[UNIX, Linux, Windows, IBM i]

SET POLICY (set security policy) on Multiplatforms

Use the MQSC command SET POLICY to set a security policy.

Using MQSC commands

For information on how you use MQSC commands, see Performing local administration tasks using MQSC commands.

Important: You must have an Advanced Message Security (AMS) license installed to issue this command. If you attempt to issue the SET POLICY command without an AMS license installed, you receive message AMQ7155 - License file not found or not valid.

SET POLICY

SET POLICY(policy-name)
    [SIGNALG(NONE | MD5 | SHA1 | SHA256 | SHA384 | SHA512)]
    [ENCALG(NONE | RC2 | DES | 3DES | AES128 | AES256)]
    [SIGNER(distinguished-name)] ...
    [RECIP(distinguished-name)] ...
    [ENFORCE | TOLERATE]
    [KEYREUSE(DISABLED | UNLIMITED | integer)]
    [ACTION(REPLACE | ADD | REMOVE)]

Parameter descriptions for SET POLICY

(policy-name)
Name of the policy, required.

The policy name must match the name of the queue that is to be protected.

SIGNALG
Specifies the digital signature algorithm from one of the following values:
  • NONE
  • MD5
  • SHA1
  • SHA256
  • SHA384
  • SHA512
The default value is NONE.
ENCALG
Specifies the digital encryption algorithm from one of the following values:
  • NONE
  • RC2
  • DES
  • 3DES
  • AES128
  • AES256
The default value is NONE.
RECIP (distinguished-name)
Specifies the distinguished name (DN) of a message recipient; the certificate that carries this DN is used to encrypt the message.
Notes:
  1. Attribute names in DNs must be provided in capital letters.
  2. Commas must be used as the name separator.
  3. You must specify at least one recipient if you use any encryption algorithm other than NONE.

You can specify multiple RECIP parameters on the same policy.

SIGNER (distinguished-name)
Specifies a signer DN that is validated when a message is retrieved. Only messages signed by a user with one of the listed DNs are accepted at retrieval.
Notes:
  1. Attribute names in DNs must be provided in capital letters.
  2. Commas must be used as the name separator.
  3. You can specify signer DNs only if you use a signature algorithm other than NONE.

You can specify multiple SIGNER parameters on the same policy.

ENFORCE
Specifies that all messages must be protected when retrieved from the queue.

Any unprotected message encountered is moved to the SYSTEM.PROTECTION.ERROR.QUEUE.

ENFORCE is the default value.

TOLERATE
Specifies that messages that are not protected can still be retrieved from the queue; the policy is not applied to them.
TOLERATE is optional and exists to facilitate staged implementation, where:
  • Policies have been applied to queues, but those queues might already contain unprotected messages, or
  • Queues might still receive messages from remote systems that do not yet have the policy set.
KEYREUSE
Specifies the number of times that an encryption key can be reused: an integer in the range 1-9999999, or one of the special values DISABLED or UNLIMITED.

This value is the maximum number of times a key can be reused, so a value of 1 means that at most two messages can use the same key.

DISABLED
Prevents a symmetric key from being reused.
UNLIMITED
Allows a symmetric key to be reused any number of times.

DISABLED is the default value.

Attention: Key reuse is valid only for CONFIDENTIALITY policies, that is, SIGNALG set to NONE and ENCALG set to an algorithm value. For all other policy types, you must omit the parameter, or set the KEYREUSE value to DISABLED.
ACTION
Specifies how the supplied parameters apply to any existing policy, using one of the following values:
REPLACE
Replaces any existing policy with the parameters supplied.
ADD
Adds signers and recipients to the existing policy. That is, if a signer or recipient is specified that does not already exist in the preexisting policy, that value is added to the policy definition.
REMOVE
Has the opposite effect of ADD. That is, if any of the specified signer or recipient values exist in the preexisting policy, those values are removed from the policy definition.

REPLACE is the default value.
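The following runmqsc session is an added example, not part of the IBM page, that exercises the parameters described above (SIGNALG/ENCALG, SIGNER/RECIP, ENFORCE/TOLERATE, KEYREUSE and ACTION) on three constructed queues. Queue names and DNs are placeholders; the DNs are quoted because MQSC strings containing commas must be enclosed in single quotation marks, and a trailing + continues a command on the next line.

```mqsc
* Constructed example policies (not from the original page). Queue names
* and DNs are placeholders. Lines starting with * are MQSC comments.

* 1. Integrity policy: messages on ORDERS.IN.QUEUE must carry a SHA256
*    signature from one of the listed signers. SHA256 is chosen over the
*    weaker MD5/SHA1 values. ENFORCE is the default, so any unsigned
*    message is moved to SYSTEM.PROTECTION.ERROR.QUEUE on retrieval.
SET POLICY(ORDERS.IN.QUEUE) +
    SIGNALG(SHA256) +
    ENCALG(NONE) +
    SIGNER('CN=order-app,O=example,C=US') +
    SIGNER('CN=batch-loader,O=example,C=US') +
    ENFORCE +
    ACTION(REPLACE)

* 2. Confidentiality policy: encrypt-only (SIGNALG NONE), so KEYREUSE is
*    permitted. AES256 is chosen over RC2/DES/3DES. KEYREUSE(100) means a
*    symmetric key may be reused 100 times, i.e. at most 101 messages
*    share one key. At least one RECIP is required because ENCALG != NONE.
SET POLICY(PAYMENTS.OUT.QUEUE) +
    SIGNALG(NONE) +
    ENCALG(AES256) +
    RECIP('CN=payments-svc,O=example,C=US') +
    KEYREUSE(100) +
    ENFORCE

* 3. Privacy policy (sign and encrypt) rolled out in stages: TOLERATE lets
*    existing unprotected messages, and messages from remote systems that
*    do not yet have the policy, still be retrieved. KEYREUSE is omitted
*    (defaults to DISABLED) because the policy is not confidentiality-only.
SET POLICY(HR.RECORDS.QUEUE) +
    SIGNALG(SHA384) +
    ENCALG(AES256) +
    SIGNER('CN=hr-portal,O=example,C=US') +
    RECIP('CN=hr-archive,O=example,C=US') +
    RECIP('CN=hr-audit,O=example,C=US') +
    TOLERATE

* 3a. Grant a new recipient without retyping the whole policy: ACTION(ADD)
*     adds the RECIP to the existing definition. The algorithm parameters
*     are repeated with the values already in force so the command is
*     safe whichever other parameters the ADD action carries over.
SET POLICY(HR.RECORDS.QUEUE) +
    SIGNALG(SHA384) +
    ENCALG(AES256) +
    RECIP('CN=hr-analytics,O=example,C=US') +
    ACTION(ADD)

* 3b. Revoke that recipient again with ACTION(REMOVE).
SET POLICY(HR.RECORDS.QUEUE) +
    SIGNALG(SHA384) +
    ENCALG(AES256) +
    RECIP('CN=hr-analytics,O=example,C=US') +
    ACTION(REMOVE)

* 3c. Once every producer is protected, switch to ENFORCE by replacing the
*     whole policy (REPLACE is the default ACTION, shown here explicitly).
SET POLICY(HR.RECORDS.QUEUE) +
    SIGNALG(SHA384) +
    ENCALG(AES256) +
    SIGNER('CN=hr-portal,O=example,C=US') +
    RECIP('CN=hr-archive,O=example,C=US') +
    RECIP('CN=hr-audit,O=example,C=US') +
    ENFORCE +
    ACTION(REPLACE)

* Verify what is now in force before relying on it.
DISPLAY POLICY(HR.RECORDS.QUEUE)
```

Two points worth checking after running such a script: DISPLAY POLICY should show the signer and recipient lists you expect after each ADD or REMOVE, and SYSTEM.PROTECTION.ERROR.QUEUE should be monitored once a policy is switched to ENFORCE, because that is where any remaining unprotected traffic lands.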