Working with agent sandboxes

To add an additional level of security to WebSphere® MQ Managed File Transfer, you can restrict the area of a file system that an agent can access.

You cannot use agent sandboxing for agents that transfer to or from IBM® WebSphere MQ queues. To restrict access to IBM WebSphere MQ queues, use user sandboxing instead, which is the recommended solution for any sandboxing requirements. For more information about user sandboxing, see Working with user sandboxes.

To enable agent sandboxing, add the following property to the agent.properties file for the agent you want to restrict:
sandboxRoot=[!]restricted_directory_name<separator>...<separator>[!]restricted_directory_name
where:
  • restricted_directory_name is a directory path to be allowed or denied.
  • ! is optional and specifies that the following value for restricted_directory_name is denied (excluded). If ! is not specified, restricted_directory_name is an allowed (included) path.
  • <separator> is the platform-specific separator.

For example, to restrict AGENT1 to the /tmp directory only, while denying access to the subdirectory private, set the property as follows in the agent.properties file belonging to AGENT1: sandboxRoot=/tmp:!/tmp/private.

The sandboxRoot property is described in Advanced agent properties.

Neither agent sandboxing nor user sandboxing is supported on protocol bridge agents or on Connect:Direct® bridge agents.

Working in a sandbox on UNIX, Linux, and Windows platforms

On UNIX, Linux®, and Windows platforms, sandboxing restricts which directories a WebSphere MQ Managed File Transfer agent can read from and write to. When sandboxing is activated, the WebSphere MQ Managed File Transfer agent can read from and write to the directories specified as allowed, and any subdirectories that those directories contain, unless the subdirectories are specified as denied in the sandboxRoot property. WebSphere MQ Managed File Transfer sandboxing does not take precedence over operating system security. The user that started the WebSphere MQ Managed File Transfer agent must have the appropriate operating system level access to a directory to be able to read from or write to it. A symbolic link to a directory is not followed if the directory linked to is outside the specified sandboxRoot directories (and subdirectories).
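The allow/deny evaluation described above can be modelled in a short script to audit a planned sandboxRoot value before it goes into agent.properties. This is an added example, not IBM code or part of the product: the function names are hypothetical, and it assumes that a denied entry always overrides an allowed one and that the value contains at least one allowed entry.

```python
import os

def parse_sandbox_root(value, sep=os.pathsep):
    """Split a sandboxRoot value into (allowed, denied) lists of resolved paths."""
    allowed, denied = [], []
    for entry in value.split(sep):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("!"):          # leading ! marks a denied directory
            denied.append(os.path.realpath(entry[1:]))
        else:
            allowed.append(os.path.realpath(entry))
    return allowed, denied

def _is_within(path, root):
    """True if path is root or below it, compared per component, not by prefix."""
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:                     # e.g. different drives on Windows
        return False

def is_permitted(path, sandbox_root, sep=os.pathsep):
    """Model of the check: inside an allowed directory and not inside a denied one."""
    allowed, denied = parse_sandbox_root(sandbox_root, sep)
    # Resolve symbolic links and ".." first, so a link that points outside
    # the sandbox is judged by its target.
    real = os.path.realpath(path)
    if any(_is_within(real, d) for d in denied):
        return False                       # assumption: deny overrides allow
    return any(_is_within(real, a) for a in allowed)

if __name__ == "__main__":
    # The page's AGENT1 value; the candidate paths are constructed samples.
    value = "/tmp:!/tmp/private"
    for candidate in ("/tmp/in/a.txt", "/tmp/private/key.pem",
                      "/tmp/private2/b.txt", "/tmp/../etc/passwd"):
        verdict = "allowed" if is_permitted(candidate, value, sep=":") else "denied"
        print(f"{candidate}: {verdict}")
```

The /tmp/private2 sample shows why the comparison is made per path component: a plain string-prefix match against /tmp/private would wrongly deny it.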

Working in a sandbox on IBM 4690 systems

For information about how paths specified in the sandboxRoot property are interpreted on IBM 4690, see Working in a sandbox on IBM 4690.