MQIPT global properties
The mqipt.conf configuration file can contain a number of global properties.
The following properties can appear only in the [global] section of mqipt.conf. All the route properties except ListenerPort, Destination, DestinationPort, Name, and OutgoingPort can also appear in the [global] section. If a property appears in both a [route] section and the [global] section, the value in the [route] section overrides the global value, but only for the route in question. In this way, the [global] section can be used to establish default values for properties that are not set in the individual [route] sections.
- AccessPW
- The password used to authenticate commands sent to the MQIPT command port using the mqiptAdmin command.
- CommandPort
- The TCP/IP port number of the unsecured command port. MQIPT accepts administrative commands that are sent by the mqiptAdmin command to this command port.
- CommandPortListenerAddress
- The local listener address to be used by the unsecured command port. By setting the local listener address we can restrict inbound connections to the unsecured command port to those from a particular network interface. The default is to listen on all network interfaces.
- ConnectionLog
- Either true or false. When true, MQIPT logs all connection attempts (successful or otherwise) and disconnection events to the file mqiptYYYYMMDDHHmmSS.log in the logs subdirectory (where YYYYMMDDHHmmSS are characters representing the current date and time). The default value of ConnectionLog is true. When this property is changed from true to false, MQIPT closes the existing connection log and creates a new one. The new log is used when the property is reset to true.
- EnableAdvancedCapabilities
- Set this property to true to confirm that advanced capabilities that require IBM MQ Advanced, IBM MQ Appliance or IBM MQ Advanced for z/OS VUE entitlement can be used by MQIPT. If we have appropriate entitlement we can use the advanced capabilities in MQIPT. If advanced capabilities are enabled on a route, the local queue manager that is connected using the MQIPT route is also required to have IBM MQ Advanced, IBM MQ Appliance or IBM MQ Advanced for z/OS VUE entitlement. Routes that use advanced capabilities cannot start unless this property is set to true. When this property is changed from true to false, routes that use advanced capabilities are stopped.
- LocalAdmin
- Specifies whether local administration without a command port is permitted. Administrative commands sent by the mqiptAdmin command using local administration instead of the command port are not accepted if this property is set to false.
- MaxLogFileSize
- The maximum size (specified in KB) of the connection log file. When the file size increases above this maximum a backup copy (mqipt001.log) is made, and a new file is started. Only two backup files are kept (mqipt001.log and mqipt002.log); each time the main log file fills up, any earlier backups are erased. The default value of MaxLogFileSize is 50; the minimum allowed value is 5.
- RemoteCommandAuthentication
- Specifies whether administrative commands received by the unsecured command port or TLS command port should be authenticated. Commands are authenticated by checking that the password supplied matches the password specified in the AccessPW property. The value can be one of the following values:
  - none
  - No authentication is performed on commands issued to either of the command ports. Users of the mqiptAdmin command do not need to enter a password. This is the default value.
  - optional
  - Users of the mqiptAdmin command are not required to provide a password. However, if a password is provided it must be valid.
  - required
  - Users of the mqiptAdmin command are required to provide a valid password with every command issued to the command ports.
- RemoteShutDown
- Specifies whether MQIPT can be shut down by a stop command sent to the unsecured command port or the TLS command port by the mqiptAdmin command. This property must be set to true for stop commands received by either of the command ports to be processed.
- SecurityManager
- Set this property to true to enable the Java Security Manager for this instance of MQIPT. We must ensure that the correct permissions are granted. See Java Security Manager for more information. The default value for this property is false.
- SecurityManagerPolicy
- The fully-qualified file name of a policy file. If this property is not set then only the default system and user policy files are used. If the Java Security Manager is already enabled, then changes to this property have no effect until the Java Security Manager has been disabled and re-enabled.
- SSLCommandPort
- The TCP/IP port number of the TLS command port. MQIPT accepts administrative commands that are sent by the mqiptAdmin command to this command port. This port only accepts TLS connections. This property must be specified in order to enable the TLS command port.
- SSLCommandPortCipherSuites
- The names of the cipher suites to enable on the TLS command port. More than one cipher suite can be specified by separating the values with commas. Only TLS 1.2 cipher suites that are enabled by default in the Java runtime environment (JRE) supplied with MQIPT can be specified. If this property is not specified, all cipher suites that are enabled in the JRE are enabled on the TLS command port.
- SSLCommandPortListenerAddress
- The local listener address to be used by the TLS command port. By setting the local listener address we can restrict inbound connections to the TLS command port to those from a particular network interface. The default is to listen on all network interfaces.
- SSLCommandPortKeyRing
- The name of the PKCS#12 key ring file that contains the TLS command port server certificate.
- SSLCommandPortKeyRingPW
- The encrypted password to access the TLS command port key ring file or the PKCS #11 key store. The password must be encrypted using the mqiptPW command, and the value of this property set to the string output by mqiptPW.
- SSLCommandPortKeyRingUseCryptoHardware
- Specifies whether cryptographic hardware that supports the PKCS #11 interface is used as the key store for the TLS command port server certificate. Valid values for this property are true and false. If this property is set to true, the SSLCommandPortKeyRing cannot also be specified.
- SSLCommandPortProtocols
- A comma-separated list of protocols to enable on the TLS command port. The only value that can be specified is TLSv1.2.
- SSLCommandPortSiteLabel
- The label name of the server certificate used by the TLS command port. If this property is not specified, any certificate in the TLS command port key store that is compatible with the cipher suite is selected.
- Trace
- The level of trace for global MQIPT threads that are not associated with a route, and for routes that have no Trace property set. For example, the main MQIPT control thread and the command server threads are not associated with a route and are only traced if trace is enabled in the [global] section. The value of the Trace property in a [route] section overrides the global Trace property, for that route. For information about tracing threads associated with a route, see Trace in the [route] section. This property should be an integer in the range 0 - 5, where 0 indicates that trace is disabled, and any other value indicates that trace is enabled. The default value is 0.
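As an added example (not IBM's code and not part of the original page), the following Python script audits the [global] section for the command-port, logging and placement rules described above. It assumes mqipt.conf uses Name=value lines with # comments; the sample file and the names parse_global and audit_global are constructed for illustration.

```python
ROUTE_ONLY = {"ListenerPort", "Destination", "DestinationPort", "Name", "OutgoingPort"}

# Constructed, trimmed sample; not taken from a real deployment.
SAMPLE_CONF = """\
[global]
CommandPort=1881
SSLCommandPort=1882
SSLCommandPortListenerAddress=127.0.0.1
RemoteShutDown=true
ConnectionLog=false
Name=edge

[route]
ListenerPort=1415
Destination=qm1.example.internal
DestinationPort=1414
"""

def parse_global(text):
    """Return the Name=value pairs of the [global] section only."""
    props, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_global(text):
    """List [global] settings that leave the command ports or logging weak."""
    g = parse_global(text)
    auth = g.get("RemoteCommandAuthentication", "none").lower()  # documented default: none
    ports = [p for p in ("CommandPort", "SSLCommandPort") if p in g]
    findings = []
    for p in ports:
        if p + "ListenerAddress" not in g:  # documented default: all interfaces
            findings.append(f"{p}: no {p}ListenerAddress, listens on all network interfaces")
    if ports and auth != "required":
        findings.append(f"RemoteCommandAuthentication={auth}: commands accepted without a password")
        if g.get("RemoteShutDown", "").lower() == "true":
            findings.append("RemoteShutDown=true: stop commands processed without a required password")
    if g.get("ConnectionLog", "true").lower() == "false":
        findings.append("ConnectionLog=false: connection attempts are not logged")
    findings += [f"{k}: route-only property in [global]" for k in sorted(ROUTE_ONLY & g.keys())]
    return findings
```

Calling audit_global(SAMPLE_CONF) returns five findings; a [global] section that binds the command port to one interface and sets RemoteCommandAuthentication=required returns none.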