Working with agent sandboxes
To add an additional level of security to WebSphere® MQ Managed File Transfer, you can restrict the area of a file system that an agent can access.
You cannot use agent sandboxing for agents that transfer to or from IBM® WebSphere MQ queues. To restrict access to IBM WebSphere MQ queues, use user sandboxing instead, which is the recommended solution for any sandboxing requirements. For more information about user sandboxing, see Working with user sandboxes.
sandboxRoot=[!]restricted_directory_name<separator>...<separator>[!]restricted_directory_name

where:

restricted_directory_name is a directory path to be allowed or denied.

! is optional and specifies that the following value for restricted_directory_name is denied (excluded). If ! is not specified, restricted_directory_name is an allowed (included) path.

<separator> is the platform-specific separator.
For example, if you want to restrict the access that AGENT1 has to the /tmp directory only, but not allow the subdirectory private to be accessed, set the property as follows in the agent.properties file belonging to AGENT1: sandboxRoot=/tmp:!/tmp/private.
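The following added example (not IBM code, and not the product's implementation) parses a sandboxRoot value in the syntax above and reports whether a candidate path would fall inside the sandbox, which is useful for reviewing a value before it goes into agent.properties. It assumes that a denied entry takes precedence over an allowed one, that an entry covers the directory and everything beneath it, and that paths are normalised before comparison; the function names are hypothetical.

```python
import posixpath


def parse_sandbox_root(value, separator=":"):
    """Split a sandboxRoot value into (allowed, denied) directory lists."""
    allowed, denied = [], []
    for entry in value.split(separator):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("!"):
            # A leading "!" marks the directory as denied (excluded).
            denied.append(posixpath.normpath(entry[1:]))
        else:
            allowed.append(posixpath.normpath(entry))
    return allowed, denied


def _within(path, directory):
    # True when path is the directory itself or lies beneath it.
    # Comparing with a trailing "/" stops /tmp/private matching /tmp/privateer.
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def is_permitted(path, allowed, denied):
    # Normalise first so "/tmp/../etc/passwd" is judged as "/etc/passwd".
    path = posixpath.normpath(path)
    # Assumption: exclusions win over inclusions.
    if any(_within(path, d) for d in denied):
        return False
    return any(_within(path, a) for a in allowed)


# The value from the AGENT1 example on this page.
ALLOWED, DENIED = parse_sandbox_root("/tmp:!/tmp/private")


def check(path):
    return is_permitted(path, ALLOWED, DENIED)


if __name__ == "__main__":
    # Constructed sample paths, chosen to exercise the edge cases.
    for p in ["/tmp/in/file.txt", "/tmp/private/key.pem",
              "/tmp/privateer/x", "/tmp/../etc/passwd", "/home/user/a"]:
        print(f"{p:28} {'allowed' if check(p) else 'denied'}")
```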
The sandboxRoot property is described in Advanced agent properties.

Neither agent sandboxing nor user sandboxing is supported on protocol bridge agents or on Connect:Direct® bridge agents.