Refresh Security

The Refresh Security (MQCMD_REFRESH_SECURITY) command refreshes the list of authorizations held internally by the authorization service component.


Optional parameters

    CommandScope (MQCFST)
    Command scope (parameter identifier: MQCACF_COMMAND_SCOPE). This parameter applies to z/OS only. Specifies how the command is executed when the queue manager is a member of a queue sharing group. We can specify one of the following:

    • blank (or omit the parameter altogether). The command is executed on the queue manager on which it was entered.
    • a queue manager name. The command is executed on the queue manager you specify, providing it is active within the queue sharing group. If you specify a queue manager name other than the queue manager on which it was entered, we must be using a queue sharing group environment, and the command server must be enabled.
    • an asterisk (*). The command is executed on the local queue manager and is also passed to every active queue manager in the queue sharing group.

    The maximum length is MQ_QSG_NAME_LENGTH.

    SecurityItem (MQCFIN)
    Resource class for which the security refresh is to be performed (parameter identifier: MQIACF_SECURITY_ITEM). This parameter applies to z/OS only. Use this parameter to specify the resource class for which the security refresh is to be performed. The value can be any of the following values:

      MQSECITEM_ALL
      A full refresh of the type specified is performed. MQSECITEM_ALL is the default value.

      MQSECITEM_MQADMIN
      Specifies that administration type resources are to be refreshed. Valid only if the value of SecurityType is MQSECTYPE_CLASSES.

      MQSECITEM_MQNLIST
      Specifies that namelist resources are to be refreshed. Valid only if the value of SecurityType is MQSECTYPE_CLASSES.

      MQSECITEM_MQPROC
      Specifies that process resources are to be refreshed. Valid only if the value of SecurityType is MQSECTYPE_CLASSES.

      MQSECITEM_MQQUEUE
      Specifies that queue resources are to be refreshed. Valid only if the value of SecurityType is MQSECTYPE_CLASSES.

      MQSECITEM_MXADMIN
      Specifies that administration type resources are to be refreshed. Valid only if the value of SecurityType is MQSECTYPE_CLASSES.

      MQSECITEM_MXNLIST
      Specifies that namelist resources are to be refreshed. Valid only if the value of SecurityType is MQSECTYPE_CLASSES.

      MQSECITEM_MXPROC
      Specifies that process resources are to be refreshed. Valid only if the value of SecurityType is MQSECTYPE_CLASSES.

      MQSECITEM_MXQUEUE
      Specifies that queue resources are to be refreshed. Valid only if the value of SecurityType is MQSECTYPE_CLASSES.

      MQSECITEM_MXTOPIC
      Specifies that topic resources are to be refreshed. Valid only if the value of SecurityType is MQSECTYPE_CLASSES.

    SecurityType (MQCFIN)
    Security type (parameter identifier: MQIACF_SECURITY_TYPE). Use this parameter to specify the type of security refresh to be performed. The value can be any of the following values:

      MQSECTYPE_AUTHSERV
      The list of authorizations held internally by the authorization services component is refreshed. MQSECTYPE_AUTHSERV is not valid on z/OS.

      MQSECTYPE_AUTHSERV is the default on platforms other than z/OS.

      MQSECTYPE_CLASSES
      Permits you to select specific resource classes for which to perform the security refresh.

      MQSECTYPE_CLASSES is valid only on z/OS where it is the default.

      MQSECTYPE_CONNAUTH

      Refreshes the cached view of the configuration for connection authentication.

      On Multiplatforms this is also a synonym for MQSECTYPE_AUTHSERV.

      MQSECTYPE_SSL
      MQSECTYPE_SSL refreshes the locations of the LDAP servers to be used for Certified Revocation Lists and the key repository. It also refreshes any cryptographic hardware parameters specified through IBM MQ and the cached view of the Secure Sockets Layer key repository. It also allows updates to become effective on successful completion of the command. MQSECTYPE_SSL updates all TLS channels currently running, as follows:

      • Sender, server, and cluster-sender channels using TLS are allowed to complete the current batch. In general, they then run the TLS handshake again with the refreshed view of the TLS key repository. However, we must manually restart a requester-server channel on which the server definition has no CONNAME parameter.
      • AMQP channels using TLS are restarted, with any currently connected clients being forcibly disconnected. The client receives an amqp:connection:forced AMQP error message.
      • All other channel types using TLS are stopped with a STOP CHANNEL MODE(FORCE) STATUS(INACTIVE) command. If the partner end of the stopped message channel has retry values defined, the channel tries again and the new TLS handshake uses the refreshed view of the contents of the TLS key repository, the location of the LDAP server to be used for Certification Revocation Lists, and the location of the key repository. If there is a server-connection channel, the client application loses its connection to the queue manager and must reconnect in order to continue.

Parent topic: Definitions of the Programmable Command Formats