clients, we can set the Java system property com.ibm.mq.cfg.AMQ_DISABLE_CLIENT_AMS to the value TRUE for the Java application.
    For example, we can set the Java system property as a -D option when the Java command is invoked:
    java -Dcom.ibm.mq.cfg.AMQ_DISABLE_CLIENT_AMS=TRUE -cp <MQ_INSTALLATION_PATH>/java/lib/com.ibm.mqjms.jar  my.java.applicationClass
    Alternatively, we can specify the Java system property within a JMS configuration file, jms.config, if the application uses this file.

    MQS_DISABLE_ALL_INTERCEPT environment variable
    You need to set this variable if you are using Version 8.0 or later with native clients and you need to disable AMS at the client.
    Create the environment variable MQS_DISABLE_ALL_INTERCEPT and set it to TRUE in the environment where the client is running. For example:
    export MQS_DISABLE_ALL_INTERCEPT =TRUE
    We can use the MQS_DISABLE_ALL_INTERCEPT environment variable for C clients only. For Java clients, you need to use the AMQ_DISABLE_CLIENT_AMS environment variable instead.

    DisableClientAMS property in the mqclient.ini file
    We can use this option for IBM MQ classes for JMS and IBM MQ classes for Java clients, and for C clients.
    Add the property name DisableClientAMS under the Security stanza of the mqclient.ini file as shown in the following example:
    Security:
DisableClientAMS=Yes
    We can also enable AMS as shown in the following example:
    Security:
DisableClientAMS=No


What to do next

For more information on problems with opening AMS protected queues, see Problems opening protected queues when using JMS.