runmqccred (obfuscate passwords for mqccred exit)
Obfuscate passwords in the .ini file used by the mqccred security exit.
Purpose
Use the runmqccred command to process the mqccred exit .ini file to change all plain text passwords into an obfuscated form. This command should be run before using the .ini with the exit to ensure the exit runs successfully.
Syntax
Optional Parameters
- -f
- Specify a specific file to edit, other than the default file.
By default, the program locates the .ini file in the same way as the channel exit.
- -p
- By default the program fails with an error, if the filemode enables others to access the file you edited.
Usage notes
The runmqccred program locates the ini file in the same way as the channel exit. The program also writes console messages saying which file is being modified, and any success or failure status.
Note that the channel exit can work with either Password or OPW attributes, but the expectation is that we will protect passwords.
Important: The runmqccred program works only from IBM MQ Version 8.0 or later. We must run the program on a Version 8.0 or later system and then transfer the output .ini file manually to a system running a previous version if we want to use clients there.By default the exit only works when there are no plain text passwords in the file. We can override this by using the NOCHECKS SCYDATA option.
The runmqccred program also checks that the .ini file does not have excessive permissions set that allow other users to access it. By default the program fails with an error if the filemode enables others to access it. Use the -p flag to continue processing even when the error appears.
The runmqccred program is installed in the following folder:
- Windows platforms
- The MQ_INSTALLATION_PATH\Tools\c\Samples\mqccred\
- UNIX
- The MQ_INSTALLATION_PATH/usr/mqm/samp/mqccred/
If the file permissions are not secure enough runmqccred produces this message:
Configuration file 'C:\Users\User1\.mqs\mqccred.ini' is not secure. Other users may be able to read it. No changes have been made to the file. Use the -p option for runmqccred to bypass this error.We can bypass this issue with the -p flag, but the exit will fail to run when put into production if you have not resolved this issue. When runmqccred runs successfully it informs you how many passwords have been obfuscated.
File 'C:\Users\User1\.mqs\mqccred.in' processed successfully. Plaintext passwords found: 3Parent topic: IBM MQ control commands reference