SET POLICY on Multiplatforms

Use the MQSC command SET POLICY to set a security policy.


Use MQSC commands

For information on how to use MQSC commands, see Performing local administration tasks using MQSC commands.

Important: You must have an Advanced Message Security (AMS) license installed to issue this command. If you attempt to issue the SET POLICY command without an AMS license installed, you receive message AMQ7155 - License file not found or not valid.


SET POLICY

SET POLICY(policy-name)
    [SIGNALG(NONE | MD5 | SHA1 | SHA256 | SHA384 | SHA512)]
    [ENCALG(NONE | RC2 | DES | 3DES | AES128 | AES256)]
    [SIGNER(distinguished-name) ...]
    [RECIP(distinguished-name) ...]
    [ENFORCE | TOLERATE]
    [KEYREUSE(DISABLED | UNLIMITED | integer)]
    [ACTION(REPLACE | ADD | REMOVE)]

Parameters in square brackets are optional; "..." marks a parameter that can be repeated. Within each group of alternatives the first value listed is the default.


Parameter descriptions for SET POLICY

    (policy-name)
    Name of the policy, required.

    The policy name must match the name of the queue which is to be protected.

    SIGNALG
    Specifies the digital signature algorithm from one of the following values:

    • NONE
    • MD5
    • SHA1
    • SHA256
    • SHA384
    • SHA512

    The default value is NONE.

    ENCALG
    Specifies the digital encryption algorithm from one of the following values:

    • NONE
    • RC2
    • DES
    • 3DES
    • AES128
    • AES256

    The default value is NONE.

    RECIP (distinguished-name)
    Specifies the distinguished name (DN) of a message recipient; the certificate that carries the DN provided is used to encrypt the message. Notes:
    1. Attribute names in DNs must be provided in capital letters.
    2. Commas must be used as the name separator.
    3. You must specify at least one recipient if you use any encryption algorithm other than NONE.

    You can specify multiple RECIP parameters on the same policy.

    SIGNER (distinguished-name)
    Specifies a signer DN that is validated during message retrieval. Only messages signed by a user with one of the DNs provided are accepted during retrieval. Notes:
    1. Attribute names in DNs must be provided in capital letters.
    2. Commas must be used as the name separator.
    3. You can specify signer DNs only if you use a signature algorithm other than NONE.

    You can specify multiple SIGNER parameters on the same policy.

    ENFORCE
    Specifies that all messages must be protected when retrieved from the queue.

    Any unprotected message encountered is moved to the SYSTEM.PROTECTION.ERROR.QUEUE.

    ENFORCE is the default value.

    TOLERATE
    Specifies that unprotected messages retrieved from the queue are tolerated; the policy is not applied to them and they are not moved to SYSTEM.PROTECTION.ERROR.QUEUE. TOLERATE is optional and exists to facilitate staged implementation, where:

    • Policies have been applied to queues, but those queues might already contain unprotected messages, or
    • Queues might still receive messages from remote systems that do not yet have the policy set.

    KEYREUSE
    Specifies the number of times that an encryption key can be reused, in the range 1-9999999, or one of the special values DISABLED or UNLIMITED.

    Note that this is the maximum number of times a key can be reused; therefore a value of 1 means that, at most, two messages can use the same key.

      DISABLED
      Prevents a symmetric key from being reused.

      UNLIMITED
      Allows a symmetric key to be reused any number of times.

    DISABLED is the default value.

    Attention: Key reuse is valid only for CONFIDENTIALITY policies, that is, SIGNALG set to NONE and ENCALG set to an algorithm value. For all other policy types, you must omit the parameter or set the KEYREUSE value to DISABLED.

    ACTION
    Specifies how the parameters supplied are applied to any existing policy, using one of the following values:

      REPLACE
      Replaces any existing policy with the parameters supplied.

      ADD
      Adds the signer and recipient parameters to the existing policy. That is, if a signer or recipient is specified and does not already exist in the preexisting policy, the signer or recipient value is added to the existing policy definition.

      REMOVE
      Has the opposite effect of ADD. That is, if any of the signer or recipient values specified exist in a preexisting policy, those values are removed from the policy definition.

    REPLACE is the default value.
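As an added example (not IBM's code and not part of this reference), the following Python script builds SET POLICY commands and checks them against the parameter rules above before they are handed to runmqsc: DN attribute names in capital letters with comma separators, at least one RECIP when ENCALG is not NONE, SIGNER only with a signature algorithm other than NONE, and a KEYREUSE value other than DISABLED only on a confidentiality policy. It also produces the TOLERATE-then-ENFORCE pair used for a staged rollout and an ACTION(ADD) command that grants a further recipient, and it flags MD5, SHA1, RC2, DES and 3DES, which the command still accepts but which are no longer regarded as strong. The queue name, DNs and function names are constructed for this example.

```python
"""Build and sanity-check Advanced Message Security SET POLICY commands.

Added example, not IBM's code: it encodes the parameter rules stated in the
SET POLICY reference (DN format, RECIP/SIGNER preconditions, KEYREUSE scope)
so that an invalid policy is rejected before it is piped into runmqsc.
Queue names and DNs used below are constructed sample values.
"""
import re

SIGN_ALGS = {"NONE", "MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
ENC_ALGS = {"NONE", "RC2", "DES", "3DES", "AES128", "AES256"}
ACTIONS = {"REPLACE", "ADD", "REMOVE"}
# Accepted by the command, but no longer regarded as strong; flagged, not refused.
WEAK_ALGS = {"MD5", "SHA1", "RC2", "DES", "3DES"}
KEYREUSE_MAX = 9999999

# DN notes 1 and 2: upper-case attribute names, commas as the only separator.
_DN_RE = re.compile(r"^[A-Z]+=[^,=]+(?:,[A-Z]+=[^,=]+)*$")


def check_dn(dn: str) -> str:
    """Return dn unchanged if it satisfies the DN formatting notes, else raise."""
    if not _DN_RE.match(dn):
        raise ValueError(f"DN needs upper-case attribute names and comma separators: {dn!r}")
    return dn


def check_keyreuse(keyreuse, signalg: str, encalg: str) -> str:
    """Validate KEYREUSE and return the token to place inside KEYREUSE(...)."""
    if keyreuse is None:
        return "DISABLED"  # the documented default
    token = str(keyreuse).upper()
    if token not in {"DISABLED", "UNLIMITED"}:
        if not token.isdigit() or not 1 <= int(token) <= KEYREUSE_MAX:
            raise ValueError("KEYREUSE must be DISABLED, UNLIMITED or 1-9999999")
    # Key reuse is valid only for confidentiality policies (SIGNALG NONE, ENCALG set).
    confidentiality = signalg == "NONE" and encalg != "NONE"
    if token != "DISABLED" and not confidentiality:
        raise ValueError("KEYREUSE other than DISABLED is valid only for confidentiality policies")
    return token


def set_policy_cmd(queue, signalg="NONE", encalg="NONE", signers=(), recips=(),
                   tolerate=False, keyreuse=None, action="REPLACE") -> str:
    """Return a single SET POLICY MQSC command, or raise ValueError."""
    signalg, encalg, action = signalg.upper(), encalg.upper(), action.upper()
    if signalg not in SIGN_ALGS or encalg not in ENC_ALGS or action not in ACTIONS:
        raise ValueError("unknown SIGNALG, ENCALG or ACTION value")
    if encalg != "NONE" and not recips:
        raise ValueError("ENCALG other than NONE requires at least one RECIP")
    if signers and signalg == "NONE":
        raise ValueError("SIGNER is only valid when SIGNALG is not NONE")
    parts = [f"SET POLICY({queue})", f"SIGNALG({signalg})", f"ENCALG({encalg})"]
    # Several SIGNER/RECIP parameters may appear on one policy; each DN is quoted
    # so that the commas inside it are not read as MQSC separators.
    parts += [f"SIGNER('{check_dn(dn)}')" for dn in signers]
    parts += [f"RECIP('{check_dn(dn)}')" for dn in recips]
    parts.append("TOLERATE" if tolerate else "ENFORCE")
    parts.append(f"KEYREUSE({check_keyreuse(keyreuse, signalg, encalg)})")
    parts.append(f"ACTION({action})")
    return " ".join(parts)


def weak_algorithm_warnings(cmd: str) -> list:
    """List (sorted) the weak algorithms a generated command would configure."""
    used = set(re.findall(r"(?:SIGNALG|ENCALG)\((\w+)\)", cmd))
    return sorted(used & WEAK_ALGS)


def staged_rollout(queue, signalg, encalg, signers, recips) -> list:
    """Two commands for the staged deployment the reference describes: first
    TOLERATE the unprotected messages already queued, later switch to ENFORCE."""
    return [set_policy_cmd(queue, signalg, encalg, signers, recips, tolerate=True),
            set_policy_cmd(queue, signalg, encalg, signers, recips, tolerate=False)]


if __name__ == "__main__":
    # Constructed sample values; pipe the output into: runmqsc <queue manager name>
    for line in staged_rollout("APP.ORDERS", "SHA256", "AES256",
                               ["CN=orders-producer,O=EXAMPLE,C=GB"],
                               ["CN=orders-consumer,O=EXAMPLE,C=GB"]):
        print(line)
    # Later, grant a second recipient without restating the whole policy.
    print(set_policy_cmd("APP.ORDERS", "SHA256", "AES256",
                         recips=["CN=orders-auditor,O=EXAMPLE,C=GB"], action="ADD"))
```

Run the script and pipe its output into runmqsc for the queue manager that owns the queue; the TOLERATE command goes in first, and the ENFORCE command once every producer is known to be putting protected messages, so nothing legitimate lands on SYSTEM.PROTECTION.ERROR.QUEUE.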

Parent topic: MQSC commands