setmqspl (set security policy)
Use the setmqspl command to define a new security policy, replace an already existing one, or remove an existing policy.
Before you begin
- The queue manager on which you want to operate must be running.
- You must grant the necessary +connect, +inq, and +chg authorities, using the setmqaut command, so that you can connect to the queue manager and create a security policy.
For more information about configuring security, see Setting up security.
Syntax
Command flag | Explanation
---|---
-m | Queue manager name. This flag is mandatory for all actions on security policies.
-p | Policy name. Set the policy name to the name of the queue you want the policy to apply to.
-e | Digital encryption algorithm. Advanced Message Security supports the following encryption algorithms: RC2, DES, 3DES, AES128, AES256. The default value is NONE. Important:
-r | The distinguished name (DN) of the message recipient (if provided, the certificate pertaining to the DN is used to encrypt a given message). Recipients can be specified only if the encryption algorithm is different from NONE. Multiple recipients can be included for a message; each DN must be provided with a separate -r flag. Important:
-a | Signature DN that is validated during message retrieval. Only messages signed by a user with a provided DN are accepted during retrieval. Signature DNs can be specified only if the signature algorithm is different from NONE. Multiple authorized signers can be specified; each authorized signer needs a separate -a flag. Important: The attribute types in the DN must be in uppercase. Specify CN= rather than cn=. The attribute values in the DN are case sensitive so, for example,
-s | Digital signature algorithm. Advanced Message Security supports the following values: MD5, SHA1, SHA256, SHA384, and SHA512. All must be in uppercase. The default value is NONE. Important:
-t | The toleration flag indicates whether messages that do not meet the requirements of the policy can still be successfully browsed or retrieved by an application. Toleration can be useful, for example, when introducing a policy to a queue that already contains unprotected messages. Valid values include:
-c | The key reuse count can be provided as an integer from 1 through 9,999,999. Special values are: If you omit the -c parameter when defining a policy, a key reuse count of 0 is assumed for backwards compatibility with previous versions of Advanced Message Security and IBM WebSphere® MQ Extended Security Edition. Note that a non-zero key reuse count is only valid for a confidentiality policy. If you attempt to create or modify an integrity or privacy policy with a non-zero key reuse count, you receive error message AMQ9091: Key reuse is not valid for policy, and the policy operation fails.
-remove | Delete policy. Only the policy name flag, -p, is valid for use in combination with this flag.
Examples
The following commands define valid policies (an integrity policy, an integrity policy with an authorized signer, a privacy policy that signs and encrypts, and a confidentiality policy with a key reuse count of 50):
setmqspl -m QMGR -p PROT -s SHA256
setmqspl -m QMGR -p PROT -s SHA256 -a "CN=Alice, O=IBM, C=US"
setmqspl -m QMGR -p PROT -s SHA256 -e AES128 -a "CN=Alice, O=IBM, C=US" -r "CN=Bob, O=IBM, C=GB"
setmqspl -m QMGR -p PROT -e AES128 -r "CN=Bob, O=IBM, C=GB" -c 50
The following commands are rejected, for the reason given before each:
- No recipients specified:
  setmqspl -m QMGR -p PROT -e AES128
- Key reuse is not valid for an integrity policy:
  setmqspl -m QMGR -p PROT -s SHA256 -c 1
- Key reuse is not valid for a privacy policy:
  setmqspl -m QMGR -p PROT -s SHA256 -e AES128 -r "CN=Bob, O=IBM, C=GB" -c 1
On z/OS, you can use the setmqspl command with the CSQ0UTIL utility. For more information, see The message security policy utility (CSQ0UTIL).
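The constraints in the flag table (recipients only with an encryption algorithm, signers only with a signature algorithm, uppercase DN attribute types, non-zero key reuse only for a confidentiality policy, -remove combined only with -p) are easy to get wrong in a provisioning script, and a rejected policy leaves the queue unprotected. The following POSIX shell pre-flight check is an added example, not part of the IBM documentation or the setmqspl command: it classifies the policy the arguments would create and rejects the combinations the table says are invalid, without ever invoking setmqspl. The queue manager and DNs are the constructed values from the examples above; `spl_check` and `dn_attrs_upper` are names chosen here. Because the page's list of special key reuse values is not reproduced, the check accepts only 0 (the documented default) and 1 through 9,999,999.

```shell
#!/bin/sh
# Added example: pre-flight validation of setmqspl arguments (does not run setmqspl).
# Helper names (spl_check, dn_attrs_upper) are chosen for this example.

# dn_attrs_upper DN -> returns 0 if every attribute type (text before '=')
# in the comma-separated DN is uppercase, e.g. CN= rather than cn=
dn_attrs_upper() {
    _old_ifs=$IFS
    IFS=','
    for _comp in $1; do
        _attr=${_comp%%=*}
        case "$_attr" in
            *[[:lower:]]*) IFS=$_old_ifs; return 1 ;;
        esac
    done
    IFS=$_old_ifs
    return 0
}

# spl_check <setmqspl arguments>
# Prints the policy type (integrity, privacy, confidentiality, none, or remove)
# and returns 0; otherwise prints the reason on stderr and returns 1.
spl_check() {
    _qm='' _pol='' _sig=NONE _enc=NONE _reuse='' _signers=0 _recips=0 _remove=0
    while [ $# -gt 0 ]; do
        if [ "$1" = -remove ]; then _remove=1; shift; continue; fi
        [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 1; }
        case "$1" in
            -m) _qm=$2 ;;
            -p) _pol=$2 ;;
            -s) _sig=$2 ;;
            -e) _enc=$2 ;;
            -c) _reuse=$2 ;;
            -a) dn_attrs_upper "$2" || { echo "DN attribute types must be uppercase: $2" >&2; return 1; }
                _signers=$((_signers + 1)) ;;
            -r) dn_attrs_upper "$2" || { echo "DN attribute types must be uppercase: $2" >&2; return 1; }
                _recips=$((_recips + 1)) ;;
            *) echo "unknown flag: $1" >&2; return 1 ;;
        esac
        shift 2
    done
    [ -n "$_qm" ] || { echo "-m is mandatory" >&2; return 1; }
    [ -n "$_pol" ] || { echo "-p is mandatory" >&2; return 1; }

    # -remove: only the policy name (and the queue manager) may accompany it
    if [ "$_remove" -eq 1 ]; then
        if [ "$_sig" != NONE ] || [ "$_enc" != NONE ] || [ -n "$_reuse" ] \
           || [ "$_signers" -gt 0 ] || [ "$_recips" -gt 0 ]; then
            echo "-remove accepts only -p in combination" >&2; return 1
        fi
        echo remove; return 0
    fi

    # Algorithm names must be one of the documented, uppercase values
    case "$_sig" in
        NONE|MD5|SHA1|SHA256|SHA384|SHA512) ;;
        *) echo "unsupported signature algorithm: $_sig" >&2; return 1 ;;
    esac
    case "$_enc" in
        NONE|RC2|DES|3DES|AES128|AES256) ;;
        *) echo "unsupported encryption algorithm: $_enc" >&2; return 1 ;;
    esac

    # Signers need a signature algorithm; recipients need, and are needed by, encryption
    [ "$_signers" -eq 0 ] || [ "$_sig" != NONE ] || { echo "-a requires -s other than NONE" >&2; return 1; }
    [ "$_recips" -eq 0 ] || [ "$_enc" != NONE ] || { echo "-r requires -e other than NONE" >&2; return 1; }
    [ "$_enc" = NONE ] || [ "$_recips" -gt 0 ] || { echo "no recipients specified" >&2; return 1; }

    # Classify: sign+encrypt = privacy, sign only = integrity, encrypt only = confidentiality
    if [ "$_sig" != NONE ] && [ "$_enc" != NONE ]; then _type=privacy
    elif [ "$_sig" != NONE ]; then _type=integrity
    elif [ "$_enc" != NONE ]; then _type=confidentiality
    else _type=none
    fi

    # Key reuse: integer 0 or 1..9,999,999; non-zero only for a confidentiality policy
    if [ -n "$_reuse" ]; then
        case "$_reuse" in
            ''|*[![:digit:]]*) echo "-c must be an integer" >&2; return 1 ;;
        esac
        [ "$_reuse" -le 9999999 ] || { echo "-c out of range" >&2; return 1; }
        if [ "$_reuse" -ne 0 ] && [ "$_type" != confidentiality ]; then
            echo "AMQ9091: Key reuse is not valid for policy ($_type)" >&2; return 1
        fi
    fi
    echo "$_type"
}

# Demo with two of the page's commands: the first is accepted, the second rejected
spl_check -m QMGR -p PROT -e AES128 -r "CN=Bob, O=IBM, C=GB" -c 50
spl_check -m QMGR -p PROT -s SHA256 -c 1 || echo "rejected, as documented for an integrity policy"
```

Run the check with exactly the arguments you intend to pass to setmqspl; only when it prints a policy type should the real command be issued, and the printed type is worth recording alongside the queue name so that later changes to the policy are reviewed against what was intended.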