To add an additional level of security to WebSphere® MQ File Transfer Edition, you can restrict the area of a file system that an agent can access.
To enable agent sandboxing, add the following property to the agent.properties file for the agent you want to restrict:
sandboxRoot=[!]restricted_directory_name<separator>...<separator>[!]restricted_directory_name
where:
- restricted_directory_name is a directory path to be allowed or denied.
- ! is optional and specifies that the following value for restricted_directory_name is denied (excluded). If ! is not specified, restricted_directory_name is an allowed (included) path.
- <separator> is the platform-specific separator.
For example, if you want to restrict the access that AGENT1 has to the /tmp directory only, but not allow the subdirectory private to be accessed, set the property as follows in the agent.properties file belonging to AGENT1: sandboxRoot=/tmp:!/tmp/private.
The sandboxRoot property is described in Advanced agent properties.
You cannot use agent sandboxing for agents that transfer to or from WebSphere MQ queues. Restricting access to WebSphere MQ queues with sandboxing can be implemented instead by using user sandboxing, which is the recommended solution for any sandboxing requirements. For more information about user sandboxing, see Working with user sandboxes.
Neither agent sandboxing nor user sandboxing is supported on protocol bridge agents or on Connect:Direct® bridge agents.
Working in a sandbox on UNIX, Linux, and Windows platforms
On UNIX, Linux, and Windows platforms, sandboxing restricts which directories a WebSphere MQ File Transfer Edition agent can read from and write to. When sandboxing is activated, the WebSphere MQ File Transfer Edition agent can read and write to the directories specified as allowed, and any subdirectories that the specified directories contain unless the subdirectories are specified as denied in the sandboxRoot. WebSphere MQ File Transfer Edition sandboxing does not take precedence over operating system security. The user that started the WebSphere MQ File Transfer Edition agent must have the appropriate operating system level access to any directory to be able to read from or write to the directory. A symbolic link to a directory is not followed if the directory linked to is outside the specified sandboxRoot directories (and subdirectories).
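The allow and deny rules described above can be checked against a list of paths before an agent is deployed. The following is an added example, not IBM's implementation: the function names are hypothetical, and it assumes POSIX paths, that a denied entry overrides any allowed entry, and that a path must fall under at least one allowed entry.

```python
import os
import posixpath

def parse_sandbox_root(value, separator=":"):
    """Split a sandboxRoot value into (allowed, denied) lists of normalized paths."""
    allowed, denied = [], []
    for entry in value.split(separator):
        entry = entry.strip()
        if not entry:
            continue
        # A leading "!" marks the entry as denied (excluded).
        if entry.startswith("!"):
            denied.append(posixpath.normpath(entry[1:]))
        else:
            allowed.append(posixpath.normpath(entry))
    return allowed, denied

def _is_under(path, root):
    # True when path is root itself or lies below it. Matching on a trailing
    # "/" keeps a sibling such as /tmpfoo from being treated as part of /tmp.
    return path == root or path.startswith(root.rstrip("/") + "/")

def is_permitted(path, sandbox_root, separator=":", resolve_links=False):
    """Return True if path falls inside the sandbox (assumed semantics)."""
    allowed, denied = parse_sandbox_root(sandbox_root, separator)
    # Collapse "." and ".." so /tmp/public/../private is judged as /tmp/private.
    # With resolve_links=True, symbolic links are resolved on the local file
    # system first, so a link is judged by the directory it points to.
    candidate = os.path.realpath(path) if resolve_links else posixpath.normpath(path)
    if not posixpath.isabs(candidate):
        return False
    if any(_is_under(candidate, d) for d in denied):  # assumption: deny wins
        return False
    return any(_is_under(candidate, a) for a in allowed)

# Property value from the AGENT1 example; the paths below are constructed samples.
SANDBOX = "/tmp:!/tmp/private"
SAMPLES = ["/tmp/report.csv", "/tmp/private/key.pem",
           "/tmp/public/../private/key.pem", "/tmpfoo/data", "/etc/passwd"]

def audit(paths=SAMPLES, sandbox_root=SANDBOX):
    """Map each path to True (inside the sandbox) or False (rejected)."""
    return {p: is_permitted(p, sandbox_root) for p in paths}

if __name__ == "__main__":
    for p, ok in audit().items():
        print("ALLOW" if ok else "DENY ", p)
```

Pass the platform-specific separator as the `separator` argument when checking a property value written for another platform.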
Working in a sandbox on z/OS
On z/OS®, sandboxing restricts the data set name qualifiers that the WebSphere MQ File Transfer Edition agent can read from and write to. The user that started the WebSphere MQ File Transfer Edition agent must have the correct operating system authorities to any data sets involved. If you enclose a sandboxRoot data set name qualifier in double quotation marks, the value follows the normal z/OS convention and is treated as fully qualified. If you omit the double quotation marks, the sandboxRoot is prefixed with the current user ID. For example, if you set the sandboxRoot property to the following: sandboxRoot=//test, the agent can access the following data sets (in standard z/OS notation): //<username>.test.**
At run time, if the initial levels of the fully resolved data set name do not match the sandboxRoot, the transfer request is rejected.
Working in a sandbox on IBM i systems
For files in the integrated file system on IBM® i systems, sandboxing restricts which directories a WebSphere MQ File Transfer Edition agent can read from and write to. When sandboxing is activated, the WebSphere MQ File Transfer Edition agent can read and write to the directories specified as allowed, and any subdirectories that the specified directories contain unless the subdirectories are specified as denied in the sandboxRoot. WebSphere MQ File Transfer Edition sandboxing does not take precedence over operating system security. The user that started the WebSphere MQ File Transfer Edition agent must have the appropriate operating system level access to any directory to be able to read from or write to the directory. A symbolic link to a directory is not followed if the directory linked to is outside the specified sandboxRoot directories (and subdirectories).