setmqspl (set security policy)
Use the setmqspl command to define a new security policy, alter an already existing one, or remove an existing policy.
|-m||Queue manager name.
This flag is mandatory for all actions on security policies.
|-p||Set the policy name to the name of the queue you want the policy to apply to.
|-e||Digital encryption algorithm.
Advanced Message Security supports the following encryption algorithms: RC2, DES, 3DES, AES128, AES256. The default value is NONE.
Important: The name of the encryption algorithm must be provided in uppercase.
|-r||The distinguished name (DN) of the message recipient. If provided, the
certificate pertaining to the DN is used to encrypt a given message. Recipients can be specified
only if the encryption algorithm is different from NONE. Multiple recipients can be
included for a message. Each DN must be provided with a separate -r flag.
|-a||Signature DN that is validated during message retrieval. Only messages signed
by a user with a provided DN are accepted during retrieval. Signature DNs can be specified only
if the signature algorithm is different from NONE. Multiple authorized signers can
be specified; each authorized signer needs a separate -a flag.
Important: The attribute in the DN name must be in uppercase. Specify
The attribute values in the DN are case sensitive so, for
|-s||Digital signature algorithm.
Advanced Message Security supports the following values: MD5, SHA1, SHA256, SHA384, and SHA512. All must be in uppercase. The default value is NONE.
|-t||The toleration flag indicates whether messages that do not meet the
requirements of the policy can still be successfully browsed or retrieved by an application.
Toleration can be useful, for example, when introducing a policy to a queue that already contains
unprotected messages. Valid values include:
|-c||The key reuse count can be provided as an integer from 1 through 9,999,999.
Special values are:
If you omit the -c parameter when defining a policy, a key reuse count of 0 is assumed for backwards compatibility with previous versions of Advanced Message Security and IBM WebSphere® MQ Extended Security Edition.
Only the policy name flag, -p, is valid for use in combination with this flag.
setmqspl -m QMGR -p PROT -s SHA256
setmqspl -m QMGR -p PROT -s SHA256 -a "CN=Alice, O=IBM, C=US"
setmqspl -m QMGR -p PROT -s SHA256 -e AES128 -a "CN=Alice, O=IBM, C=US" -r "CN=Bob, O=IBM, C=GB"
setmqspl -m QMGR -p PROT -e AES128 -r "CN=Bob, O=IBM, C=GB" -c 50
- No recipients
setmqspl -m QMGR -p PROT -e AES128
- Key reuse not valid for an
setmqspl -m QMGR -p PROT -s SHA256 -c 1
- Key reuse is not valid for a
setmqspl -m QMGR -p PROT -s SHA256 -e AES128 -r "CN=Bob, O=IBM, C=GB" -c 1
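The flag constraints and the valid and invalid commands above, expressed as a pre-flight check for policy scripts. This is an added example, not IBM code: the function name check_setmqspl is hypothetical, the key reuse rule is inferred from the two invalid examples that combine -c with -s, and only the flags listed in opts are handled.

```python
import shlex

ENC = {"NONE", "RC2", "DES", "3DES", "AES128", "AES256"}
SIG = {"NONE", "MD5", "SHA1", "SHA256", "SHA384", "SHA512"}

def check_setmqspl(cmdline):
    """Return the problems found in a setmqspl command line (empty list = OK)."""
    tokens = shlex.split(cmdline)
    if not tokens or tokens[0] != "setmqspl":
        return ["not a setmqspl command"]
    opts = {"-m": [], "-p": [], "-e": [], "-s": [], "-r": [], "-a": [], "-c": []}
    args = tokens[1:]
    if len(args) % 2:
        return ["every flag handled here takes exactly one value"]
    for flag, value in zip(args[::2], args[1::2]):
        if flag not in opts:
            return [f"flag {flag} is not covered by this checker"]
        opts[flag].append(value)
    problems = []
    if not opts["-m"]:
        problems.append("-m (queue manager name) is mandatory")
    enc = opts["-e"][-1] if opts["-e"] else "NONE"   # default is NONE
    sig = opts["-s"][-1] if opts["-s"] else "NONE"   # default is NONE
    if enc not in ENC:
        problems.append(f"-e {enc}: not a supported algorithm name in uppercase")
    if sig not in SIG:
        problems.append(f"-s {sig}: not a supported algorithm name in uppercase")
    if opts["-r"] and enc == "NONE":
        problems.append("-r requires an encryption algorithm other than NONE")
    if enc != "NONE" and not opts["-r"]:
        problems.append("encryption is set but no recipients (-r) are given")
    if opts["-a"] and sig == "NONE":
        problems.append("-a requires a signature algorithm other than NONE")
    for dn in opts["-r"] + opts["-a"]:
        # Simplified DN split: escaped commas inside values are not handled.
        attrs = [part.split("=")[0].strip() for part in dn.split(",")]
        if any(a != a.upper() for a in attrs):
            problems.append(f"DN attribute names must be uppercase: {dn}")
    for count in opts["-c"]:
        # 0 is the documented default; other special values are not handled.
        if not count.isdigit() or not 0 <= int(count) <= 9999999:
            problems.append(f"-c {count}: outside the documented integer range")
        elif int(count) > 0 and sig != "NONE":
            problems.append("key reuse (-c) is rejected when a signature algorithm is set")
    return problems

if __name__ == "__main__":
    # Command lines taken from the examples on this page.
    for cmd in ("setmqspl -m QMGR -p PROT -e AES128",
                "setmqspl -m QMGR -p PROT -s SHA256 -c 1"):
        print(cmd, "->", check_setmqspl(cmd))
```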
On z/OS®, you can use the setmqspl command with the CSQ0UTIL utility. For more information, see The message security policy utility (CSQ0UTIL).