MQIPT global properties

The following properties can appear only in the [global] section of mqipt.conf. All the route properties except ListenerPort, Destination, DestinationPort, Name, and OutgoingPort can also appear in the [global] section. If a property appears in both route and [global] sections, the value of the property in the [route] section overrides the global value, but only for the route in question. In this way, the [global] section can be used to establish the default values to be used for those properties not set in the individual [route] sections.

AccessPW

The password used to authenticate commands sent to the MQIPT command port using the mqiptAdmin command.

The value can be either a password that has been encrypted using the mqiptPW command, or a plain text password. Plain text passwords can only contain alphanumeric characters. You are strongly encouraged to encrypt passwords that are stored in the MQIPT configuration. For more information on encrypting passwords in the MQIPT configuration, see Encrypting stored passwords.

Authentication is performed for administrative commands received by the command port if both of the following conditions are true:

• The AccessPW property is specified and set to a value that is not blank.
• The RemoteCommandAuthentication property is specified and set to a value other than none.

CommandPort

The TCP/IP port number of the unsecured command port. MQIPT accepts administrative commands that are sent by the mqiptAdmin command to this command port.

Connections to the unsecured command port are not secured with TLS. Data sent to the command port, including the access password, might be accessed by other users of the network. To configure a command port that is secured with TLS, set the SSLCommandPort property instead.

If the CommandPort property is not specified, MQIPT does not listen for administrative commands on the unsecured command port. To use the default port number, 1881, used by default by the mqiptAdmin command, set CommandPort to 1881.

CommandPortListenerAddress

The local listener address to be used by the unsecured command port. By setting the local listener address you can restrict inbound connections to the unsecured command port to those from a particular network interface. The default is to listen on all network interfaces.

ConnectionLog

Either true or false. When true, MQIPT logs all connection attempts (successful or otherwise) in the logs subdirectory and disconnection events to the file mqiptYYYYMMDDHHmmSS.log (where YYYYMMDDHHmmSS are characters representing the current date and time). The default value of ConnectionLog is true. When this property is changed from true to false, MQIPT closes the existing connection log and creates a new one. The new log is used when the property is reset to true.

EnableAdvancedCapabilities

Set this property to true to confirm that advanced capabilities that require IBM® MQ Advanced, IBM MQ Appliance, IBM MQ Advanced for z/OS®, or IBM MQ Advanced for z/OS VUE entitlement can be used by MQIPT. If you have appropriate entitlement you can use the advanced capabilities in MQIPT. If advanced capabilities are enabled on a route, the local queue manager that is connected using the MQIPT route is also required to have IBM MQ Advanced, IBM MQ Appliance, IBM MQ Advanced for z/OS, or IBM MQ Advanced for z/OS VUE entitlement. Routes that use advanced capabilities cannot start unless this property is set to true. When this property is changed from true to false, routes that use advanced capabilities are stopped.

LocalAdmin

Specifies whether local administration without a command port is permitted. Administrative commands sent by the mqiptAdmin command using local administration instead of the command port, are not accepted if this property is set to false.

Valid values for this property are true and false. The default value is true.

MaxLogFileSize

The maximum size (specified in KB) of the connection log file. When the file size increases above this maximum a backup copy (mqipt001.log) is made, and a new file is started. Only two backup files are kept (mqipt001.log and mqipt002.log); each time the main log file fills up, any earlier backups are erased. The default value of MaxLogFileSize is 50; the minimum allowed value is 5.

RemoteCommandAuthentication

Specifies whether administrative commands received by the unsecured command port or TLS command port should be authenticated. Commands are authenticated by checking that the password supplied matches the password specified in the AccessPW property. The value can be one of the following values:

none

No authentication is performed on commands issued to either of the command ports. Users of the mqiptAdmin command do not need to enter a password. This is the default value.

optional

Users of the mqiptAdmin command are not required to provide a password. However, if a password is provided it must be valid.

required

Users of the mqiptAdmin command are required to provide a valid password with every command issued to the command ports.

The AccessPW property must also be specified to enable authentication for the command ports.

RemoteShutDown

Specifies whether MQIPT can be shut down by a stop command sent to the unsecured command port or the TLS command port by the mqiptAdmin command. This property must be set to true for stop commands received by either of the command ports to be processed.

Valid values for this property are true and false. The default value is false.

SecurityManager

Set this property to true to enable the Java security manager for this instance of MQIPT. You must ensure that the correct permissions are granted. See Java security manager for more information. The default value for this property is false.

This property is deprecated for removal in a future release.

SecurityManagerPolicy

The fully-qualified file name of a Java security manager policy file. If this property is not set then only the default system and user policy files are used. If the Java security manager is already enabled, then changes to this property have no effect until the Java security manager has been disabled and re-enabled.

This property is deprecated for removal in a future release.

SSLCommandPort

The TCP/IP port number of the TLS command port. MQIPT accepts administrative commands that are sent by the mqiptAdmin command to this command port. This port only accepts TLS connections. This property must be specified in order to enable the TLS command port.

SSLCommandPortCipherSuites

The name of the cipher suites to enable on the TLS command port. More than one cipher suite can be specified by separating the values with commas. Only TLS 1.2 and TLS 1.3 cipher suites that are enabled by default in the Java runtime environment (JRE) supplied with MQIPT can be specified. If this property is not specified, all cipher suites that are enabled in the JRE are enabled on the TLS command port.

SSLCommandPortListenerAddress

The local listener address to be used by the TLS command port. By setting the local listener address you can restrict inbound connections to the TLS command port to those from a particular network interface. The default is to listen on all network interfaces.

SSLCommandPortKeyRing

The name of the PKCS#12 key ring file that contains the TLS command port server certificate.

On Windows platforms, you must use a double backslash (\\) as the file separator.

SSLCommandPortKeyRingPW

The encrypted password to access the TLS command port key ring file or the PKCS #11 key store. The password must be encrypted using the mqiptPW command, and the value of this property set to the string output by mqiptPW.

SSLCommandPortKeyRingUseCryptoHardware

Specifies whether cryptographic hardware that supports the PKCS #11 interface is used as the key store for the TLS command port server certificate. Valid values for this property are true and false. If this property is set to true, the SSLCommandPortKeyRing cannot also be specified.

Use of cryptographic hardware in MQIPT is an IBM MQ Advanced feature. The EnableAdvancedCapabilities property must be set to true to confirm that you have IBM MQ Advanced entitlement.

SSLCommandPortProtocols

A comma-separated list of protocols to enable on the TLS command port. One or more of the following values can be specified.

Table 1. Permitted values for command port TLS protocols

Value	Protocol
TLSv1.2	TLS 1.2
TLSv1.3	TLS 1.3

In versions earlier than IBM MQ 9.2.5, if you do not specify this property, the only protocol enabled by default is TLS 1.2. From IBM MQ 9.2.5, if you do not specify this property, TLS 1.2 and TLS 1.3 are enabled by default.

SSLCommandPortSiteLabel

The label name of the server certificate used by the TLS command port. If this property is not specified, any certificate in the TLS command port key store that is compatible with the cipher suite is selected.

Trace

The level of trace for global MQIPT threads that are not associated with a route, and for routes that have no Trace property set. For example, the main MQIPT control thread and the command server threads are not associated with a route and are only traced if trace is enabled in the [global] section. The value of the Trace property in a [route] section overrides the global Trace property, for that route. For information about tracing threads associated with a route, see Trace in the [route] section.

The value of this property can be one of the following:

0

Trace is not enabled

Any positive integer

Trace is enabled

The default value is 0.

TraceFileCount

The number of trace files in the rotating set of files used by MQIPT to write trace data.

The minimum allowed value is 3. The default value is 25.

If you change the value of this property, the current trace file is closed, and the next file in the rotating set of trace files is opened.

TraceFileSize

The maximum size of the trace files produced by MQIPT, specified in MB.

The minimum allowed value is 1. The default value is 200.

If you change the value of this property, the current trace file is closed, and the next file in the rotating set of trace files is opened.