Scheduling decryption for system file systems

You can decrypt IBM® MQ file systems on the appliance that have previously been encrypted.

About this task

IBM MQ uses certain file systems on the appliance:
root
    The IBM MQ root file system, which is equivalent to /var/mqm on Linux and UNIX platforms (includes user and key repository backups in mqbackup:///)
backup
    The IBM MQ queue manager backup file system that is created by createbackupfs (mqbackup:///QMgrs)
diag
    The IBM MQ diagnostics file system (mqdiag:///)
errors
    The IBM MQ errors file system (mqerr:///)
trace
    The IBM MQ trace file system (mqtrace:///)

You can schedule any or all of the root, diag, errors, and trace file systems to be decrypted when the appliance next restarts. (You cannot decrypt the backup file system by using this method. This file system is intended for transitory use, with backup files copied off the appliance. If you have encrypted the backup file system, you can delete it by using the deletebackupfs command and then use createbackupfs to re-create it as an unencrypted file system.)

Procedure

  1. Enter the IBM MQ administration mode by entering the following command:
    mqcli
  2. Specify that a file system is scheduled for decryption by entering the following command:
    setfspass -f file_system -d [-p passphrase] 
    Where file_system is one of root, diag, errors, or trace and passphrase is between 1 and 512 characters. If you do not specify a passphrase as part of the command, you are prompted for a passphrase when you run the command. You should keep a copy of the passphrase somewhere safe.
  3. If you change your mind about decrypting a file system before the appliance next restarts, you can cancel the scheduled decryption by entering the following command:
    setfspass -x -f file_system
  4. You can check that the file system has been scheduled for decryption by using the status command:
    status
    Check that the file system has the status decryption pending.
  5. After the appliance restarts, you can check that the file system has been decrypted by using the status command:
    status
    Check that the file system does not have the encrypted status.