Set MQM Security Policy (SETMQMSPL)
- Where allowed to run
- All environments (*ALL)
- Threadsafe
- Yes
The Set MQM Security Policy (SETMQMSPL) command sets the security policies that IBM® MQ Advanced Message Security uses to control how messages are protected when they are put to, browsed on, or destructively removed from queues.
A policy applies digital signing and encryption protection to messages on the queue whose name matches the policy name.
Parameters
Keyword | Description | Choices | Notes |
---|---|---|---|
POLICY | Policy name | Character value | Required, Key, Positional 1 |
MQMNAME | Message Queue Manager name | Character value, *DFT | Required, Key, Positional 2 |
SIGNALG | Signing algorithm | *NONE, *MD5, *SHA1, *SHA256, *SHA384, *SHA512 | Optional, Positional 3 |
ENCALG | Encryption algorithm | *NONE, *RC2, *DES, *TRIPLEDES, *AES128, *AES256 | Optional, Positional 4 |
SIGNER | Authorized signers | *NONE, Character value | Optional, Positional 5 |
RECIP | Intended recipients | *NONE, Character value | Optional, Positional 6 |
TOLERATE | Tolerate unprotected | *NO, *YES | Optional, Positional 7 |
REMOVE | Remove policy | *NO, *YES | Optional, Positional 8 |
Policy name (POLICY)
Specifies the name of the policy. This parameter is required.
The policy name must match the name of the queue that is to be protected.
Message Queue Manager name (MQMNAME)
The name of the queue manager.
The possible values are:
- *DFT
- Use the default queue manager.
- queue-manager-name
- The name of an existing message queue manager. The maximum string length is 48 characters.
Signing algorithm (SIGNALG)
Specifies the digest algorithm used to sign messages that are put to the queue, and to verify signatures when messages are retrieved.
The possible values are:
- *NONE
- Messages are not signed.
- *MD5
- Messages are signed using the MD5 message digest algorithm.
- *SHA1
- Messages are signed using the SHA-1 secure hash algorithm.
- *SHA256
- Messages are signed using the SHA-256 secure hash algorithm.
- *SHA384
- Messages are signed using the SHA-384 secure hash algorithm.
- *SHA512
- Messages are signed using the SHA-512 secure hash algorithm.
MD5 and SHA-1 are no longer considered collision resistant; select *SHA256 or stronger for new policies.
Encryption algorithm (ENCALG)
Specifies the cipher used to encrypt message data for the intended recipients (RECIP).
The possible values are:
- *NONE
- Messages are not encrypted.
- *RC2
- Messages are encrypted using the RC2 Rivest Cipher algorithm.
- *DES
- Messages are encrypted using the DES Data Encryption Standard algorithm.
- *TRIPLEDES
- Messages are encrypted using the Triple DES Data Encryption Standard algorithm.
- *AES128
- Messages are encrypted using the AES 128-bit key Advanced Encryption Standard algorithm.
- *AES256
- Messages are encrypted using the AES 256-bit key Advanced Encryption Standard algorithm.
RC2, DES, and Triple DES are legacy ciphers; select *AES128 or *AES256 for new policies.
Authorized signers (SIGNER)
Specifies a list of X.500 distinguished names representing the authorized message signers that are checked when a message is browsed or destructively removed from the queue. If an authorized signer list is specified, only messages that are signed with a certificate identified in the list are accepted during message retrieval, even if the recipient keystore can otherwise verify the message signer.
This parameter is valid only when a signing algorithm (SIGNALG) other than *NONE has also been specified.
Note that distinguished names are case sensitive, and it is important that you enter each distinguished name exactly as it appears in the digital certificate.
- *NONE
- When handling signed messages, beyond checking the validity of the signer's certificate, the policy does not restrict the identity of the message signer when retrieving messages.
- <x500-distinguished-name>
- When handling signed messages, beyond checking certificate validity, the message must have been signed by a certificate matching one of the distinguished names.
Intended recipients (RECIP)
Specifies a list of X.500 distinguished names representing the intended recipients that are used when putting an encrypted message to the queue. If the policy specifies an encryption algorithm (ENCALG), at least one recipient distinguished name must be specified.
This parameter is valid only when an encryption algorithm (ENCALG) other than *NONE has also been specified.
Note that distinguished names are case sensitive, and it is important that you enter each distinguished name exactly as it appears in the digital certificate.
- *NONE
- Messages are not encrypted.
- <x500-distinguished-name>
- When putting messages, the message data is encrypted so that each listed distinguished name is an intended recipient. Only the listed recipients are able to retrieve and decrypt the message.
Tolerate unprotected (TOLERATE)
Specifies whether messages that are not protected can still be browsed or destructively removed from the queue. This parameter can be used to introduce a security policy gradually, allowing messages that were put before the policy was introduced to be processed. Because it also allows a message put by any unprotected producer to be consumed, set it back to *NO once the migration is complete.
- *NO
- Messages that do not conform to the current policy are not returned to applications.
- *YES
- Messages that have not been protected are allowed to be retrieved by applications.
Remove policy (REMOVE)
Specifies whether the policy is being created or removed.
- *NO
- The policy is created for the named queue.
- *YES
- The existing policy for the named queue is removed.
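The following is an added example, not IBM code or part of this reference page: a small Python helper that builds SETMQMSPL command strings and checks them against the parameter rules documented above before they are run on the IBM i system. The queue name, queue manager name, and distinguished names are constructed for illustration; the rules it enforces (SIGNER only with a signing algorithm, RECIP only with an encryption algorithm, at least one RECIP when encrypting, MQMNAME limited to 48 characters) and the flagging of MD5, SHA-1, RC2, DES, Triple DES and TOLERATE(*YES) as review points are taken from this page.

```python
"""Build and sanity-check SETMQMSPL command strings before running them on IBM i.

Added example, not IBM code. It encodes the parameter rules the SETMQMSPL
reference documents and emits the CL command text. Queue names, queue manager
names and distinguished names used below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List

SIGN_ALGS = {"*NONE", "*MD5", "*SHA1", "*SHA256", "*SHA384", "*SHA512"}
ENC_ALGS = {"*NONE", "*RC2", "*DES", "*TRIPLEDES", "*AES128", "*AES256"}
# Accepted by the command but worth a review question on any new policy.
LEGACY = {"*MD5", "*SHA1", "*RC2", "*DES", "*TRIPLEDES"}


class PolicyError(ValueError):
    """Raised for a parameter combination the command itself would reject."""


def cl_quote(value: str) -> str:
    """Render a CL string literal: single quotes, embedded quotes doubled."""
    return "'" + value.replace("'", "''") + "'"


@dataclass
class AmsPolicy:
    policy: str                 # must equal the name of the queue being protected
    mqmname: str = "*DFT"
    signalg: str = "*NONE"
    encalg: str = "*NONE"
    signers: List[str] = field(default_factory=list)   # SIGNER distinguished names
    recips: List[str] = field(default_factory=list)    # RECIP distinguished names
    tolerate: bool = False                             # TOLERATE(*YES) if True

    def validate(self) -> List[str]:
        """Raise PolicyError on an invalid combination; return a list of warnings."""
        warnings: List[str] = []
        if self.signalg not in SIGN_ALGS:
            raise PolicyError(f"unknown SIGNALG value {self.signalg}")
        if self.encalg not in ENC_ALGS:
            raise PolicyError(f"unknown ENCALG value {self.encalg}")
        if self.signers and self.signalg == "*NONE":
            raise PolicyError("SIGNER is valid only when SIGNALG is not *NONE")
        if self.recips and self.encalg == "*NONE":
            raise PolicyError("RECIP is valid only when ENCALG is not *NONE")
        if self.encalg != "*NONE" and not self.recips:
            raise PolicyError("an encryption policy needs at least one RECIP")
        if self.mqmname != "*DFT" and len(self.mqmname) > 48:
            raise PolicyError("MQMNAME is limited to 48 characters")
        for alg in (self.signalg, self.encalg):
            if alg in LEGACY:
                warnings.append(f"{alg} is a legacy algorithm")
        if self.tolerate:
            warnings.append("TOLERATE(*YES) allows unprotected messages to be retrieved")
        for dn in self.signers + self.recips:
            # DNs are matched exactly against the certificate, so stray
            # whitespace silently turns into a non-matching signer/recipient.
            if dn != dn.strip():
                warnings.append(f"distinguished name has surrounding whitespace: {dn!r}")
        return warnings

    def to_cl(self, remove: bool = False) -> str:
        """Render the SETMQMSPL command for creating (or removing) this policy."""
        if remove:
            return f"SETMQMSPL POLICY({self.policy}) MQMNAME({self.mqmname}) REMOVE(*YES)"
        self.validate()  # refuse to emit a command the system would reject
        signer = " ".join(cl_quote(d) for d in self.signers) or "*NONE"
        recip = " ".join(cl_quote(d) for d in self.recips) or "*NONE"
        return (
            f"SETMQMSPL POLICY({self.policy}) MQMNAME({self.mqmname}) "
            f"SIGNALG({self.signalg}) ENCALG({self.encalg}) "
            f"SIGNER({signer}) RECIP({recip}) "
            f"TOLERATE({'*YES' if self.tolerate else '*NO'})"
        )


if __name__ == "__main__":
    # Constructed example: sign with SHA-256, encrypt with AES-256, one signer, one recipient.
    pol = AmsPolicy(
        policy="PAYMENTS.REQUEST", mqmname="QM1",
        signalg="*SHA256", encalg="*AES256",
        signers=["CN=requester,O=Example,C=GB"],
        recips=["CN=payments,O=Example,C=GB"],
    )
    for w in pol.validate():
        print("warning:", w)
    print(pol.to_cl())
    print(pol.to_cl(remove=True))
```

The helper deliberately refuses to render a command for a combination the page says is invalid, and only warns (rather than refusing) on legacy algorithms and TOLERATE(*YES), since both are legitimate during a migration and the decision belongs with the reviewer.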