Set MQM Security Policy (SETMQMSPL)

    Where allowed to run
    All environments (*ALL)

    Threadsafe
    Yes

The Set MQM Security Policy (SETMQMSPL) command sets security policies that are used by Advanced Message Security to control how messages are protected when they are put to, browsed on, or destructively removed from queues.

A policy associates digital-signing and encryption protection for messages with the queue whose name matches the policy name.


Parameters

Keyword   Description                 Choices                                          Notes
POLICY    Policy name                 Character value                                  Required, Key, Positional 1
MQMNAME   Message Queue Manager name  Character value, *DFT                            Required, Key, Positional 2
SIGNALG   Signature algorithm         *NONE, *MD5, *SHA1, *SHA256, *SHA384, *SHA512    Optional, Positional 3
ENCALG    Encryption algorithm        *NONE, *RC2, *DES, *TRIPLEDES, *AES128, *AES256  Optional, Positional 4
SIGNER    Authorized signers          *NONE, Character value                           Optional, Positional 5
RECIP     Intended recipients         *NONE, Character value                           Optional, Positional 6
TOLERATE  Tolerate unprotected        *NO, *YES                                        Optional, Positional 7
REMOVE    Remove policy               *NO, *YES                                        Optional, Positional 8
KEYREUSE  Key reuse                   *DISABLED, *UNLIMITED, integer value             Optional, Positional 9


Policy name (POLICY)

The name of the policy. This parameter is required.

The policy name must match the name of the queue that is to be protected.

The name of the new authentication information object to create.


Message Queue Manager name (MQMNAME)

The name of the queue manager.

The possible values are:

    *DFT
    Use the default queue manager.

    queue-manager-name
    The name of an existing message queue manager. The maximum string length is 48 characters.


Signature algorithm (SIGNALG)

Specifies the digital signature algorithm from one of the following values:

    *NONE
    Messages are not signed.

    *MD5
    Messages are signed using the MD5 message digest algorithm.

    *SHA1
    Messages are signed using the SHA-1 secure hash algorithm.

    *SHA256
    Messages are signed using the SHA-256 secure hash algorithm.

    *SHA384
    Messages are signed using the SHA-384 secure hash algorithm.

    *SHA512
    Messages are signed using the SHA-512 secure hash algorithm.


Encryption algorithm (ENCALG)

Specifies the encryption algorithm to use when protecting messages from one of the following values:

    *NONE
    Messages are not encrypted.

    *RC2
    Messages are encrypted using the RC2 Rivest Cipher algorithm.

    *DES
    Messages are encrypted using the DES Data Encryption Standard algorithm.

    *TRIPLEDES
    Messages are encrypted using the Triple DES Data Encryption Standard algorithm.

    *AES128
    Messages are encrypted using the AES 128-bit key Advanced Encryption Standard algorithm.

    *AES256
    Messages are encrypted using the AES 256-bit key Advanced Encryption Standard algorithm.


Authorized signers (SIGNER)

Specifies a list of X.500 distinguished names representing authorized message signers that are checked when browsing or destructively removing a message from a queue. If an authorized signer list is specified, only messages that are signed with a certificate identified in the list are accepted during message retrieval, even if the recipient keystore can verify the message signer.

This parameter is valid only when a signature algorithm (SIGNALG) has also been specified.

Note that distinguished names are case sensitive, and it is important that you enter the distinguished names exactly as they appear in the digital certificate.

The possible values are:

    *NONE
    When handling signed messages, beyond checking the signer's certificate validity, the policy does not restrict the identity of the message signer when retrieving messages.

    x500-distinguished-name
    When handling signed messages, beyond checking certificate validity, the message must have been signed by a certificate matching one of the distinguished names.


Intended recipients (RECIP)

Specifies a list of X.500 distinguished names representing the intended recipients that are used when putting an encrypted message to a queue. If a policy specifies an encryption algorithm (ENCALG), then at least one recipient distinguished name must be specified.

This parameter is valid only when an encryption algorithm (ENCALG) has also been specified.

Note that distinguished names are case sensitive, and it is important that you enter the distinguished names exactly as they appear in the digital certificate.

The possible values are:

    *NONE
    Messages are not encrypted.

    x500-distinguished-name
    When putting messages, the message data is encrypted using the distinguished name as an intended recipient. Only the listed recipients are able to retrieve and decrypt the message.


Tolerate unprotected (TOLERATE)

Specifies whether messages that are not protected can still be browsed or destructively removed from a queue. This parameter can be used to gradually introduce a security policy for applications, allowing any messages that were created before the policy was introduced to be processed.

The possible values are:

    *NO
    Messages that do not conform to the current policy are not returned to applications.

    *YES
    Messages that have not been protected are allowed to be retrieved by applications.


Remove policy (REMOVE)

Specifies whether a policy is being created or removed.

The possible values are:

    *NO
    The policy is created or altered if it already exists.

    *YES
    The policy is removed. The only other parameters that are valid with this parameter value are policy name (POLICY) and queue manager name (MQMNAME).


Key reuse (KEYREUSE)

Specifies the number of times that an encryption key can be re-used, in the range 1-9,999,999, or the special values *DISABLED or *UNLIMITED.

Note that this is the maximum number of times a key can be reused; a value of 1 therefore means that at most two messages can use the same key.

    *DISABLED
    Prevents a symmetric key from being reused.

    *UNLIMITED
    Allows a symmetric key to be reused any number of times.

Attention: Key reuse is valid only for confidentiality policies, that is, SIGNALG set to *NONE and ENCALG set to an algorithm value. For all other policy types, you must omit the parameter or set KEYREUSE to *DISABLED.
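The parameter rules above (SIGNER only with SIGNALG, RECIP required with ENCALG, KEYREUSE only for confidentiality policies, REMOVE(*YES) excluding everything but POLICY and MQMNAME, the 48-character MQMNAME limit and the 1-9,999,999 KEYREUSE range) interact in ways that are easy to get wrong when policies are scripted. The following Python helper is an added example, not IBM code and not part of this reference: it renders a policy description as a one-line SETMQMSPL command and rejects combinations that violate those rules before anything is submitted. The queue names, queue manager name and distinguished names are constructed sample values; the single-quote CL string quoting (with embedded apostrophes doubled) is an assumed convention; and the list of weak algorithms reflects general cryptographic consensus on MD5, SHA-1, RC2, DES and Triple DES, not a statement on this page.

```python
"""Added example (not IBM's code): render SETMQMSPL commands from a policy
description and enforce the parameter rules documented on this page."""
from dataclasses import dataclass
from typing import Optional, Union

SIGN_ALGS = {"*NONE", "*MD5", "*SHA1", "*SHA256", "*SHA384", "*SHA512"}
ENC_ALGS = {"*NONE", "*RC2", "*DES", "*TRIPLEDES", "*AES128", "*AES256"}
# Assumption for review purposes, not a statement from the page: broken or
# short-key primitives a defender should not select for new policies.
WEAK_ALGS = {"*MD5", "*SHA1", "*RC2", "*DES", "*TRIPLEDES"}
KEYREUSE_MAX = 9_999_999  # KEYREUSE integer range is 1-9,999,999


def cl_string(value: str) -> str:
    """Quote a value as a CL character string (assumed convention: single quotes,
    embedded apostrophe doubled) so DNs with commas and spaces stay intact."""
    return "'" + value.replace("'", "''") + "'"


@dataclass
class Policy:
    policy: str                 # POLICY: must equal the name of the protected queue
    mqmname: str = "*DFT"       # MQMNAME
    signalg: str = "*NONE"      # SIGNALG
    encalg: str = "*NONE"       # ENCALG
    signer: tuple = ()          # SIGNER: X.500 DNs of authorized signers
    recip: tuple = ()           # RECIP: X.500 DNs of intended recipients
    tolerate: str = "*NO"       # TOLERATE
    remove: bool = False        # REMOVE(*YES) when True
    keyreuse: Optional[Union[int, str]] = None  # KEYREUSE


def problem(p: Policy) -> Optional[str]:
    """Return the first documented rule the policy violates, or None if it is valid."""
    if not p.policy:
        return "POLICY is required"
    if p.mqmname != "*DFT" and len(p.mqmname) > 48:
        return "MQMNAME is limited to 48 characters"
    if p.remove:
        defaults = ("*NONE", "*NONE", (), (), "*NO", None)
        if (p.signalg, p.encalg, p.signer, p.recip, p.tolerate, p.keyreuse) != defaults:
            return "REMOVE(*YES) allows only POLICY and MQMNAME"
        return None
    if p.signalg not in SIGN_ALGS or p.encalg not in ENC_ALGS:
        return "unknown SIGNALG or ENCALG value"
    if p.signer and p.signalg == "*NONE":
        return "SIGNER is valid only when SIGNALG is specified"
    if p.recip and p.encalg == "*NONE":
        return "RECIP is valid only when ENCALG is specified"
    if p.encalg != "*NONE" and not p.recip:
        return "ENCALG requires at least one RECIP distinguished name"
    if p.tolerate not in ("*NO", "*YES"):
        return "TOLERATE must be *NO or *YES"
    if p.keyreuse is not None and p.keyreuse != "*DISABLED":
        # Confidentiality policy = SIGNALG(*NONE) with an ENCALG algorithm value.
        if not (p.signalg == "*NONE" and p.encalg != "*NONE"):
            return "KEYREUSE is valid only for confidentiality policies (SIGNALG(*NONE) plus ENCALG)"
        if p.keyreuse != "*UNLIMITED" and not (
            isinstance(p.keyreuse, int) and 1 <= p.keyreuse <= KEYREUSE_MAX
        ):
            return "KEYREUSE must be *DISABLED, *UNLIMITED or an integer 1-9999999"
    return None


def weak_choices(p: Policy) -> list:
    """List the weak algorithms a policy selects, for a reviewer to flag."""
    return [a for a in (p.signalg, p.encalg) if a in WEAK_ALGS]


def build_command(p: Policy) -> str:
    """Render a valid policy as a one-line SETMQMSPL command; raise on rule violations."""
    err = problem(p)
    if err:
        raise ValueError(err)
    parts = [f"SETMQMSPL POLICY({p.policy}) MQMNAME({p.mqmname})"]
    if p.remove:
        return " ".join(parts + ["REMOVE(*YES)"])
    parts.append(f"SIGNALG({p.signalg}) ENCALG({p.encalg})")
    if p.signer:
        parts.append("SIGNER(" + " ".join(cl_string(d) for d in p.signer) + ")")
    if p.recip:
        parts.append("RECIP(" + " ".join(cl_string(d) for d in p.recip) + ")")
    parts.append(f"TOLERATE({p.tolerate})")
    if p.keyreuse is not None:
        parts.append(f"KEYREUSE({p.keyreuse})")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample policies; queue, queue manager and DN values are made up.
    privacy = Policy("APP.ORDERS", "QM1", "*SHA256", "*AES256",
                     signer=("CN=orders-producer,O=Example",),
                     recip=("CN=orders-consumer,O=Example",))
    confidentiality = Policy("APP.EVENTS", "QM1", encalg="*AES128",
                             recip=("CN=events-consumer,O=Example",), keyreuse=32)
    for pol in (privacy, confidentiality, Policy("APP.OLD", "QM1", remove=True)):
        print(build_command(pol))
    print(weak_choices(Policy("LEGACY.Q", signalg="*MD5", encalg="*DES", recip=("CN=x",))))
```

Running the script prints three commands: an integrity-plus-privacy policy (signed with SHA-256, encrypted with AES-256, one authorized signer and one recipient), a confidentiality-only policy with KEYREUSE(32), and a removal. `weak_choices` is kept separate from validation because the command accepts MD5, SHA-1, RC2, DES and Triple DES; treating them as errors or merely as review findings is a site decision.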