IBM Support

IBM MQ AMS application failing or delayed when accessing an AMS-protected queue

Question & Answer


Question

Why is an IBM MQ AMS application failing or experiencing delays when accessing an AMS-protected queue?

Answer

This can be caused by the client, or the queue manager if it is doing MCA interception, being unable to reach the OCSP or CRL responders to validate the certificate(s) in use. This check is usually done through an HTTP call to addresses taken from the contents of the certificates being used.

Machines are often locked down and cannot access the OCSP/CRL responders.

The keystore.conf file has configuration options that let you specify a proxy host, if one is available, for reaching the HTTP OCSP/CRL responders.

If a proxy is available, add the following to the keystore.conf:

   ocsp.http.proxy.host=< OCSP_proxy >
   ocsp.http.proxy.port=< port_number >

CRL settings are described in the Knowledge Center (KC):
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q014850_.htm

OCSP settings are here in the KC:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q014820_.htm
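
To confirm this cause before changing keystore.conf, the following added example (not IBM's code) lists the OCSP and CRL URLs that a certificate names and probes them from the affected machine, directly or through a proxy. It assumes the certificate has been exported to a PEM file and that openssl and curl are installed; the function names and the example.test sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the OCSP/CRL URLs a certificate names and probe them.

# Constructed sample of `openssl x509 -noout -text` output, for a dry run:
#   printf '%s\n' "$SAMPLE" | revocation_urls
SAMPLE='        X509v3 extensions:
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.example.test/ca.crl
            Authority Information Access: 
                OCSP - URI:http://ocsp.example.test
                CA Issuers - URI:http://ca.example.test/ca.crt
            X509v3 Key Usage: critical
                Digital Signature'

# Read certificate text on stdin; print "OCSP <url>" and "CRL <url>" lines.
revocation_urls() {
  awk '
    { sub(/[ \t\r]+$/, "") }                       # strip trailing blanks / CR
    /CRL Distribution Points/      { in_crl = 1; next }
    /Authority Information Access/ { in_crl = 0 }
    /OCSP - URI:/                  { sub(/.*OCSP - URI:/, ""); print "OCSP " $0; next }
    in_crl && /URI:/               { sub(/.*URI:/, ""); print "CRL " $0; next }
    in_crl && /X509v3 /            { in_crl = 0 }   # next extension ends the CRL block
  '
}

# probe URL [proxy_host:port] -> prints "<http_code> <seconds>"; 000 = no answer.
probe() {
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null -m 10 -x "http://$2" -w '%{http_code} %{time_total}' "$1"
  else
    curl -s -o /dev/null -m 10 -w '%{http_code} %{time_total}' "$1"
  fi
}

# check_cert cert.pem [proxy_host:port]: probe every responder the cert names.
check_cert() {
  openssl x509 -in "$1" -noout -text | revocation_urls |
  while read -r kind url; do
    result=$(probe "$url" "${2:-}") || true        # curl exits non-zero on timeout
    case $result in
      000*|'') echo "$kind $url UNREACHABLE ($result)" ;;
      *)       echo "$kind $url reachable ($result)" ;;
    esac
  done
}
```

Any HTTP status other than 000 shows that the responder host answered; a result near the 10-second timeout matches the delay described above. Run `check_cert cert.pem` first, then `check_cert cert.pem proxyhost:port` with the values intended for ocsp.http.proxy.host and ocsp.http.proxy.port.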

If needed, you can disable these checks (revocation status is then no longer verified) by adding the following to your keystore.conf file:

   ocsp.enable=off
   crl.cdp=off

If you have similar issues with normal SSL channels, see the dwAnswers article:

Getting Delay or AMQ9716: Remote SSL certificate revocation status check failed when trying to start a MQ SSL channel, why?


Document Information

Modified date:
22 June 2020

UID

ibm16237080