Protection of database authentication details

If your are using user name and password authentication to connect to the database manager, we can store them in the MQ XA credentials store to avoid storing the password in plain text in the qm.ini file.


Update XAOpenString for the resource manager

To use the credentials store modify XAOpenString in the qm.ini file. The string is used to connect to the database manager. You specify replaceable fields to identify where the user name and password are substituted within the XAOpenString string.

  • The +USER+ field is replaced with the user name value stored in the XACredentials store.
  • The +PASSWORD+ field is replaced with the password value stored in the XACredentials store.

The following examples show how to modify an XAOpenString to use the credentials file to connect to the database.

    Connect to a Db2 database
    XAResourceManager:
  Name=mydb2
  SwitchFile=db2swit
  XAOpenString=db=mydbname,uid=+USER+,pwd=+PASSWORD+,toc=t
  ThreadOfControl=THREAD

    Connect to an Oracle database
    XAResourceManager:  
  Name=myoracle
  SwitchFile=oraswit
  XAOpenString=Oracle_XA+Acc=P/+USER+/+PASSWORD++SesTm=35
            +LogDir=/tmp+threads=true
  ThreadOfControl=THREAD


Work with the credentials for the database to the MQ XA credentials store

After you update the qm.ini file with the replaceable credential strings, we must add the user name and password to the MQ credentials store by using the setmqxacred command. We can also use setmqxacred to modify existing credentials, delete credentials, or list credentials. The following examples give some typical use cases:

    Adding credentials
    The following command securely saves the user name and password for the queue manager QM1 for the resource mqdb2. 
    setmqxacred -m QM1 -x mydb2 -u user1 -p Password2

    Updating credentials
    To update the user name and password used to connect to a database, re-issue the setmqxacred command with the new user-name and password: 
    setmqxacred -m QM1 -x mydb2 -u user3 -p Password4
    We must restart the queue manager for the changes to take effect.

    Delete credentials
    The following command deletes the credentials: 
    setmqxacred -m QM1 -x mydb2 -d

    Listing credentials
    The following command lists credentials: 
    setmqxacred -m QM1 -l

Parent topic: Securing IBM MQ


Related information