IBM MQ Advanced Message Security (IBM MQ AMS) is a component of IBM MQ that provides a high level of protection for sensitive data flowing through the IBM MQ network without impacting the end applications. MQ applications can use AMS to send sensitive data, such as high-value financial transactions and personal information, with different levels of protection by using a public key cryptography model. MQ also provides the option of handling undelivered messages using dead-letter queues. Each queue manager typically has a local queue to use as a dead-letter queue (DLQ), so that messages that cannot be delivered to their correct destination can be stored for later retrieval. We can configure a queue manager to use a dead-letter queue and specify, using rules, how messages found on the DLQ are to be processed by the DLQ handler.
DLQ rules can be used within an AMS setup to handle messages that cannot be delivered. Such a setup can, however, lead to encrypted messages being delivered to the end application in an unreadable form. In an AMS setup, consider a scenario where messages are put to a DLQ because of some failure. The messages on the DLQ are already encrypted. When the DLQ handler puts them to the destination queue, they are encrypted again. The messages are now double encrypted, but a get decrypts them only once. So when the getting application gets a message from the queue, the message is still encrypted and unreadable by the end user.
Consider a sender-receiver setup with a DLQ configured on the receiver queue manager to handle the MQRC_Q_FULL condition. user1 puts a message to the remote queue on the sender queue manager QM1. On the receiver queue manager QM2, the destination queue TESTQ is full, so the messages are put to the dead-letter queue. The messages on the dead-letter queue are encrypted, which can be verified using the amqsbcg sample program. If QM2 is configured with a DLQ rule with ACTION(RETRY) for the queue-full condition, such as “REASON(MQRC_Q_FULL) ACTION(RETRY) RETRY(6)”, then when the DLQ handler runs, MQ retries the put of the messages to the destination queue TESTQ. AMS encrypts the already encrypted message again when the messages are put to the destination queue TESTQ. So when we try to get these double-encrypted messages from the destination queue, we still get an encrypted message.
The above scenario can be solved with the following two solutions:
– Using Alias queue
– Using environment variable MQS_DISABLE_ALL_INTERCEPT
Using alias queue
Define an alias queue targeting the destination queue. Configure the DLQ rule to requeue with “ACTION(FWD)” via an alias queue that points at the destination queue. The alias queue name must not have an AMS policy defined.
For example: DEFINE QALIAS(QA) TARGET(TESTQ)
Configure the DLQ rule with ACTION(FWD):
REASON(MQRC_Q_FULL) ACTION(FWD) FWDQ(QA) FWDQM(RECV) RETRY(5)
The above ensures that the encrypted messages on the dead-letter queue are forwarded to the destination queue without double encryption.
Using environment variable MQS_DISABLE_ALL_INTERCEPT
Setting the environment variable MQS_DISABLE_ALL_INTERCEPT to TRUE ensures there is no encryption or decryption when messages are put to or got from a queue. This variable needs to be set only in the environment where the dead-letter queue handler is running. This way the encrypted messages from the dead-letter queue are put to the destination queue without any further encryption.
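The following is an added illustration, not IBM MQ code: a toy model of the AMS interceptor around MQPUT/MQGET and of the DLQ handler, showing why an ACTION(RETRY) rule leaves a double-encrypted message on TESTQ while ACTION(FWD) via the policy-less alias QA, or running the handler with MQS_DISABLE_ALL_INTERCEPT=TRUE, does not. The queue topology (QUEUES), the ENC(...) stand-in for AMS encryption and the message text are constructed for the example; the model assumes, as the alias solution above implies, that the interceptor looks up the policy by the queue name the application opened.

```python
# Added illustration, not IBM MQ code: toy model of the AMS interceptor and the
# DLQ handler. Shows why ACTION(RETRY) double-encrypts and why ACTION(FWD)
# FWDQ(QA) (alias without a policy) or MQS_DISABLE_ALL_INTERCEPT=TRUE does not.
from collections import deque

# Constructed topology: opened name -> (resolved base queue, AMS policy defined?)
QUEUES = {"TESTQ": ("TESTQ", True), "QA": ("TESTQ", False), "DLQ": ("DLQ", False)}

# Reversible stand-in for AMS encryption: each intercepted put adds one layer.
def enc(msg): return "ENC(" + msg + ")"
def dec(msg): return msg[4:-1] if msg.startswith("ENC(") and msg.endswith(")") else msg

class QueueManager:
    def __init__(self):
        self.store = {q: deque() for q, (base, _) in QUEUES.items() if q == base}

    def put(self, opened, msg, intercept=True):
        # Assumption: the interceptor keys the policy on the name the application
        # opened, so a put through the policy-less alias QA reaches TESTQ untouched.
        base, policy = QUEUES[opened]
        self.store[base].append(enc(msg) if intercept and policy else msg)

    def get(self, opened, intercept=True):
        base, policy = QUEUES[opened]
        msg = self.store[base].popleft()
        return dec(msg) if intercept and policy else msg

def run_dlq_handler(qm, action, intercept=True):
    # Models runmqdlq applying one rule to every message on the DLQ;
    # intercept=False models MQS_DISABLE_ALL_INTERCEPT=TRUE in its environment.
    target = "TESTQ" if action == "RETRY" else "QA"   # ACTION(RETRY) vs FWDQ(QA)
    while qm.store["DLQ"]:
        qm.put(target, qm.get("DLQ", intercept), intercept)

def receive_after_dlq(action, handler_intercept=True):
    """Return what the receiving application reads from TESTQ."""
    qm = QueueManager()
    # Constructed message: it arrives over the channel already AMS-encrypted by
    # the sender; TESTQ is full (MQRC_Q_FULL) so the channel parks it on the DLQ.
    qm.store["DLQ"].append(enc("payment:100"))
    run_dlq_handler(qm, action, handler_intercept)
    return qm.get("TESTQ")   # application MQGET: AMS decrypts exactly once

if __name__ == "__main__":
    print("RETRY              :", receive_after_dlq("RETRY"))         # ENC(payment:100)
    print("FWD via alias QA   :", receive_after_dlq("FWD"))           # payment:100
    print("RETRY, no intercept:", receive_after_dlq("RETRY", False))  # payment:100
```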
Contributors: Anil Sahu