[AIX][MQ 9.4.0 Jun 2024][Linux]

Token authentication error codes

Use the codes and explanations to understand and correct errors that can be caused when using authentication tokens.

These tables document error codes, in decimal form, that are displayed in messages AMQ5783E, AMQ5784E, and AMQ5786E.

Table 1. Error codes for authentication token format or validation errors

Error code 101
Explanation: A required claim or header parameter is missing from the authentication token. The name of the missing claim or header parameter is included in the message explanation.
Response: Ensure that the authentication token contains all the required header parameters and claims. For more information about the requirements for authentication tokens that are supplied to IBM® MQ, see Working with authentication tokens.

Error code 102
Explanation: A claim or header parameter in the authentication token has an incorrect data type. For example, a string was specified as the value of a claim that must be an integer. The name of the claim or header parameter with the incorrect data type is included in the message explanation.
Response: Ensure that the value of the specified header parameter or claim has the data type that IBM MQ requires. For more information about the requirements for authentication tokens that are supplied to IBM MQ, see Working with authentication tokens.

Error code 103
Explanation: The value of the authentication token's type header parameter is incorrect. The value of the token's "typ" (type) header parameter must be "JWT".
Response: Obtain an authentication token with the correct value for the type header parameter.

Error code 104
Explanation: The format of the authentication token does not conform to the JSON Web Signature (JWS) standard.
Response: Obtain from your token issuer an authentication token that conforms to the JSON Web Signature (JWS) standard, that is, a JSON Web Token (JWT) that is secured with a digital signature or a Message Authentication Code (MAC).

Error code 105
Explanation: The header or payload of the authentication token is not valid JSON.
Response: Obtain a correctly formatted JWT from your token issuer.

Error code 106
Explanation: Validation of the authentication token's signature failed.
Response: Ensure that the queue manager's token authentication key repository contains either the authentication token issuer's public key certificate or the symmetric key that is used to sign the authentication token. The CertLabel attribute in the AuthToken stanza of the qm.ini file must reference the label of the certificate or symmetric key. Issue the REFRESH SECURITY TYPE(CONNAUTH) MQSC command to bring changes to the queue manager's token authentication configuration into effect.

Error code 107
Explanation: The queue manager is configured to adopt the user ID in the authentication token as the context for the application. The UserClaim attribute in the AuthToken stanza of the qm.ini file specifies the name of the claim that contains the user ID to be adopted. However, that claim is not present in the authentication token that is supplied by the application.
Response: Obtain an authentication token that contains a claim with the name that the UserClaim attribute in the AuthToken stanza of the qm.ini file specifies. The value of the claim must be the user ID to be adopted as the context for the application.

Error code 108
Explanation: The queue manager is configured to adopt the user ID in the authentication token as the context for the application. The UserClaim attribute in the AuthToken stanza of the qm.ini file specifies the name of the claim that contains the user ID to be adopted. However, the value of this claim in the authentication token does not meet the requirements for user IDs in authentication tokens.
Response: Ensure that the value of the token user claim meets the restrictions for user IDs in authentication tokens. For more information, see User IDs in authentication tokens.

Error code 109
Explanation: The algorithm that is used to sign the token is not supported. The value of the token's "alg" header parameter, which specifies the signing algorithm, is included in the message explanation.
Response: Obtain a token from your token issuer that is signed with an algorithm that IBM MQ supports. For more information about the supported signing algorithms, see Working with authentication tokens.

Error code 110
Explanation: No appropriate secret was found to validate an authentication token that was presented to the queue manager. The key ID claim name and value found in the token are included in the error message.
Response: If the error returned to the client is MQRC_SECURITY_ERROR, check connectivity between your queue manager and the authentication server. If the error returned to the client is MQRC_NOT_AUTHORIZED, confirm that this key is configured on the authentication server and included in the JWKS document that it provides for token-based authentication.

Error code 111
Explanation: No corresponding issuer information was found for the issuer that is set in the incoming JWT.
Response: Ensure that a JWKS stanza for this issuer name has been configured in the qm.ini file for this queue manager. If JWKS is not in use, ensure that a certificate that can validate signatures for this issuer has been configured in a local keystore, and that the AuthInfo stanza of qm.ini is configured to access this keystore.
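The Table 1 checks applied in order by a small validator written for this page (it is not IBM MQ's own code): it parses the compact JWS form, checks that header and payload are JSON, checks required header parameters and claims with their data types, the "typ" and "alg" values, looks up the issuer and key ID, verifies the signature and finally applies the UserClaim checks, returning the matching error code. Assumptions: tokens are HMAC-signed with a symmetric key (the page says symmetric keys are supported), REQUIRED_HEADERS, REQUIRED_CLAIMS and the user ID rule are constructed stand-ins for the lists in Working with authentication tokens and User IDs in authentication tokens, and the issuers dictionary stands in for the queue manager's key repository or JWKS configuration.

```python
import base64
import hashlib
import hmac
import json

# Constructed policy for this example; IBM MQ's definitive lists are in
# "Working with authentication tokens". These sets only stand in for them.
SUPPORTED_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
REQUIRED_HEADERS = {"alg": str, "typ": str, "kid": str}
REQUIRED_CLAIMS = {"iss": str, "exp": int, "iat": int}


def b64url_decode(s):
    # JWS uses unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _has_type(value, typ):
    # bool is a subclass of int in Python, so exclude it for integer claims
    return isinstance(value, typ) and not isinstance(value, bool)


def validate_token(token, issuers, user_claim=None):
    """Apply the Table 1 checks and return (error_code, detail); 0 means all passed.
    issuers maps issuer name -> {kid: shared_secret_bytes} and stands in for the
    queue manager's key configuration; user_claim mirrors the UserClaim attribute."""
    parts = token.split(".")
    if len(parts) != 3:
        return 104, "token is not JWS compact serialization (header.payload.signature)"
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError
        return 105, "header, payload or signature is not correctly encoded"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return 105, "header or payload is not a JSON object"
    for name, typ in REQUIRED_HEADERS.items():
        if name not in header:
            return 101, f"required header parameter {name!r} is missing"
        if not _has_type(header[name], typ):
            return 102, f"header parameter {name!r} has the wrong data type"
    for name, typ in REQUIRED_CLAIMS.items():
        if name not in payload:
            return 101, f"required claim {name!r} is missing"
        if not _has_type(payload[name], typ):
            return 102, f"claim {name!r} has the wrong data type"
    if header["typ"] != "JWT":
        return 103, f"typ header is {header['typ']!r}, must be 'JWT'"
    if header["alg"] not in SUPPORTED_ALGS:
        return 109, f"signing algorithm {header['alg']!r} is not supported"
    keys = issuers.get(payload["iss"])
    if keys is None:
        return 111, f"no key configuration for issuer {payload['iss']!r}"
    secret = keys.get(header["kid"])
    if secret is None:
        return 110, f"no key with kid={header['kid']!r} for issuer {payload['iss']!r}"
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(secret, signing_input, SUPPORTED_ALGS[header["alg"]]).digest()
    if not hmac.compare_digest(expected, signature):
        return 106, "signature verification failed"
    if user_claim is not None:
        if user_claim not in payload:
            return 107, f"UserClaim {user_claim!r} is not present in the token"
        uid = payload[user_claim]
        # Stand-in for the restrictions in "User IDs in authentication tokens":
        # here, a non-empty string that contains no whitespace.
        if not isinstance(uid, str) or not uid or any(c.isspace() for c in uid):
            return 108, f"value of UserClaim {user_claim!r} is not an acceptable user ID"
    return 0, "token passed all checks"


def make_token(header, payload, secret):
    """Build an HMAC-signed token for testing (constructed data, not a real issuer)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    digest = SUPPORTED_ALGS.get(header.get("alg"), hashlib.sha256)
    sig = hmac.new(secret, f"{h}.{p}".encode(), digest).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


# Constructed issuer configuration and token for a stand-alone run
ISSUERS = {"https://issuer.example": {"key-1": b"constructed-shared-secret"}}
HEADER = {"alg": "HS256", "typ": "JWT", "kid": "key-1"}
CLAIMS = {"iss": "https://issuer.example", "iat": 1700000000, "exp": 1700003600, "sub": "app1"}

if __name__ == "__main__":
    good = make_token(HEADER, CLAIMS, ISSUERS["https://issuer.example"]["key-1"])
    print(validate_token(good, ISSUERS, user_claim="sub"))
    print(validate_token(make_token(HEADER, CLAIMS, b"wrong-secret"), ISSUERS))
```

The order of the checks matters for the code a caller sees: a token with an unsupported algorithm and a bad signature is reported as 109, not 106, because the signature is never computed; similarly a missing issuer configuration (111) is reported before a missing key ID (110), mirroring the lookup order the response text for those codes implies.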
Table 2. Error codes for token authentication configuration errors

Error code 201
Explanation: The queue manager is not configured for token authentication, or there is an error in the queue manager token authentication configuration. This error might be caused by one of the following problems:
  • The AuthToken stanza is not specified in the qm.ini file.
  • The AuthToken stanza is specified more than once in the qm.ini file.
  • A required attribute is not specified in the AuthToken stanza.
  • An invalid value is specified for an attribute in the AuthToken stanza.
Response: Specify a valid token authentication configuration in the AuthToken stanza of the qm.ini file. For more information about the AuthToken stanza, see AuthToken stanza of the qm.ini file. Issue the REFRESH SECURITY TYPE(CONNAUTH) MQSC command to bring changes to the queue manager's token authentication configuration into effect.

Error code 202
Explanation: The connection authentication configuration is incompatible with token authentication. For example, the queue manager is configured for LDAP authentication.
Response: Ensure that the queue manager connection authentication configuration is compatible with token authentication. The AUTHINFO object that is referenced by the queue manager's CONNAUTH attribute must be of type IDPWOS. Issue the REFRESH SECURITY TYPE(CONNAUTH) MQSC command to bring changes to the queue manager's connection authentication configuration into effect.

Error code 203
Explanation: An error occurred when accessing the key repository that is specified by the KeyStore attribute in the AuthToken stanza of the qm.ini file.
Response: Ensure that the KeyStore attribute of the AuthToken stanza specifies the path to a valid CMS or PKCS#12 key repository file, and that the mqm user has read permission for the file. For more information about setting access permissions for the key repository file, see Accessing and securing your key database files on AIX® and Linux® systems.
The queue manager must be able to access the key repository password in one of the following locations:
  • A file that contains the password, encrypted by using the runqmcred command. The path to the file that contains the encrypted password must be specified by using the KeyStorePwdFile attribute in the AuthToken stanza of the qm.ini file.
  • A stash file that is created at the same time as the key repository. If a stash file is used, it must be in the same directory as the key repository, have the same name as the key repository, and have the file extension .sth.
If the KeyStorePwdFile attribute is specified in the AuthToken stanza, it must specify the path to a file that contains a valid encrypted password. The stash file is not used if this attribute is specified.

Error code 204
Explanation: A certificate that is specified with the CertLabel attribute in the AuthToken stanza of the qm.ini file cannot be loaded from the key repository.
Response: Ensure that each CertLabel attribute in the AuthToken stanza of the qm.ini file references the correct label of a certificate or symmetric key in the key repository that is specified by using the KeyStore attribute. For more information about the AuthToken stanza that is used to configure token authentication, see AuthToken stanza of the qm.ini file.

Error code 205
Explanation: The queue manager's security policy configuration, which is specified by using the SecurityPolicy attribute in the Service stanza of the qm.ini file, is incompatible with token authentication. When the queue manager is configured for token authentication, the security policy is automatically set to UserExternal. However, the security policy cannot be changed if the SecurityPolicy attribute in the Service stanza of the qm.ini file is explicitly set to group.
Response: Remove the SecurityPolicy attribute from the Service stanza of the qm.ini file. For more information about the SecurityPolicy attribute, see SecurityPolicy.

Error code 206
Explanation: The queue manager's connection authentication configuration is set to adopt the context of authenticated users as the context for the connected application. However, the UserClaim attribute, which specifies the claim that contains the user ID in the authentication token, is not specified in the AuthToken stanza of the qm.ini file.
Response: To adopt a user that is specified in a claim in an authentication token as the context for the connected application, specify the name of the claim that contains the user ID to adopt in the UserClaim attribute in the AuthToken stanza of the qm.ini file. For more information about the UserClaim attribute, see UserClaim.
If you do not want to adopt a user that is specified in credentials supplied by a connecting application as the context for the application, alter the AUTHINFO object that is referenced by the queue manager's CONNAUTH attribute to specify ADOPTCTX(NO).
Issue the REFRESH SECURITY TYPE(CONNAUTH) MQSC command to bring changes to the queue manager's token authentication and connection authentication configuration into effect.

Error code 207
Explanation: The CertLabel attribute in the AuthToken stanza of the qm.ini file specifies more than the maximum number of certificate labels. Up to 32 certificate labels can be specified with the CertLabel attribute.
Response: Specify up to 32 certificate labels to be used for token authentication with the CertLabel attribute in the AuthToken stanza of the qm.ini file. Issue the REFRESH SECURITY TYPE(CONNAUTH) MQSC command to bring changes to the queue manager's token authentication configuration into effect.

Error code 208
Explanation: The file that contains the encrypted key repository password, which is specified with the KeyStorePwdFile attribute in the AuthToken stanza of the qm.ini file, cannot be read, or the contents of the file are invalid.
Response: Ensure that the key repository password file that is specified with the KeyStorePwdFile attribute in the AuthToken stanza of the qm.ini file exists. The mqm user must have read permission for the file, and the file must contain a single line of text that is the encrypted password output by the runqmcred command.

Error code 209
Explanation: An error occurred when accessing the stash file for the key repository that is specified by the KeyStore attribute in the AuthToken stanza of the qm.ini file.
Response: Ensure that a stash file is present for the key repository that is specified by the KeyStore attribute. It must be in the same directory as the key repository, have the same name as the key repository, and have the file extension .sth.
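A static check for the Table 2 conditions that can be detected by reading qm.ini alone (errors 201, 205, 206 and 207), written for this page and not part of IBM MQ. It parses the "Stanza:" / "   Attribute=Value" layout of qm.ini and reports findings as (error code, message) pairs. Assumptions: KeyStore and CertLabel are treated as the mandatory AuthToken attributes (see AuthToken stanza of the qm.ini file for the definitive list), multiple certificate labels are assumed to be written as a comma-separated list, the adoptctx flag stands in for ADOPTCTX(YES) on the AUTHINFO object referenced by CONNAUTH (which is not in qm.ini), and the sample configuration and its key repository path are constructed.

```python
import re

MAX_CERT_LABELS = 32  # Table 2, error 207
# Assumption: these are the attributes the AuthToken stanza must carry
REQUIRED_AUTHTOKEN_ATTRS = ("KeyStore", "CertLabel")


def parse_qmini(text):
    """Parse qm.ini's 'Stanza:' / '   Key=Value' layout into a list of
    (stanza_name, {attr: value}) pairs. Duplicate stanzas are kept so that a
    repeated AuthToken stanza can be reported (error 201)."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        m = re.fullmatch(r"(\w+):", line)
        if m:
            current = (m.group(1), {})
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1][key] = value
        else:
            raise ValueError(f"malformed qm.ini line: {raw!r}")
    return stanzas


def check_token_config(text, adoptctx=True):
    """Return [(error_code, message), ...] for the Table 2 conditions that can be
    checked without a running queue manager. adoptctx mirrors ADOPTCTX(YES) on
    the AUTHINFO object named by CONNAUTH, which lives outside qm.ini."""
    findings = []
    stanzas = parse_qmini(text)
    auth = [attrs for name, attrs in stanzas if name == "AuthToken"]
    if not auth:
        return [(201, "AuthToken stanza is not specified in qm.ini")]
    if len(auth) > 1:
        findings.append((201, f"AuthToken stanza is specified {len(auth)} times"))
    attrs = auth[0]
    for required in REQUIRED_AUTHTOKEN_ATTRS:
        if not attrs.get(required):
            findings.append((201, f"required attribute {required} is missing from the AuthToken stanza"))
    # Assumption: several labels are written as a comma-separated list
    labels = [lab for lab in (s.strip() for s in attrs.get("CertLabel", "").split(",")) if lab]
    if len(labels) > MAX_CERT_LABELS:
        findings.append((207, f"CertLabel names {len(labels)} labels; the maximum is {MAX_CERT_LABELS}"))
    for name, svc in stanzas:
        if name == "Service" and svc.get("SecurityPolicy", "").lower() == "group":
            findings.append((205, "Service stanza sets SecurityPolicy=group, which blocks the switch to UserExternal"))
    if adoptctx and not attrs.get("UserClaim"):
        findings.append((206, "ADOPTCTX(YES) is in effect but the AuthToken stanza has no UserClaim attribute"))
    return findings


# Constructed sample qm.ini fragment (not a real queue manager's configuration)
SAMPLE_QMINI = """\
# constructed sample
Service:
   SecurityPolicy=group
AuthToken:
   KeyStore=/var/mqm/qmgrs/QM1/ssl/jwtkeys.kdb
   CertLabel=issuer-a,issuer-b
"""

if __name__ == "__main__":
    for code, msg in check_token_config(SAMPLE_QMINI):
        print(code, msg)
```

Run against the constructed sample it reports 205 (the explicit SecurityPolicy=group) and 206 (no UserClaim while context adoption is on); passing adoptctx=False drops the 206 finding, which is the qm.ini-side view of the ADOPTCTX(NO) alternative the response text for 206 describes.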
Table 3. Error codes for an unexpected token authentication error

Error code 301
Explanation: An unexpected error occurred when processing the authentication token.
Response: Check for preceding error messages in the queue manager error log. Check for an FDC file that contains more detail about the problem. If the problem cannot be resolved, contact IBM support.
Table 4. Error codes for JWKS errors

Error code 401
Explanation: Data returned from the JWKS endpoint is not valid JSON.
Response: Ensure that the JWKS endpoint path is correct and that the data returned is a valid JSON document that contains JWKS key data.

Error code 402
Explanation: The remote file or URL was not found (HTTP 404 response).
Response: Ensure that the remote file that the JWKS endpoint URL points to is present and that the endpoint URL is valid.

Error code 403
Explanation: Certificate verification of the peer failed during the SSL/TLS handshake.
Response: Check for the AMQ5788 error message in the queue manager error log. This error message contains the reason for the certificate verification failure. Correct the error.

Error code 404
Explanation: Host verification failed: the certificate does not belong to the specified host.
Response: Ensure that the certificate presented by the authentication server includes the host name as configured in the endpoint URL.

Error code 405
Explanation: Generic communication error with the remote host.
Response: Ensure that communication with the remote host is possible. Check for preceding error messages in the queue manager error log. Check for an FDC file that contains more detail about the problem. If the problem cannot be resolved, contact IBM support.

Error code 406
Explanation: Initialization of the secure communication library failed.
Response: Review previous errors and contact IBM support for assistance if required.

Error code 407
Explanation: One or more of the required attributes is missing from the retrieved JWKS payload. The required attributes are use, alg, kid, n, and e.
Response: Check that the JWKS payload contains all of the required attributes listed.

Error code 408
Explanation: More than 32 certificates were returned in the JWKS payload. Any certificates after the first 32 are ignored.
Response: Ensure that the JWKS payload contains no more than 32 certificates.

Error code 409
Explanation: No certificates were returned in the JWKS payload.
Response: Ensure that the JWKS payload contains the certificates required to validate the JWT supplied by the client.

Error code 410
Explanation: The revocation status of the JWKS endpoint's SSL certificate is unknown.
Response: Ensure that the system hosting the revocation endpoint specified in the certificate is accessible by the queue manager.
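The payload-level checks from Table 4 (401, 407, 408 and 409) as a small function added for this page; it is not IBM MQ's code and says nothing about the transport errors 402 to 406 and 410, which depend on the HTTPS exchange rather than the document body. It takes the text returned by a JWKS endpoint and reports the first applicable code together with the keys that remain usable. Assumptions: a JWKS document is a JSON object with a "keys" array (the JWK Set layout), the 32-key limit is applied by keeping the first 32 entries as error 408 describes, and the sample payload and its key values are constructed placeholders, not real key material.

```python
import json

MAX_JWKS_KEYS = 32                                     # Table 4, error 408
REQUIRED_JWK_ATTRS = ("use", "alg", "kid", "n", "e")   # Table 4, error 407


def check_jwks_payload(body):
    """Apply the Table 4 payload checks to the text returned by a JWKS endpoint.
    Returns (error_code, detail, usable_keys). 0 means the payload is acceptable;
    408 means it was accepted but only the first MAX_JWKS_KEYS keys are kept."""
    try:
        doc = json.loads(body)
    except ValueError:
        return 401, "response body is not valid JSON", []
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        return 401, "JSON document does not contain a 'keys' array", []
    if not keys:
        return 409, "no certificates were returned in the JWKS payload", []
    retained = keys[:MAX_JWKS_KEYS]  # anything after the first 32 is ignored (408)
    for index, jwk in enumerate(retained):
        missing = [a for a in REQUIRED_JWK_ATTRS if not isinstance(jwk, dict) or a not in jwk]
        if missing:
            return 407, f"key {index} is missing required attributes {missing}", []
    if len(keys) > MAX_JWKS_KEYS:
        return 408, f"{len(keys)} keys returned; only the first {MAX_JWKS_KEYS} are used", retained
    return 0, "JWKS payload is usable", retained


# Constructed sample payload; "n" is a placeholder, not a real RSA modulus
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-1", "n": "placeholder-modulus", "e": "AQAB"},
]})

if __name__ == "__main__":
    print(check_jwks_payload(SAMPLE_JWKS)[:2])
    print(check_jwks_payload("<html>login page</html>")[:2])   # what a misconfigured endpoint often returns
```

The JSON check runs before anything else because an HTML error page or a redirect body is the usual cause of 401, and the "keys" array is checked for emptiness before individual entries so that an empty set reports 409 rather than a misleading 407.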
Table 5. Error codes for HTTPS errors

Error code 501
Explanation: The HTTPS key store file is not accessible.
Response: Ensure that an HTTPS key store file exists at the default location [QM data dir]/SSL/mqdefcer.p12, or at another location specified by HTTPSKeyStore in the SSL stanza of the qm.ini file. Confirm that the permissions of this file permit read access to the mqm user ID.

Error code 502
Explanation: The HTTPS stash file is not accessible.
Response: Ensure that an HTTPS key store stash file exists at the default location [QM data dir]/SSL/mqdefcer.sth, or at the equivalent location if HTTPSKeyStore is specified in the SSL stanza of the qm.ini file. Confirm that the permissions of this file permit read access to the mqm user ID.