setmqspl

Use the setmqspl command to define a new security policy, replace an already existing one, or remove an existing policy.

Syntax

Read syntax diagramSkip visual syntax diagram setmqspl -m QMgrName -pPolicyName Policy definition-remove
Policy definition
Read syntax diagramSkip visual syntax diagram -e NONERC21DES3DESAES128AES256 -rRecipientDN-aAuthorDN2 -s NONEMD5SHA1SHA256SHA384SHA512 -t01
Notes:
  • 1 If an encryption algorithm is selected, a recipient DN must also be provided.
  • 2 If an author DN is provided, a signing algorithm must also be selected.
Table 1. setmqspl command flags.
Command flag Explanation
-m Queue manager name.

This flag is mandatory for all actions on security policies.

-p Policy name.

Set the policy name to the name of the queue you want the policy to apply to.

-s Digital signature algorithm.

IBM® MQ Advanced Message Security supports the following values: MD5, SHA1, SHA256, SHA384, and SHA512. All must be in uppercase. The default value is NONE

Important:
  • For the SHA384 and SHA512 cryptographic hash functions, keys used for signing must be longer than 768 bits.
  • The name, or names, of the encryption algorithms must be in uppercase.
  • The signature algorithm cannot be NONE if the encryption algorithm is different from NONE.
-e Digital encryption algorithm.

IBM MQ Advanced Message Security supports the following encryption algorithms: RC2, DES, 3DES, AES128, AES256. The default value is NONE.

Important:
  • The name of the encryption algorithm must be provided in uppercase
  • [z/OS]On z/OS® encryption algorithm RC2 is not supported for confidentiality policies.
-r The distinguished name (DN) of the message recipient (if provided, the certificate pertaining to the DN is used to encrypt a given message). Recipients can be specified, only if the encryption algorithm is different from NONE. Multiple recipients can be included for a message. Each DN must be provided with a separate -r flag.
Important:
  • DN attribute names must be in uppercase.
  • Commas must be used as a name separators.
  • To avoid command interpreter errors, place quotation marks around the DNs.
For example: 

-r "CN=alice, O=ibm, C=US"
-a Signature DN that is validated during message retrieval. Only messages signed by a user with a DN provided are accepted during the retrieval. Signature DNs can be specified only if the signature algorithm is different from NONE. Multiple authors can be included. Each author needs to have a separate -a flag.
Important: DN attribute name must be in uppercase.
-t Toleration flag that indicates whether a policy that is associated with a queue can be ignored when an attempt to retrieve a message from the queue involves a message with no security policy set. Valid values include:
  • 0 (default)
    Toleration flag off.
  • 1
    Toleration flag on.
Toleration is optional and facilitates staged implementation, where policies were applied to queues but those queues may already contain messages that have no policy, or still receive messages from remote systems that do not have the security policy set.
-remove Delete policy.

If specified, only the -p flag remains valid.