Problems opening protected queues when using JMS
Various problems can arise when you open protected queues when using Advanced Message Security.
You are running JMS and you receive error 2085 (MQRC_UNKNOWN_OBJECT_NAME) together with error JMSMQ2008.
You have verified that you have set up AMS as described in Quick Start Guide for AMS with Java clients.
A possible cause is that you are using a non-IBM Java Runtime Environment. This is a known limitation described in Known limitations of AMS.
You have not set the AMQ_DISABLE_CLIENT_AMS environment variable.
Resolving the problem
There are four options for working around this problem:
- Start your JMS application under a supported IBM Java Runtime Environment (JRE).
- Move the application to the same machine where your queue manager is running and have it connect using a bindings mode connection.
A bindings mode connection uses platform native libraries to perform the IBM MQ API calls. Accordingly, the native AMS interceptor is used to perform the AMS operations and there is no reliance on the capabilities of the JRE.
- Use an MCA interceptor, because this allows signing and encryption of messages as soon as they arrive at the queue manager, without the need for the client to perform any AMS processing.
Given that the protection is applied at the queue manager, an alternate mechanism must be used to protect the messages in transit from the client to the queue manager. Most commonly this is achieved by configuring TLS encryption on the server connection channel used by the application.
- Set the AMQ_DISABLE_CLIENT_AMS environment variable if you do not want to use AMS.
See Message Channel Agent (MCA) interception for further information.
Note: A security policy must be in place for each queue that the MCA Interceptor will deliver messages onto. In other words, the target queue needs to have an AMS security policy in place with the distinguished name (DN) of the signer and recipient matching that of the certificate assigned to the MCA Interceptor. That is, the DN of the certificate designated by the cms.certificate.channel.SYSTEM.DEF.SVRCONN property in the keystore.conf used by the queue manager.
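The requirement in the Note can be checked before messages are sent. The following Python sketch is an added example, not IBM code: it resolves the certificate label that keystore.conf assigns to a channel and confirms that the certificate's DN appears in both the signer and recipient lists of the target queue's policy. The keystore path, certificate label, DNs and function names are constructed for illustration, and the signer and recipient lists are assumed to have been copied from the queue's policy by the administrator.

```python
# Constructed sample: keystore.conf as used by the queue manager (path and label are made up).
KEYSTORE_CONF = """\
cms.keystore = /var/mqm/qmgrs/QM1/ams/keystore
cms.certificate.channel.SYSTEM.DEF.SVRCONN = mca_interceptor_cert
"""
# Constructed sample: certificate label -> subject DN, as read from the keystore.
CERT_DNS = {"mca_interceptor_cert": "CN=mcaint,O=Example,C=GB"}


def channel_cert_label(conf_text, channel):
    """Return the label that cms.certificate.channel.<channel> designates, or None."""
    key = "cms.certificate.channel." + channel
    for line in conf_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None


def check_mca_policy(conf_text, channel, cert_dns, signers, recipients):
    """Return a list of problems; an empty list means the policy names the interceptor's DN."""
    label = channel_cert_label(conf_text, channel)
    if label is None:
        return ["keystore.conf has no cms.certificate.channel.%s entry" % channel]
    if label not in cert_dns:
        return ["certificate label %r is not in the keystore" % label]
    dn = cert_dns[label].strip()
    problems = []
    # Exact string comparison on purpose: any difference in the DN is reported as a mismatch.
    if dn not in [s.strip() for s in signers]:
        problems.append("signer DNs do not include " + dn)
    if dn not in [r.strip() for r in recipients]:
        problems.append("recipient DNs do not include " + dn)
    return problems


if __name__ == "__main__":
    dn = "CN=mcaint,O=Example,C=GB"
    other = "CN=bob,O=Example,C=GB"
    print(check_mca_policy(KEYSTORE_CONF, "SYSTEM.DEF.SVRCONN", CERT_DNS, [dn], [dn]))
    print(check_mca_policy(KEYSTORE_CONF, "SYSTEM.DEF.SVRCONN", CERT_DNS, [dn], [other]))
```

An empty result means the policy and the channel's certificate agree; each returned string names the part of the policy or keystore.conf that needs correcting.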