SET POLICY

Use the MQSC command SET POLICY to set a security policy.

Using MQSC commands

For information on how you use MQSC commands, see Performing local administration tasks using MQSC commands.

Supported platforms:

  IBM® i    UNIX and Linux®    Windows    z/OS®
    X             X               X
Important: You must have an IBM MQ Advanced Message Security (AMS) license installed to issue this command. If you attempt to issue the SET POLICY command without an AMS license installed, you receive message AMQ7155 - License file not found or not valid.

SET POLICY

Syntax:

  SET POLICY(policy-name)
      [SIGNALG(NONE | MD5 | SHA1 | SHA256 | SHA384 | SHA512)]
      [ENCALG(NONE | RC2 | DES | 3DES | AES128 | AES256)]
      [SIGNER(distinguished-name)]
      [RECIP(distinguished-name)]
      [ENFORCE | TOLERATE]
      [ACTION(REPLACE | ADD | REMOVE)]

SIGNER and RECIP can each be specified more than once on the same policy.

Parameter descriptions for SET POLICY

(policy-name)
Name of the policy, required.

The policy name must match the name of the queue which is to be protected.

SIGNALG
Specifies the digital signature algorithm from one of the following values:
  • NONE
  • MD5
  • SHA1
  • SHA256
  • SHA384
  • SHA512
The default value is NONE.
ENCALG
Specifies the digital encryption algorithm from one of the following values:
  • NONE
  • RC2
  • DES
  • 3DES
  • AES128
  • AES256
The default value is NONE.
RECIP (distinguished-name)
Specifies the distinguished name (DN) of a message recipient; the certificate with the DN provided is used to encrypt messages put to the queue.
Notes:
  1. The attribute names in DNs must be provided in capital letters.
  2. Commas must be used as a name separator.
  3. You must specify at least one recipient, if you use any encryption algorithm other than NONE.

You can specify multiple RECIP parameters on the same policy.

SIGNER (distinguished-name)
Specifies a signer DN that is validated when a message is retrieved. Only messages signed by a user with one of the DNs provided are accepted during retrieval.
Notes:
  1. The attribute names in DNs must be provided in capital letters.
  2. Commas must be used as a name separator.
  3. You can specify signer DNs only if you use a signature algorithm other than NONE.

You can specify multiple SIGNER parameters on the same policy.

ENFORCE
Specifies that all messages must be protected when retrieved from the queue.

Any unprotected message encountered is moved to the SYSTEM.PROTECTION.ERROR.QUEUE.

ENFORCE is the default value.

TOLERATE
Specifies that unprotected messages retrieved from the queue are tolerated: the policy is not enforced for them, and they are returned to the application instead of being moved to the error queue.
TOLERATE is optional and exists to facilitate staged implementation, where:
  • Policies have been applied to queues, but those queues might already contain unprotected messages, or
  • Queues might still receive messages from remote systems that do not yet have the policy set.
ACTION
Specifies how the parameters supplied are applied to any existing policy, using one of the following values:
REPLACE
Has the effect of replacing any existing policy with the parameters supplied.
ADD
Has the effect that the SIGNER and RECIP parameters are additive. That is, if a signer or recipient is specified and does not already exist in the preexisting policy, that signer or recipient value is added to the existing policy definition.
REMOVE
Has the opposite effect of ADD. That is, if any of the signer or recipient values specified exist in a preexisting policy, those values are removed from the policy definition.

REPLACE is the default value.