Securing Managed File Transfer
Directly after installation and with no modification, Managed File Transfer has a level of security that might be suitable for test or evaluation purposes in a protected environment. However, in a production environment, we must consider appropriately controlling who can start file transfer operations, who can read and write the files being transferred, and how to protect the integrity of files.
- Improvements to Managed File Transfer security from IBM MQ Version 9.2
  Managed File Transfer (MFT) requires several user IDs and credentials, which are stored in two XML files, and we can obfuscate these by using the fteObfuscate command. This command has been enhanced to improve the protection of the stored credentials.
- MFT and IBM MQ connection authentication
  Connection authentication allows a queue manager to be configured to authenticate applications by using a provided user ID and password. If the associated queue manager has security enabled and requires credential details (user ID and password), the connection authentication feature must be enabled before a successful connection to the queue manager can be made. Connection authentication can be run in compatibility mode or in MQCSP authentication mode.
- MFT sandboxes
  We can restrict the area of the file system that the agent can access as part of a transfer. The area that the agent is restricted to is called the sandbox. We can apply restrictions either to the agent or to the user that requests a transfer.
- Configure SSL or TLS encryption for MFT
  Use SSL or TLS with IBM MQ and Managed File Transfer to prevent unauthorized connections between agents and queue managers, and to encrypt message traffic between agents and queue managers.
- Connect to a queue manager in client mode with channel authentication
  IBM WebSphere MQ Version 7.1 introduced channel authentication records to control access more precisely at the channel level. As a result of this change in behavior, newly created IBM WebSphere MQ Version 7.1 or later queue managers by default reject client connections from the Managed File Transfer component.
- Configure SSL or TLS between the Connect:Direct bridge agent and the Connect:Direct node
  Configure the Connect:Direct bridge agent and the Connect:Direct node to connect to each other through the SSL protocol by creating a keystore and a truststore, and by setting properties in the Connect:Direct bridge agent properties file.
Parent topic: Securing IBM MQ
Related information
- Restricting group authorities for MFT-specific resources
- Manage authorities for MFT-specific resources
- Authorities for MFT to access file systems
- commandPath MFT property
- Authority to publish MFT Agents log and status messages