The commandPath property

Use the commandPath property to specify the locations that IBM® MQ Managed File Transfer can run commands from. Take extreme care when you set this property because any command in one of the specified commandPaths can effectively be called from a remote client system that is able to send commands to the agent.

You can specify a command to be run on the system where the agent is running from the managed transfer and managed call functions of IBM MQ Managed File Transfer. For more information, see Program invocation. However, commands must be on paths referenced by the commandPath agent property.

If the command specified is not fully qualified, IBM MQ Managed File Transfer attempts to find a matching command on the command path. If there is more than one matching command on the command path, the first match is used.

By default, the commandPath property is empty so that the agent cannot call any commands.

Specify the commandPath agent property as follows: 
commandPath=command_directory_name 
separator...command_directory_name
Or for z/OS® only, specify: 
commandPath=command_directory_name_or_data_set_name_prefix 
separator...command_directory_name_or_data_set_name_prefix
where:
  • command_directory_name is a directory path for commands that can be run.
  • command_directory_name_or_data_set_name_prefix is a z/OS UNIX System Services directory path for commands that can be run, or a data set name prefix, that starts with //. You can choose to use a fully qualified or unqualified data set name prefix (that is, in the form: //'HLQ...' or //HLQ...). Specify partitioned data sets in the form //'HLQ()...' or //HLQ().... Use data sets to specify JCL script commands only.
  • separator is the platform-specific separator.
For example, on a UNIX system if you want to run commands that are located in the directories /home/user/cmds1 and /home/user/cmds2, set the commandPath agent property as follows: 

commandPath=/home/user/cmds1:/home/user/cmds2
For example, on a Windows system if you want to run commands that are located in the directories C:\File Transfer\commands and C:\File Transfer\agent commands, set the commandPath agent property as follows: 

commandPath=C:\\File Transfer\\commands;C:\\File Transfer\\agent commands
On a Windows system the separator character, backslash (\), must be escaped and be entered as a double backslash (\\). The backslash character (\) can also be replaced with a forward slash (/).
For example, on an IBM 4690 system the separator character is a semicolon (;). To run commands that are located in the directories f:/fteuser/cmds and mqftcmds:/public where mqftcmds is an IBM 4690 logical name defined to a directory that contains the commands, set the commandPath agent property as follows: 

commandPath=f:/fteuser/cmds;mqftcmds:/public
For example, on z/OS if you want to run commands that are:
  • In the directories /home/user/cmds1 and /home/user/cmds2
  • In data sets that start with //'USER.CMD1', //CMD2,
  • Members of a fully qualified PDS named //'USER.CMDS'
set the commandPath agent property as follows: 

commandPath=/home/user/cmds1:/home/user/cmds2://'USER.CMD1'://CMD2://'USER.CMDS()'
[V8.0.0.6 Jan 2017]Important: Extreme care must be taken when you set this property, because any command in one of the specified commandPaths can be called from a remote client system that is able to send commands to the agent. For this reason, by default, when you specify a commandPath, sandboxing is configured so that all commandPath directories (and their subdirectories) are automatically denied access for a transfer:
  • If the agent is configured to use an agent sandbox, the commandPath directories are automatically added to the list of denied directories when the agent starts.
  • If the agent is configured with one or more user sandboxes, the commandPath directories are added as <exclude> elements to the <read> and <write> elements for each user sandbox when the agent starts up.
  • If the agent is not configured to use either an agent sandbox, or user sandboxes, then a new agent sandbox is created when the agent starts up that has the commandPath directories specified as denied directories.
[V8.0.0.6 Jan 2017]You can override this behavior for compatibility with the following releases:
  • IBM WebSphere® MQ File Transfer Edition.
  • The IBM WebSphere MQ V7.5.0.1 Managed File Transfer component (or earlier).
  • The IBM WebSphere MQ V7.5.0.2 Managed File Transfer component (or later) on an installation that does not have the installation property enableFunctionalFixPack=7502 set.
You can override this behavior by adding the following property to the agent.properties file:
addCommandPathToSandbox=false
[V8.0.0.6 Jan 2017]When the addCommandPathToSandbox property is present and set to false, the following behavior occurs:
  • If the agent is configured to use an agent sandbox, and the sandbox does not have any allowed directories specified, the commandPath directories are automatically added to the list of denied directories when the agent starts.
  • If the agent is configured to use an agent sandbox, and the sandbox has one or more allowed directories specified, the commandPath directories are not added to the list of denied directories when the agent starts.
  • If the agent is configured with one or more user sandboxes, the user sandboxes are not changed, and the commandPath directories are not added as <exclude> elements to the <read> and <write> elements for each user sandbox.
  • If the agent is not configured to use either an agent sandbox, or user sandboxes, then a new agent sandbox is created when the agent starts up that has the commandPath directories specified as denied directories.

The commandPath property is described in The agent.properties file.