[z/OS]

The message security policy utility (CSQ0UTIL)

The Advanced Message Security policy utility is provided to manage security policies that specify the cryptographic encryption and signature algorithms for encrypting and authenticating messages that flow through queues.

Using this utility program, you can display, define, alter, delete and export security policies.

The CSQ0UTIL utility program runs as a z/OS® batch utility that accepts SYSIN command input. Sample JCL to run the utility is provided in member CSQ40CFG of thlqual.SCSQPROC. 


--------------------------------------------------------------------------------
//CSQ40CFG JOB 1,CSQ0,CLASS=A,MSGCLASS=X
//CSQ40CFG EXEC PGM=CSQ0UTIL,
//        PARM='ENVAR("_CEE_ENVFILE_S=DD:ENVARS") /'
//STEPLIB  DD DSN=thlqual.SCSQANLE,DISP=SHR
//         DD DSN=thlqual.SCSQAUTH,DISP=SHR
//ENVARS   DD DSN=thlqual.SCSQPROC(CSQ40ENV),DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
dspmqspl -m qmgr
/*
--------------------------------------------------------------------------------
The utility accepts the following commands:
dspmqspl
Display or export information about one or more security policies.
setmqspl
Define, alter or remove a security policy
For information on how to use these commands to manage security policies see Managing security policies.

General usage notes

When specifying distinguished names (DNs) that have embedded blanks, you must enclose the entire DN in double quotes ("). For example: 

-a "CN=John Smith,O=IBM,C=US"
-r "CN=JSmith,O=IBM Australia,C=AU"

Arguments that would exceed column 80 of a SYSIN input record can be continued on subsequent SYSIN records provided those arguments are enclosed in double quotes ("), and relevant continuations resume in column 1 of subsequent SYSIN records.

When exporting policy information using dspmqspl with the -export parameter the output is written to an additional DD named EXPORT. The EXPORT DD can be SYSOUT=*, a sequential data set, or the member of a partitioned data set. The record format is fixed block and the logical record length is 80. The output is in the form of one or more setmqspl commands that can subsequently be used as input to CSQ0UTIL.

To use this utility you need connect authority to the queue manager and access to the queue SYSTEM.PROTECTION.POLICY.QUEUE. If command events have been enabled for the queue manager you need put authority to the queue SYSTEM.ADMIN.COMMAND.EVENT. If configuration events have been enabled for the queue manager you need put authority to the queue SYSTEM.ADMIN.CONFIG.EVENT.