Displaying and dumping security policies in AMS
Use the dspmqspl command to display a list of all security policies or details of a named policy depending on the command-line parameters you supply.
Before starting
- To display security policy details, the queue manager must exist and be running.
- We must have the necessary authority to connect to the queue manager and create a security policy.
- On z/OS, grant the authorities documented in The message security policy utility (CSQ0UTIL).
- On platforms other than z/OS, we must grant the necessary +connect, +inq and +chg authorities using the setmqaut command.
For more information about configuring security see Set up security.
Here is the list of dspmqspl command flags:
| Command flag | Explanation |
| --- | --- |
| -m | Queue manager name (mandatory). |
| -p | Policy name. |
| -export | Adding this flag generates output which can easily be applied to a different queue manager. |
Example
The following example shows how to create two security policies for venus.queue.manager:

```
setmqspl -m venus.queue.manager -p AMS_POL_04_ONE -s sha256 -a "CN=signer1,O=IBM,C=US" -e NONE
setmqspl -m venus.queue.manager -p AMS_POL_06_THREE -s sha256 -a "CN=another signer,O=IBM,C=US" -e NONE
```

This example shows a command that displays details of all policies defined for venus.queue.manager and the output it produces:

```
dspmqspl -m venus.queue.manager

Policy Details:
Policy name: AMS_POL_04_ONE
Quality of protection: INTEGRITY
Signature algorithm: SHA256
Encryption algorithm: NONE
Signer DNs: CN=signer1,O=IBM,C=US
Recipient DNs: -
Toleration: 0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Policy Details:
Policy name: AMS_POL_06_THREE
Quality of protection: INTEGRITY
Signature algorithm: SHA256
Encryption algorithm: NONE
Signer DNs: CN=another signer,O=IBM,C=US
Recipient DNs: -
Toleration: 0
```

This example shows a command that displays details of a selected security policy defined for venus.queue.manager and the output it produces:

```
dspmqspl -m venus.queue.manager -p AMS_POL_06_THREE

Policy Details:
Policy name: AMS_POL_06_THREE
Quality of protection: INTEGRITY
Signature algorithm: SHA256
Encryption algorithm: NONE
Signer DNs: CN=another signer,O=IBM,C=US
Recipient DNs: -
Toleration: 0
```

In the next example, first, we create a security policy and then, we export the policy using the -export flag:

```
setmqspl -m venus.queue.manager -p AMS_POL_04_ONE -s SHA256 -a "CN=signer1,O=IBM,C=US" -e NONE
dspmqspl -m venus.queue.manager -export
```

On z/OS, the exported policy information is written by CSQ0UTIL to the EXPORT DD.

On platforms other than z/OS, redirect the output to a file, for example:

```
dspmqspl -m venus.queue.manager -export > policies.[bat|sh]
```

To import a security policy:
- On Windows, run policies.bat.
- On UNIX:
  - Log on as a user that belongs to the mqm IBM MQ administration group.
  - Issue . policies.sh.
- On z/OS use the CSQ0UTIL utility, specifying to SYSIN the data set containing the exported policy information.
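
An added example, not part of the original page or of IBM MQ: a Python parser for dspmqspl output in the layout shown in the examples above, which flags policy settings that merit a review. The EXAMPLE_LEGACY policy, the list of weak signature algorithms and the handling of a DN printed on its own line are assumptions.

```python
import re

WEAK_SIGNATURE = {"MD5", "SHA1"}  # assumption: too weak for new policies
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")
# Constructed sample (Quality of protection omitted); EXAMPLE_LEGACY is hypothetical.
SAMPLE = """\
Policy Details:
Policy name: AMS_POL_04_ONE
Signature algorithm: SHA256
Encryption algorithm: NONE
Signer DNs: CN=signer1,O=IBM,C=US
Recipient DNs: -
Toleration: 0
- - - - - - - - - - - - - - - - - - - -
Policy Details:
Policy name: EXAMPLE_LEGACY
Signature algorithm: SHA1
Encryption algorithm: AES256
Signer DNs:
  CN=signer1,O=IBM,C=US
Recipient DNs: CN=recipient1,O=IBM,C=US
Toleration: 1
"""

def parse_policies(text):
    """Split dspmqspl output into one dict of value lists per policy."""
    policies, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line == "Policy Details:":
            policies.append({})
            key = None
        elif not policies or not line.strip("- "):
            continue  # text before the first block, blank line or separator
        elif m := FIELD.match(line):
            key, value = m.groups()
            policies[-1][key] = [] if value in ("", "-") else [value]
        elif key:
            policies[-1][key].append(line)  # DN on its own line (assumed layout)
    return policies

def audit(policies):
    """Return (policy name, finding) pairs for settings that merit review."""
    findings = []
    for p in policies:
        flat = {k: " ".join(v) for k, v in p.items()}
        checks = [(flat.get("Signature algorithm") in WEAK_SIGNATURE, "weak signature algorithm"),
                  (flat.get("Encryption algorithm") == "NONE", "message data is not encrypted"),
                  (flat.get("Toleration") != "0", "unprotected messages are tolerated")]
        findings += [(flat.get("Policy name"), msg) for hit, msg in checks if hit]
    return findings
```

A policy whose Toleration line is missing is reported as well, so truncated output does not pass silently.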