The message security policy utility (CSQ0UTIL)
The Advanced Message Security policy utility is provided to manage security policies that specify the cryptographic encryption and signature algorithms for encrypting and authenticating messages that flow through queues.
Using this utility program, you can display, define, alter, delete and export security policies.
The CSQ0UTIL utility program runs as a z/OS batch utility that accepts SYSIN command input. Sample JCL to run the utility is provided in member CSQ40CFG of thlqual.SCSQPROC.
--------------------------------------------------------------------------------
//CSQ40CFG JOB 1,CSQ0,CLASS=A,MSGCLASS=X
//CSQ40CFG EXEC PGM=CSQ0UTIL,
//         PARM='ENVAR("_CEE_ENVFILE_S=DD:ENVARS") /'
//STEPLIB  DD DSN=thlqual.SCSQANLE,DISP=SHR
//         DD DSN=thlqual.SCSQAUTH,DISP=SHR
//ENVARS   DD DSN=thlqual.SCSQPROC(CSQ40ENV),DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
dspmqspl -m qmgr
/*
--------------------------------------------------------------------------------
The utility accepts the following commands:
- dspmqspl: Display or export information about one or more security policies.
- setmqspl: Define, alter or remove a security policy.
For information on how to use these commands to manage security policies see Manage security policies.
General usage notes
When specifying distinguished names (DNs) that have embedded blanks, you must enclose the entire DN in double quotes ("). For example:
-a "CN=John Smith,O=IBM,C=US" -r "CN=JSmith,O=IBM Australia,C=AU"
Arguments that would exceed column 80 of a SYSIN input record can be continued on subsequent SYSIN records provided those arguments are enclosed in double quotes ("), and relevant continuations resume in column 1 of subsequent SYSIN records.
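The two rules above (DNs with embedded blanks must be quoted, and only quoted arguments may continue past column 80) can be checked before a job is submitted. The following is an added example, not part of the IBM sample or the utility itself; it assumes every command starts in column 1 with its command name and that continuation records are joined directly to the preceding record. The queue manager, policy name and algorithm values in the sample are constructed.

```python
import re

COMMANDS = ("dspmqspl", "setmqspl")  # the two commands CSQ0UTIL accepts
WIDTH = 80                           # SYSIN record length

def lint_sysin(records):
    """Return (record_number, message) findings for a list of SYSIN records."""
    findings, commands = [], []      # commands holds [first_record, joined_text]
    for no, rec in enumerate(records, 1):
        rec = rec.rstrip("\r\n")
        if not rec.strip():
            continue
        if len(rec) > WIDTH:
            findings.append((no, "record extends past column 80"))
        if rec.startswith(COMMANDS):
            commands.append([no, rec])
            continue
        if not commands:
            findings.append((no, "text before the first command"))
            continue
        if commands[-1][1].count('"') % 2 == 0:
            # No quote is open, so the argument being continued is unquoted.
            findings.append((no, "continuation of an unquoted argument"))
        commands[-1][1] += rec       # continuations resume in column 1
    for no, text in commands:
        if text.count('"') % 2:
            findings.append((no, "unbalanced double quote"))
            continue
        tokens = re.findall(r'"[^"]*"|\S+', text)[1:]
        for prev, tok in zip(tokens, tokens[1:]):
            # Two values in a row: a blank split a value that needed quotes.
            if not prev.startswith("-") and not tok.startswith("-"):
                findings.append((no, "unquoted embedded blank before " + tok))
    return findings

# Constructed sample (queue manager, policy and algorithms are illustrative).
LONG = ('setmqspl -m QM01 -p PAYROLL.REQUEST -s SHA256 -e AES256 '
        '-a "CN=John Smith,O=IBM,C=US" -r "CN=JSmith,O=IBM Australia,C=AU"')
GOOD = [LONG[:WIDTH], LONG[WIDTH:]]  # split at column 80 inside the quoted DN
BAD = ['setmqspl -m QM01 -p PAYROLL.REQUEST -s SHA256 '
       '-a CN=John Smith,O=IBM,C=US']

if __name__ == "__main__":
    for name, deck in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_sysin(deck) or "no findings")
```

The "two values in a row" test is a heuristic: it relies on option names starting with a hyphen and values not doing so.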
When exporting policy information using dspmqspl with the -export parameter the output is written to an additional DD named EXPORT. The EXPORT DD can be SYSOUT=*, a sequential data set, or the member of a partitioned data set. The record format is fixed block and the logical record length is 80. The output is in the form of one or more setmqspl commands that can subsequently be used as input to CSQ0UTIL.
To use this utility you need authority to connect to the queue manager as a batch application. This authority is granted by giving READ access to the hlq.BATCH profile in the MQCONN class.
You also need authority to put messages to the queue SYSTEM.PROTECTION.POLICY.QUEUE. This authority is granted by giving UPDATE access to the hlq.SYSTEM.PROTECTION.POLICY.QUEUE profile in the MQQUEUE class.
If command events have been enabled for the queue manager, you also need put authority to the queue SYSTEM.ADMIN.COMMAND.EVENT. If configuration events have been enabled for the queue manager, you need put authority to the queue SYSTEM.ADMIN.CONFIG.EVENT.