commandPath MFT property

Use the commandPath property to specify the locations that Managed File Transfer can run commands from. Take extreme care when you set this property because any command in one of the specified commandPaths can effectively be called from a remote client system that is able to send commands to the agent.

We can specify a command to be run on the system where the agent is running from the managed transfer and managed call functions of Managed File Transfer. See Program invocation nested elements for information. However, commands must be on paths referenced by the commandPath agent property.

If the command specified is not fully qualified, Managed File Transfer attempts to find a matching command on the command path. If there is more than one matching command on the command path, the first match is used.

By default, the commandPath property is empty so that the agent cannot call any commands.

Specify the commandPath agent property as follows:
commandPath=command_directory_name 
separator...command_directory_name
Or for z/OS only, specify:
commandPath=command_directory_name_or_data_set_name_prefix 
separator...command_directory_name_or_data_set_name_prefix
where:

  • command_directory_name is a directory path for commands that can be run.
  • command_directory_name_or_data_set_name_prefix is a z/OS UNIX System Services directory path for commands that can be run, or a data set name prefix, that starts with //. We can choose to use a fully qualified or unqualified data set name prefix (that is, in the form: //'HLQ...' or //HLQ...). Specify partitioned data sets in the form //'HLQ()...' or //HLQ().... Use data sets to specify JCL script commands only.
  • separator is the platform-specific separator.

For example, on a UNIX system if we want to run commands that are located in the directories /home/user/cmds1 and /home/user/cmds2, set the commandPath agent property as follows:

commandPath=/home/user/cmds1:/home/user/cmds2
For example, on a Windows system if we want to run commands that are located in the directories C:\File Transfer\commands and C:\File Transfer\agent commands, set the commandPath agent property as follows:
commandPath=C:\\File Transfer\\commands;C:\\File Transfer\\agent commands
On a Windows system the separator character, backslash (\), must be escaped and be entered as a double backslash (\\). The backslash character (\) can also be replaced with a forward slash (/). For example, on z/OS if we want to run commands that are:

  • In the directories /home/user/cmds1 and /home/user/cmds2
  • In data sets that start with //'USER.CMD1', //CMD2,
  • Members of a fully qualified PDS named //'USER.CMDS'

set the commandPath agent property as follows:

commandPath=/home/user/cmds1:/home/user/cmds2://'USER.CMD1'://CMD2://'USER.CMDS()'
Important: Extreme care must be taken when you set this property, because any command in one of the specified commandPaths can be called from a remote client system that is able to send commands to the agent. For this reason, by default, when you specify a commandPath, sandboxing is configured so that all commandPath directories (and their subdirectories) are automatically denied access for a transfer:

  • If the agent is configured to use an agent sandbox, the commandPath directories are automatically added to the list of denied directories when the agent starts.
  • If the agent is configured with one or more user sandboxes, the commandPath directories are added as <exclude> elements to the <read> and <write> elements for each user sandbox when the agent starts up.
  • If the agent is not configured to use either an agent sandbox, or user sandboxes, then a new agent sandbox is created when the agent starts up that has the commandPath directories specified as denied directories.

We can override this behavior for compatibility with the following releases:

  • IBM WebSphere MQ File Transfer Edition. Note that IBM WebSphere MQ File Transfer Edition (FTE) is no longer a supported product. To migrate from FTE to the Managed File Transfer component in IBM MQ, see Migrating Managed File Transfer.
  • The IBM WebSphere MQ Version 7.5.0, Fix Pack 1Managed File Transfer component (or earlier).
  • The IBM WebSphere MQ Version 7.5.0, Fix Pack 2 Managed File Transfer component (or later) on an installation that does not have the installation property enableFunctionalFixPack=7502 set.

We can override this behavior by adding the following property to the agent.properties file:

addCommandPathToSandbox=false
When the addCommandPathToSandbox property is present and set to false, the following behavior occurs:

  • If the agent is configured to use an agent sandbox, and the sandbox does not have any allowed directories specified, the commandPath directories are automatically added to the list of denied directories when the agent starts.
  • If the agent is configured to use an agent sandbox, and the sandbox has one or more allowed directories specified, the commandPath directories are not added to the list of denied directories when the agent starts.
  • If the agent is configured with one or more user sandboxes, the user sandboxes are not changed, and the commandPath directories are not added as <exclude> elements to the <read> and <write> elements for each user sandbox.
  • If the agent is not configured to use either an agent sandbox, or user sandboxes, then a new agent sandbox is created when the agent starts up that has the commandPath directories specified as denied directories.

Parent topic: Managed File Transfer security reference


Related information