fteObfuscate: encrypt sensitive data
The fteObfuscate command encrypts sensitive data in credentials files, so that the contents cannot be read by someone who gains access to the file. From IBM MQ Version 9.2 the command has been enhanced with a stronger encryption method.
Purpose
User name and password properties in credentials files can be obfuscated. Each such property is transformed into a new, related property with a Cipher suffix. For example:

  <!-- MQMFTCredentials properties before -->
  <tns:logger name="logger1" user="user1" password="passw0rd" />
  <tns:file path="$HOME/trust.jks" password="passw0rd" />

  <!-- MQMFTCredentials properties after -->
  <tns:logger name="logger1" userCipher="e71vKCg2pf" passwordCipher="se71vKCg" />
  <tns:file path="$HOME/trust.jks" passwordCipher="e71vKCg2pf" />

  <!-- ProtocolBridgeCredentials properties before -->
  <tns:user name="Fred" serverUserId="fred" serverPassword="passw0rd" />

  <!-- ProtocolBridgeCredentials properties after -->
  <tns:user name="Fred" serverUserIdCipher="e51vVCg2pf" serverPasswordCipher="se51vBCg" />

  <!-- ConnectDirectCredentials properties before -->
  <tns:user name="fteuser" ignorecase="true" pattern="wildcard" cdUserId="cdUser" cdPassword="cdPassword" pnodeUserId="pnodeUser" pnodePassword="pnodePassword">
    <tns:snode name="snode1" pattern="wildcard" userId="snodeUser" password="snodePassword"/>
  </tns:user>

  <!-- ConnectDirectCredentials properties after -->
  <tns:user name="fteuser" ignorecase="true" pattern="wildcard" cdUserIdCipher="e71vKCg2pf" cdPasswordCipher="se71vKCg" pnodeUserIdCipher="2f1vgCg6df" pnodePasswordCipher="e71vKCg2pf">
    <tns:snode name="snode1" pattern="wildcard" userIdCipher="e51vVCg2pf" passwordCipher="se51vBCg"/>
  </tns:user>

From IBM MQ Version 9.2 the preferred formats are:

- MFT

  <tns:qmgr mqPasswordCipher="mqmftcred!1!kvAzYv/1aCMfSQ5igkFVmQ==!f4rX5KL7aFKHJl7Ln0X+OQ==" mqUserIdCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g==" name="MFTQM" user="JOHNDOE"/>

- ProtocolBridgeCredentials

  <tns:agent name="agent3">
    <tns:serverHost name="ftpsServer" keyStorePasswordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz3VA==!Q40i2rRSEMGwrx6gnRFe8g==" trustStorePasswordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGKtz0VA==!Q40i2rRSEMGwrx6gnRFe8g==">
    </tns:serverHost>
  </tns:agent>

- ConnectDirectCredentials

  <tns:agent name="CDAGENT01">
    <tns:pnode name="cdnode*" pattern="wildcard">
      <tns:user name="MUSR_.*" ignorecase="true" pattern="regex"
                cdUserIdCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
                cdPasswordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
                pnodeUserIdCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
                pnodePasswordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g==">
        <tns:snode name="cdnode2" pattern="wildcard" userId="sue" passwordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="/>
      </tns:user>
    </tns:pnode>
  </tns:agent>
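The two value formats shown above (a short string for the deprecated method, and `mqmftcred!1!<base64>!<base64>` for the Version 9.2 method) make it easy to audit a credentials file before and after running fteObfuscate. The following script is an added example, not IBM's code and not a reimplementation of fteObfuscate's encryption: it only reports which credential attributes are still plaintext and which protection format each *Cipher attribute uses. The sample file is constructed from the page's examples, the namespace URI is assumed, and the list of plaintext attribute names is taken from the "before" examples on this page.

```python
"""Audit an MFT credentials XML file for unprotected or weakly protected credentials.

Added example (not IBM's code). It does not encrypt anything; it classifies each
credential attribute as 'plaintext', 'mode0' (deprecated short cipher form) or
'mode1' (the Version 9.2 mqmftcred!1!...!... form), so a reviewer can decide
whether fteObfuscate still needs to be run on the file.
"""
import re
import xml.etree.ElementTree as ET

# Plaintext credential attribute names taken from the "before" examples on the page
# (MQMFTCredentials, ProtocolBridgeCredentials and ConnectDirectCredentials files).
SENSITIVE_ATTRS = {
    "user", "password", "userId", "serverUserId", "serverPassword",
    "cdUserId", "cdPassword", "pnodeUserId", "pnodePassword",
    "keyStorePassword", "trustStorePassword",
}

# In the page's Version 9.2 MFT example the tns:qmgr element keeps user="JOHNDOE" in
# the clear next to mqUserIdCipher; it identifies the entry rather than being a secret.
NON_SECRET = {("qmgr", "user")}

# Version 9.2 protection format: mqmftcred!1!<base64>!<base64>
MODE1_RE = re.compile(r"^mqmftcred!1![A-Za-z0-9+/]+={0,2}![A-Za-z0-9+/]+={0,2}$")


def classify_cipher(value):
    """Return 'mode1' for the Version 9.2 format, 'mode0' for the deprecated short form."""
    return "mode1" if MODE1_RE.match(value) else "mode0"


def audit_credentials(xml_text):
    """Return a list of (element_tag, attribute, status) for every credential attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop the "{namespace}" prefix ElementTree adds
        for attr, value in elem.attrib.items():
            if attr.endswith("Cipher"):
                findings.append((tag, attr, classify_cipher(value)))
            elif attr in SENSITIVE_ATTRS and (tag, attr) not in NON_SECRET:
                findings.append((tag, attr, "plaintext"))
    return findings


def needs_reprotection(findings):
    """True if any credential is plaintext or still uses the deprecated mode 0 format."""
    return any(status != "mode1" for _, _, status in findings)


# Constructed sample: cipher values copied from the page's examples; the namespace URI
# is an assumption and only needs to be declared so the tns: prefix parses.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MQMFTCredentials">
  <tns:qmgr name="MFTQM" user="JOHNDOE"
            mqUserIdCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
            mqPasswordCipher="mqmftcred!1!kvAzYv/1aCMfSQ5igkFVmQ==!f4rX5KL7aFKHJl7Ln0X+OQ=="/>
  <tns:logger name="logger1" userCipher="e71vKCg2pf" passwordCipher="se71vKCg"/>
  <tns:file path="$HOME/trust.jks" password="passw0rd"/>
</tns:mqmftCredentials>
"""

if __name__ == "__main__":
    results = audit_credentials(SAMPLE)
    for tag, attr, status in results:
        print(f"{tag:8} {attr:20} {status}")
    if needs_reprotection(results):
        print("Credentials need (re)protection: run fteObfuscate with the default -sp 1.")
```

Running it against the constructed sample reports the qmgr ciphers as mode1, the logger ciphers as the deprecated mode0 form, and the file password as plaintext. Pointing it at a real file after `fteObfuscate -sp 1` has been run should produce only mode1 findings.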
Syntax from IBM MQ Version 9.2

  fteObfuscate -f credentials_file_name [-sp protection_mode] [-sf credentials_keyfile] [-o outputFileName]
Parameters
- -f credentials_file_name
- Required. Name of the credentials file whose contents are to be encrypted.
- -sp protection_mode
- Optional. The protection mode used to encrypt the credentials. The value can be:
- 0
- Use the deprecated credentials protection method.
- 1
- Default. Use the more secure credentials protection method.
- -sf credentials_keyfile
- Optional. The name of the file containing the credentials key. If this parameter is omitted, the command uses the default credentials key.
- -o outputFileName
- Optional. Name of the file to which the protected credentials are written. If this parameter is omitted, the input file is updated in place.
- -? or -h
- Optional. Displays command syntax.
Examples
To encrypt a password in the MQMFTCredentials.xml file using the old algorithm, and store it in the old format, issue the following command:

  fteObfuscate -f /usr/home/MQMFTCredentials.xml -sp 0

To encrypt a password in the MQMFTCredentials.xml file using the old algorithm, and store it in the new format, issue the following command:

  fteObfuscate -sf /var/mqmft/credKeyfile.key -sp 0 -f /usr/home/MQMFTCredentials.xml

To encrypt a password in the MQMFTCredentials.xml file using the new algorithm, and store it in the new format, issue the following command:

  fteObfuscate -sf /var/mqmft/credKeyfile.key -sp 1 -f /usr/home/MQMFTCredentials.xml

Note: You do not have to specify the level of protection if you are using the more secure version of the command, so the following command is identical to the previous command:

  fteObfuscate -sf /var/mqmft/credKeyfile.key -f /usr/home/MQMFTCredentials.xml

To encrypt a password in the MQMFTCredentials.xml file using the old algorithm, and store it in the old format, issue the following command:

  fteObfuscate -f /usr/home/MQMFTCredentials.xml

To encrypt a password in the ProtocolBridgeCredentials.xml file using the default protection (the new algorithm), and store it in the new format, issue the following command:

  fteObfuscate -sf /var/mqmft/credKeyfile.key -f /usr/home/ProtocolBridgeCredentials.xml

To encrypt credentials in the MQMFTCredentials.xml file and write the output to another file, this time specifying the default protection explicitly, issue the following command:

  fteObfuscate -sf /var/mqmft/credKeyfile.key -sp 1 -f /usr/home/MQMFTCredentials.xml -o /usr/home/enccred.xml
Use data sets on z/OS
Encrypt a data set and output it as an XML file:

  fteObfuscate -f "//test.creds(creds)" -o enc.xml

Encrypt a data set with the key specified in another data set member:

  fteObfuscate -f "//test.creds(creds)" -sf "//test.creds(key)"
Return codes
- 0
- Command completed successfully.
- 1
- Command ended unsuccessfully.