Specify the password encryption key
From Version 9.1.5, if the MQIPT configuration contains passwords that are encrypted using an encryption key other than the default key, we must provide the password encryption key in a file that MQIPT can read when it starts.
The password encryption key file
Passwords that are encrypted to be stored and used by MQIPT can be encrypted using an encryption key that you provide. If we do not provide an encryption key, the default encryption key is used. You do not have to specify a password encryption key, however it is more secure to do so. If we do not specify your own encryption key, the default encryption key is used.
If you provide a password encryption key, it must be stored in a file that can be accessed by the mqiptPW command used to encrypt passwords and MQIPT. The only restrictions on the contents of the file are that it must contain at least one character, and only one line of text.Note: We must ensure that appropriate file permissions are set on the password encryption key file to prevent any unauthorized users from reading the encryption key. Only the user that runs the mqiptPW command and the user under which MQIPT runs need authority to read the password encryption key.The same password encryption key is used to encrypt and decrypt all stored passwords for an instance of MQIPT. Therefore, we need only a single password encryption key file for each MQIPT installation.
If the password encryption key for an MQIPT installation is changed, all encrypted passwords must be re-encrypted using the new encryption key.
Starting MQIPT
The default name of the password encryption key file is MQIPT_HOME_DIR/mqipt_cred.key, where MQIPT_HOME_DIR is the directory where the mqipt.conf configuration file is stored. If we are planning to run MQIPT as a service that is automatically started, we must create the password encryption key file with the default name.
If the password encryption key file is created with a name other than the default name, the name of the file must be provided to MQIPT when it is started. The name of the password encryption key file can be specified using any of the following methods, in order of preference:- the -sf parameter on the mqipt command used to start MQIPT.
- the MQS_MQIPTCRED_KEYFILE environment variable.
- the com.ibm.mq.ipt.cred.keyfile Java property.
If no password encryption key file name is provided, the default file name will be used, if the file exists. If the default password encryption key file does not exist, the default password encryption key is used.
Parent topic: Start and stop MQIPT