setfspass (manage encrypted file system passphrases)

Manage the passphrase for an encrypted file system, or schedule a system file system to be encrypted or decrypted.

Purpose

You can encrypt file systems on the appliance. Each encrypted file system has a passphrase that is required to access it. The passphrase for each encrypted file system is stored on the internal encrypted flash device so that the firmware can mount the file system without prompting. The setfspass command is used to perform the following actions:
  • Store the passphrase that is required to access an encrypted file system, such as for a secondary queue manager instance in a disaster recovery (DR) configuration.
  • Clear a stored passphrase if it is not required, or to prevent access to an encrypted file system until the passphrase is stored again.
  • Update a passphrase if an existing one is exposed, or if a security policy requires the passphrase to be changed regularly.
  • Schedule the encryption or decryption of a system file system when the appliance next restarts, or cancel a scheduled action.
Note: A queue manager file system is optionally encrypted when the queue manager is created, with the passphrase specified on creation. See crtmqm (create queue manager).

Syntax

For a queue manager file system:
  setfspass -m QMgrName { -u [-p Passphrase -n NewPassphrase] | -s [-p Passphrase] | -c }
For a system file system:
  setfspass -f SystemFilestore { -u [-p Passphrase -n NewPassphrase] | -s [-p Passphrase] | -c | -e [-p Passphrase] | -d [-p Passphrase] | -x }
Notes:
  • -p is not available for use with -c or -x
  • -n is only available for use with -u

Parameters

-m QMgrName
Specifies the queue manager whose file system the passphrase operation applies to.
-f SystemFilestore
Specifies the system file system that the passphrase operation applies to. Specify one of the following values:
root
The IBM® MQ root file system, which is equivalent to /var/mqm on Linux and UNIX platforms (it includes the user and key repository backups in mqbackup:///). The root file system does not contain queue manager data; each queue manager has its own file system.
backup
The IBM MQ queue manager backup file system that is created by createbackupfs (mqbackup:///QMgrs).
diag
The IBM MQ diagnostics file system (mqdiag:///)
errors
The IBM MQ errors file system (mqerr:///). This file system contains system logs and FDC data, but not queue manager logs; queue manager logs are held in the queue manager file system.
trace
The IBM MQ trace file system (mqtrace:///)
-u [-p passphrase -n NewPassphrase]
Use with the -m or -f parameter to update the passphrase for the specified queue manager file system or system file system. You can either specify the existing passphrase and the new passphrase on the command line by using the -p and -n parameters, or be prompted for these values when you run the command. The file system passphrase is updated and the new passphrase is automatically stored on the appliance. In an HA configuration the new passphrase is also stored on the secondary appliance if it is available; if the secondary appliance is not available at the time, store the new passphrase on it with -s once it is back.
-s [-p passphrase]
Use with the -m or -f parameter to specify that a passphrase for the specified queue manager file system or system file system is stored on the appliance. You can either specify the passphrase on the command line by using the -p parameter, or be prompted for that value when you run the command. In an HA configuration this action only applies to the local appliance.
-c
Use with the -m or -f parameter to specify that the stored passphrase for the specified queue manager file system or system file system is cleared. You must confirm that you want to clear the passphrase when you run the command. Clearing a passphrase does not remove the requirement for an encrypted file system to have a passphrase; it only removes the copy that is stored on the internal flash device and that the appliance uses when it needs to mount the file system. Until the passphrase is stored again with -s, the file system cannot be mounted. In an HA configuration this action only applies to the local appliance.
-e [-p passphrase]
Use with the -f parameter to specify that a system file system should be scheduled for encryption when the appliance next restarts. You can either specify the passphrase on the command line by using the -p parameter, or be prompted for that value when you run the command.
-d [-p passphrase]
Use with the -f parameter to specify that a system file system should be scheduled for decryption when the appliance next restarts. You can either specify the existing passphrase on the command line by using the -p parameter, or be prompted for that value when you run the command.
-x
Use with the -f parameter to specify that the scheduled encryption or decryption for the system file system should be canceled.

Usage notes

  • This command must be run from the IBM MQ administration mode. If the system is in the IBM MQ administration mode, the prompt includes mq. To enter the IBM MQ administration mode, enter mqcli on the command line. To exit the IBM MQ administration mode, enter exit on the command line.
  • Where possible, omit -p and -n and enter the passphrases at the prompt, so that they are not left in a script, command history or session transcript.

Examples

The following example updates an existing passphrase for the file system for queue manager QM1:
setfspass -m QM1 -u -p Apples_and_pears -n Oranges_are_better
The following example stores the passphrase aa12Ux18gg51 on the appliance for the queue manager DRQM2:
setfspass -m DRQM2 -s -p aa12Ux18gg51
The following example schedules the encryption of the errors system file system, prompting for the passphrase rather than taking it from the command line:
setfspass -f errors -e
Enter file system passphrase:
The following example clears the stored passphrase for the diag system file system:
setfspass -f diag -c