[V8.0.0.6 Jan 2017]

Additional checks for wildcard transfers

From IBM® MQ 8.0.0, Fix Pack 6, if an agent has been configured with a user or agent sandbox in order to restrict the locations that the agent can transfer files to and from, you can specify that additional checks are to be made on wildcard transfers for that agent.

additionalWildcardSandboxChecking property

To enable additional checking for wildcard transfers, add the following property to the agent.properties file for the agent that you want to check.

additionalWildcardSandboxChecking=true

When this property is set to true, and the agent makes a transfer request that attempts to read a location outside the defined sandbox in order to match files against the wildcard, the transfer fails. If a single transfer request contains multiple transfers and one of them fails because it attempts to read a location outside the sandbox, the entire transfer fails. When a check fails, the reason for the failure is given in an error message.

If the additionalWildcardSandboxChecking property is omitted from an agent's agent.properties file or is set to false, no additional checks are made on wildcard transfers for that agent.

Error messages for wildcard checking

From Version 8.0.0, Fix Pack 6, the messages that are reported when a wildcard transfer request is made to a location outside a configured sandbox location have changed.

The following message occurs when a wildcard file path in a transfer request is located outside of the restricted sandbox:

BFGSS0077E: Attempt to read file path: <path> has been denied.
The file path is located outside of the restricted transfer sandbox.

The following message occurs when a transfer within a multiple transfer request contains a wildcard transfer request where the path is located outside of the restricted sandbox:

BFGSS0078E: Attempt to read file path: <path> has been ignored as another transfer
item in the managed transfer attempted to read outside of the restricted transfer sandbox.

The following message occurs when a file is located outside of the restricted sandbox:

BFGSS0079E: Attempt to read file <file path> has been denied.
The file is located outside of the restricted transfer sandbox.

The following message occurs in a multiple transfer request where another wildcard transfer request has caused this one to be ignored:

BFGSS0080E: Attempt to read file: <file path> has been ignored as another transfer
item in the managed transfer attempted to read outside of the restricted transfer sandbox.

In the case of single file transfers that do not include wildcards, the message that is reported when the transfer involves a file that is located outside of the sandbox is unchanged from earlier releases:

Fails with BFGIO0056E: Attempt to read file "<FILE>" has been denied.
The file is located outside of the restricted transfer sandbox.
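When a multi-item transfer fails, the "denied" messages name the item that actually left the sandbox and the "ignored" messages name items that failed only as a consequence. The following Python triage sketch is an added example, not IBM code; it assumes each message has been collected onto a single line, and the timestamps, paths, and role labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Message IDs as listed on this page; the role labels are this example's own wording.
ROLES = {
    "BFGSS0077E": "root-cause",  # wildcard path outside the sandbox
    "BFGSS0079E": "root-cause",  # matched file outside the sandbox
    "BFGIO0056E": "root-cause",  # single-file transfer, no wildcard
    "BFGSS0078E": "collateral",  # wildcard item ignored because another item failed
    "BFGSS0080E": "collateral",  # file ignored because another item failed
}

# Tolerates the variants shown above: "file path:", "file:", "file" and a quoted path.
PATTERN = re.compile(
    r'(BFG(?:SS|IO)\d{4}E): Attempt to read file(?: path)?:?\s+'
    r'"?(.+?)"?\s+has been (?:denied|ignored)'
)

def triage(lines):
    """Group sandbox read failures into root causes and collateral items."""
    result = defaultdict(list)
    for line in lines:
        m = PATTERN.search(line)
        if m and m.group(1) in ROLES:
            result[ROLES[m.group(1)]].append((m.group(1), m.group(2)))
    return dict(result)

# Constructed sample lines (assumed one-line form; timestamps and paths are invented).
SAMPLE_LOG = [
    "2017-01-10 09:14:02 BFGSS0077E: Attempt to read file path: /srv/other/*.csv has been denied. The file path is located outside of the restricted transfer sandbox.",
    "2017-01-10 09:14:02 BFGSS0078E: Attempt to read file path: /srv/sandbox/in/*.txt has been ignored as another transfer item in the managed transfer attempted to read outside of the restricted transfer sandbox.",
    "2017-01-10 09:14:02 BFGSS0080E: Attempt to read file: /srv/sandbox/in/report.txt has been ignored as another transfer item in the managed transfer attempted to read outside of the restricted transfer sandbox.",
    '2017-01-10 09:20:41 BFGIO0056E: Attempt to read file "/srv/other/single.dat" has been denied. The file is located outside of the restricted transfer sandbox.',
    "2017-01-10 09:21:00 constructed unrelated line",
]

if __name__ == "__main__":
    for role, hits in triage(SAMPLE_LOG).items():
        for msg_id, path in hits:
            print(f"{role:11} {msg_id} {path}")
```

Review the root-cause paths first: they show which transfer item tried to reach outside the sandbox, while the collateral entries usually need no separate investigation.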