Working with MFT agent sandboxes

To add an additional level of security to Managed File Transfer, we can restrict the area of a file system that an agent can access.

We cannot use agent sandboxing for agents that transfer to or from IBM MQ queues. To restrict access to IBM MQ queues, use user sandboxing instead; user sandboxing is the recommended solution for any sandboxing requirement. For more information about user sandboxing, see Working with MFT user sandboxes.

To enable agent sandboxing, add the following property to the agent.properties file for the agent you want to restrict:
sandboxRoot=[!]restricted_directory_nameseparator...separator[!]restricted_directory_name
where:

  • restricted_directory_name is a directory path to be allowed or denied.
  • ! is optional and specifies that the following value for restricted_directory_name is denied (excluded). If ! is not specified, restricted_directory_name is an allowed (included) path.
  • separator is the platform-specific separator.

For example, if you want to restrict AGENT1 to the /tmp directory only, but deny access to its subdirectory private, set the property as follows in the agent.properties file belonging to AGENT1: sandboxRoot=/tmp:!/tmp/private.

The sandboxRoot property is described in Advanced agent properties.

Neither agent sandboxing nor user sandboxing is supported on protocol bridge agents or on Connect:Direct® bridge agents.

Working in a sandbox on UNIX, Linux, and Windows platforms

On UNIX, Linux, and Windows platforms, sandboxing restricts which directories a Managed File Transfer Agent can read from and write to. When sandboxing is activated, the Managed File Transfer Agent can read from and write to the directories specified as allowed, and any subdirectories that they contain, unless those subdirectories are specified as denied in the sandboxRoot. Managed File Transfer sandboxing does not take precedence over operating system security: the user that started the Managed File Transfer Agent must still have the appropriate operating system level access to a directory to be able to read from or write to it. A symbolic link to a directory is not followed if the directory it links to is outside the specified sandboxRoot directories (and their subdirectories).
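To make the sandboxRoot rules above concrete (the [!]path syntax, denied subdirectories winning over an allowed parent, and symbolic links that point outside the sandbox not being followed), here is an added Python model of the check; it is not IBM's code and does not reproduce the agent's implementation. It assumes a POSIX host, uses os.pathsep as the platform separator, treats a denied entry as overriding any allowed entry (as in the page's /tmp:!/tmp/private example), and builds a constructed temporary directory tree for its demo.

```python
import os
import tempfile


def parse_sandbox_root(value, separator=os.pathsep):
    """Split a sandboxRoot value into (allowed, denied) lists of normalised paths.
    A leading '!' marks the entry as denied, per the documented syntax."""
    allowed, denied = [], []
    for entry in value.split(separator):
        if not entry:
            continue
        if entry.startswith("!"):
            denied.append(os.path.normpath(entry[1:]))
        else:
            allowed.append(os.path.normpath(entry))
    return allowed, denied


def _is_within(path, root):
    """True if path equals root or lies underneath it (component-wise, not a string prefix)."""
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def is_path_permitted(target, allowed, denied):
    """Decide whether a transfer path may be used. The path is fully resolved first
    (symlinks followed), so a link whose destination is outside sandboxRoot is refused.
    Assumption: a denied root overrides an allowed one; OS permissions are not modelled."""
    resolved = os.path.realpath(target)
    if any(_is_within(resolved, d) for d in denied):
        return False
    return any(_is_within(resolved, a) for a in allowed)


def demo():
    """Constructed example tree: <base>/sandbox is allowed, <base>/sandbox/private is denied,
    and <base>/sandbox/link is a symlink to <base>/outside (outside the sandbox)."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(base, "sandbox", "private"))
    os.makedirs(os.path.join(base, "outside"))
    os.symlink(os.path.join(base, "outside"), os.path.join(base, "sandbox", "link"))
    prop = os.path.join(base, "sandbox") + os.pathsep + "!" + os.path.join(base, "sandbox", "private")
    allowed, denied = parse_sandbox_root(prop)
    return {
        "in_sandbox": is_path_permitted(os.path.join(base, "sandbox", "in.txt"), allowed, denied),
        "denied_subdir": is_path_permitted(os.path.join(base, "sandbox", "private", "x.txt"), allowed, denied),
        "symlink_out": is_path_permitted(os.path.join(base, "sandbox", "link", "y.txt"), allowed, denied),
        "outside": is_path_permitted(os.path.join(base, "outside", "z.txt"), allowed, denied),
    }
```

Running demo() shows only the path directly inside the allowed directory is permitted; the denied subdirectory, the symlink escaping the sandbox, and a path outside it are all refused.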

Working in a sandbox on z/OS

On z/OS®, sandboxing restricts the data set name qualifiers that the Managed File Transfer Agent can read from and write to. The user that started the Managed File Transfer Agent must have the correct operating system authorities to any data sets involved. If you enclose a sandboxRoot data set name qualifier value in double quotation marks, the value follows the normal z/OS convention and is treated as fully qualified. If you omit the double quotation marks, the sandboxRoot is prefixed with the current user ID. For example, if you set sandboxRoot=//test, the agent can access the data sets //username.test.** (in standard z/OS notation). At run time, if the initial levels of the fully resolved data set name do not match the sandboxRoot, the transfer request is rejected.

Working in a sandbox on IBM i systems

For files in the integrated file system on IBM i systems, sandboxing restricts which directories a Managed File Transfer Agent can read from and write to. When sandboxing is activated, the Managed File Transfer Agent can read and write to the directories specified as allowed, and any subdirectories that the specified directories contain unless the subdirectories are specified as denied in the sandboxRoot. Managed File Transfer sandboxing does not take precedence over operating system security. The user that started the Managed File Transfer Agent must have the appropriate operating system level access to any directory to be able to read from or write to the directory. A symbolic link to a directory is not followed if the directory linked to is outside the specified sandboxRoot directories (and subdirectories).