Creating security policies
Security policies define the way in which a message is protected when the message is put, or how a message must have been protected when a message is received.
Before you begin
- The queue manager must be running.
- The name of a security policy must follow Rules for naming IBM® MQ objects.
- You must have the necessary authority to connect to the queue manager and create a security policy. On z/OS®, grant the authorities documented in The message security policy utility (CSQ0UTIL). On platforms other than z/OS, you must grant the necessary +connect, +inq and +chg authorities using the setmqaut command. For more information about configuring security, see Setting up security.
- On z/OS, ensure the required system objects have been defined according to the definitions in CSQ4INSM.
Example
Here is an example of creating a policy on the queue manager QMGR. The policy specifies that messages be signed using the SHA1 algorithm and encrypted using the AES256 algorithm for certificates with DN: CN=joe,O=IBM,C=US and DN: CN=jane,O=IBM,C=US. This policy is attached to MY.QUEUE:
setmqspl -m QMGR -p MY.QUEUE -s SHA1 -e AES256 -r CN=joe,O=IBM,C=US -r CN=jane,O=IBM,C=US
Here is an example of creating a policy on the queue manager QMGR. The policy specifies that messages be encrypted using the DES algorithm for certificates with DNs: CN=john,O=IBM,C=US and CN=jeff,O=IBM,C=US, and signed with the MD5 algorithm for the certificate with DN: CN=phil,O=IBM,C=US:
setmqspl -m QMGR -p MY.OTHER.QUEUE -s MD5 -e DES -r CN=john,O=IBM,C=US -r CN=jeff,O=IBM,C=US -a CN=phil,O=IBM,C=US
Note:
- The quality of protection being used for the message put and get must match. If the policy quality of protection that is defined for the message is weaker than that defined for a queue, the message is sent to the error handling queue. This policy is valid for both local and remote queues.
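The example commands above use SHA1, MD5 and DES, which are weak choices for a new policy. The following Python script is an added example, not part of the IBM documentation: it parses setmqspl command lines using only the flags shown on this page and reports those algorithms. The weak-algorithm lists, the recipient check and the names parse_setmqspl and audit are assumptions of this example.

```python
import shlex

# Assumption of this example (not from the page): algorithms to reject in new policies.
WEAK_SIGN = {"MD5", "SHA1"}
WEAK_ENCRYPT = {"DES"}

# Sample input: the two setmqspl commands shown on this page.
COMMANDS = [
    "setmqspl -m QMGR -p MY.QUEUE -s SHA1 -e AES256 -r CN=joe,O=IBM,C=US -r CN=jane,O=IBM,C=US",
    "setmqspl -m QMGR -p MY.OTHER.QUEUE -s MD5 -e DES -r CN=john,O=IBM,C=US -r CN=jeff,O=IBM,C=US -a CN=phil,O=IBM,C=US",
]

def parse_setmqspl(command):
    """Parse the flags used on this page: -m, -p, -s, -e, and repeatable -r / -a."""
    tokens = shlex.split(command)
    if not tokens or tokens[0] != "setmqspl":
        raise ValueError("not a setmqspl command: %r" % command)
    args = tokens[1:]
    if len(args) % 2:
        raise ValueError("a flag is missing its value")
    policy = {"qmgr": None, "policy": None, "sign": None, "encrypt": None,
              "recipients": [], "signers": []}
    single = {"-m": "qmgr", "-p": "policy", "-s": "sign", "-e": "encrypt"}
    multi = {"-r": "recipients", "-a": "signers"}
    for flag, value in zip(args[0::2], args[1::2]):
        if flag in single:
            policy[single[flag]] = value
        elif flag in multi:
            policy[multi[flag]].append(value)
        else:
            raise ValueError("unsupported flag: %s" % flag)
    return policy

def audit(policy):
    """Return a list of findings for one parsed policy (empty list means none)."""
    findings = []
    if policy["sign"] and policy["sign"].upper() in WEAK_SIGN:
        findings.append("weak signature algorithm: " + policy["sign"])
    if policy["encrypt"] and policy["encrypt"].upper() in WEAK_ENCRYPT:
        findings.append("weak encryption algorithm: " + policy["encrypt"])
    if policy["encrypt"] and not policy["recipients"]:
        # Assumption: an encrypting policy with no -r recipient DN is a mistake.
        findings.append("encryption set but no recipient DN (-r)")
    return findings

if __name__ == "__main__":
    for cmd in COMMANDS:
        p = parse_setmqspl(cmd)
        print(p["qmgr"], p["policy"], audit(p) or "ok")
```

Run it over the setmqspl lines in deployment scripts before they are applied, so a weak policy is caught in review rather than after it is attached to a queue.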