Create an MFT credentials file

We can use an MFT credentials file for storing user ID and password information, for connection to IBM MQ and to Db2, and have a credentials file for each agent.

If we have a credentials file for each agent, we can limit by agent which users can access the credentials file.

The MFT credentials file by default is in the user home directory.

<?xml version="1.0" encoding="IBM-1047"?>
<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MFTCredentials"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://wmqfte.ibm.com/MFTCredentials MFTCredentials.xsd">
<!--      name="MQPH" user="ADMIN" mqUserId="JOHNDOEH" -->

<tns:qmgr name="MQPH" user="ADMIN" mqUserId="JOHNDOEH" mqPassword="cXXXX" />
<!--      name="MQPI" user="ADMIN" mqUserId="JOHNDOE1 -->

<tns:qmgr name="MQPI" user="ADMIN" mqUserId="JOHNDOEI" mqPassword="yXXXX" />
<tns:qmgr name="MQPH"       mqUserId="NONEH" mqPassword="yXXXX" />
<tns:qmgr name="MQPI"       mqUserId="NONEI" mqPassword="yXXXX" />
</tns:mqmftCredentials>

When a job with userid ADMIN needs to connect to queue manager MQPH, it passes user ID JOHNDOEH and uses password cXXXX.

If the job is run by any other user ID, and connects MQPH, that job passes user ID NONEH and password yXXXX.

We can protect this file using a security product, for example, RACF, but the user IDs running the Managed File Transfer commands need read access to this file.

<tns:qmgr name="MQPI" user="JOHNDOE2" mqUserId="JOHNDOE1" mqPassword="yXXXX" />

<tns:qmgr mqPasswordCipher="e977c61e9b9c363c" mqUserIdCipher="c394c5887867157c"
name="MQPI" user="JOHNDOE2"/>

<!--      name="MQPI" user="ADMIN"    mqUserId="JOHNDOE1 -->

These comments are unchanged by the obscuring process.

Note that the content is obscured, not strongly encrypted. We should limit which user IDs have access to the file.

Related concepts

• The MFT credentials file