SET POLICY
Use the MQSC command SET POLICY to set a security policy.
Using MQSC commands
For information on how you use MQSC commands, see Performing local administration tasks using MQSC commands.
Applies to: IBM® i, UNIX and Linux®, Windows, z/OS®
Important: You must have an IBM MQ Advanced Message Security (AMS) license installed to issue this command. If you attempt to issue the SET POLICY command without an AMS license installed, you receive message AMQ7155 - License file not found or not valid.
Parameter descriptions for SET POLICY
- (policy-name)
- Name of the policy, required.
The policy name must match the name of the queue that is to be protected; there is one policy per queue.
- SIGNALG
- Specifies the digital signature algorithm, as one of the following values:
- NONE
- MD5
- SHA1
- SHA256
- SHA384
- SHA512
MD5 and SHA1 are no longer considered collision resistant; choose SHA256 or stronger for new policies.
- ENCALG
- Specifies the encryption algorithm, as one of the following values:
- NONE
- RC2
- DES
- 3DES
- AES128
- AES256
RC2, DES and 3DES are legacy algorithms with short keys or small block sizes; choose AES128 or AES256 for new policies.
- RECIP (distinguished-name)
- Specifies the distinguished name (DN) of a message recipient, that is, the DN of the certificate whose public key is used to encrypt the message. Only holders of the matching private keys can decrypt it.
Notes:
- Attribute names in the DN must be supplied in uppercase (for example CN=, OU=, O=, C=).
- The DN components must be separated by commas.
- You must specify at least one recipient if you use any encryption algorithm other than NONE.
You can specify multiple RECIP parameters on the same policy.
- SIGNER (distinguished-name)
- Specifies the DN of an authorized signer, validated when a message is retrieved. Only messages signed with a certificate whose DN matches one of the SIGNER values are accepted on retrieval; messages with any other signature are rejected.
Notes:
- Attribute names in the DN must be supplied in uppercase (for example CN=, OU=, O=, C=).
- The DN components must be separated by commas.
- You can specify signer DNs only if you use a signature algorithm other than NONE.
You can specify multiple SIGNER parameters on the same policy.
- ENFORCE
- Specifies that every message retrieved from the queue must be protected according to the policy.
Any unprotected message encountered is moved to the SYSTEM.PROTECTION.ERROR.QUEUE rather than being delivered to the application.
ENFORCE is the default value.
- TOLERATE
- Specifies that unprotected messages retrieved from the queue are delivered to the application, bypassing the policy, instead of being moved to the error queue.
TOLERATE is optional and exists to facilitate staged implementation, where:
- Policies have been applied to queues, but those queues might already contain unprotected messages, or
- Queues might still receive messages from remote systems that do not yet have the policy set.
Because TOLERATE accepts unsigned and unencrypted messages, switch the policy back to ENFORCE once the migration is complete.
- ACTION
- Specifies how the parameters supplied are applied to any policy that already exists for the queue, using one of the following values:
- REPLACE
- Has the effect of replacing any existing policy with the parameters supplied.
- ADD
- Has the effect that signers and recipients parameters have an additive effect. That is, if a signer or recipient is specified, and does not already exist in a preexisting policy, the signer or recipient value is added to the existing policy definition.
- REMOVE
- Has the opposite effect of ADD. That is, if any of the signer or recipient values specified exist in a preexisting policy, those values are removed from the policy definition.
REPLACE is the default value.
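The following Python model is an added illustration of the rules above; it is not IBM code and does not talk to a queue manager. It normalizes DNs into the form AMS expects (uppercase attribute names, comma separators), enforces the parameter rules stated in this reference (RECIP is needed whenever ENCALG is not NONE, SIGNER is only allowed when SIGNALG is not NONE), flags the legacy algorithms, renders the command text you would paste into runmqsc, and applies ACTION(REPLACE), ACTION(ADD) and ACTION(REMOVE) to an existing policy. The queue name PAYMENTS.IN and the DNs are constructed for the example. How ADD and REMOVE treat SIGNALG and ENCALG is not stated in the reference, so the model keeps the existing values in those two cases; that is an assumption of the example.

```python
"""Model of the SET POLICY parameters (added example; not IBM code).

Normalizes DNs, validates the parameter rules from the reference, renders
the MQSC command text for runmqsc, and applies ACTION(REPLACE|ADD|REMOVE)
to a policy that already exists. Queue and DN values are constructed.
"""
import re
from dataclasses import dataclass, replace as with_changes

SIGN_ALGS = ("NONE", "MD5", "SHA1", "SHA256", "SHA384", "SHA512")
ENC_ALGS = ("NONE", "RC2", "DES", "3DES", "AES128", "AES256")
# Broken or deprecated algorithms a reviewer should reject in new policies.
WEAK_ALGS = {"MD5", "SHA1", "RC2", "DES", "3DES"}

# Split a DN on commas that are not escaped with a backslash.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> str:
    """Return the DN with uppercase attribute names, comma separators, no padding."""
    parts = []
    for comp in _UNESCAPED_COMMA.split(dn):
        if "=" not in comp:
            raise ValueError(f"DN component {comp!r} has no '=': {dn!r}")
        name, value = comp.split("=", 1)
        name, value = name.strip().upper(), value.strip()
        if not re.fullmatch(r"[A-Z][A-Z0-9]*", name) or not value:
            raise ValueError(f"bad DN component {comp!r} in {dn!r}")
        parts.append(f"{name}={value}")
    return ",".join(parts)


@dataclass(frozen=True)
class Policy:
    queue: str                  # policy name is the name of the protected queue
    signalg: str = "NONE"
    encalg: str = "NONE"
    signers: tuple = ()         # normalized DNs of authorized signers
    recips: tuple = ()          # normalized DNs of recipients
    tolerate: bool = False      # False renders ENFORCE, the default

    def validate(self) -> None:
        """Apply the constraints stated in the SET POLICY reference."""
        if self.signalg not in SIGN_ALGS:
            raise ValueError(f"unknown SIGNALG {self.signalg!r}")
        if self.encalg not in ENC_ALGS:
            raise ValueError(f"unknown ENCALG {self.encalg!r}")
        if self.encalg != "NONE" and not self.recips:
            raise ValueError("an ENCALG other than NONE needs at least one RECIP")
        if self.signalg == "NONE" and self.signers:
            raise ValueError("SIGNER is only allowed with a SIGNALG other than NONE")
        for dn in self.signers + self.recips:
            if normalize_dn(dn) != dn:
                raise ValueError(f"DN not in AMS form (uppercase names, commas): {dn!r}")

    def weak_algorithms(self) -> set:
        """Algorithms in this policy that should not be used in a new deployment."""
        return {self.signalg, self.encalg} & WEAK_ALGS

    def to_mqsc(self, action: str = "REPLACE") -> str:
        """Render the single-line runmqsc command for this policy."""
        self.validate()
        words = [f"SET POLICY({self.queue})",
                 f"SIGNALG({self.signalg})", f"ENCALG({self.encalg})"]
        words += [f"SIGNER('{dn}')" for dn in self.signers]
        words += [f"RECIP('{dn}')" for dn in self.recips]
        words.append("TOLERATE" if self.tolerate else "ENFORCE")
        words.append(f"ACTION({action})")
        return " ".join(words)


def apply_action(existing: Policy, submitted: Policy, action: str) -> Policy:
    """Policy in effect after SET POLICY ... ACTION(action) against `existing`.

    REPLACE discards the old policy. ADD and REMOVE merge only the SIGNER and
    RECIP lists; keeping the existing algorithms and enforcement mode in those
    two cases is an assumption of this model, not something the reference states.
    """
    if action == "REPLACE":
        submitted.validate()
        return submitted
    if action == "ADD":
        signers = existing.signers + tuple(d for d in submitted.signers if d not in existing.signers)
        recips = existing.recips + tuple(d for d in submitted.recips if d not in existing.recips)
    elif action == "REMOVE":
        signers = tuple(d for d in existing.signers if d not in submitted.signers)
        recips = tuple(d for d in existing.recips if d not in submitted.recips)
    else:
        raise ValueError(f"unknown ACTION {action!r}")
    merged = with_changes(existing, signers=signers, recips=recips)
    merged.validate()  # REMOVE of the last RECIP on an encrypting policy fails here
    return merged


if __name__ == "__main__":
    alice = normalize_dn("cn=alice, ou=Payments, o=Example, c=GB")
    bob = normalize_dn("cn=bob,OU=Payments,o=Example,c=GB")
    policy = Policy("PAYMENTS.IN", "SHA256", "AES256", signers=(bob,), recips=(alice,))
    print(policy.to_mqsc())
    carol = normalize_dn("CN=carol,OU=Payments,O=Example,C=GB")
    widened = apply_action(policy, Policy("PAYMENTS.IN", recips=(carol,)), "ADD")
    print("recipients after ADD:", widened.recips)
```

The rendered command is a single line; when you paste it into runmqsc, split long commands across lines with a trailing `+` continuation character. The model rejects a REMOVE that would strip the last recipient from an encrypting policy, which is the situation to watch for when rotating recipient certificates: add the new DN first, then remove the old one.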