+

Search Tips | Advanced Search

Protecting passwords in IBM MQ component configuration files

In order to use certain features of IBM MQ, passwords might have to be supplied either directly into IBM MQ or inside configurations files read by that feature. From Version 9.2.0, a new password protection system is being implemented to allow the protection of passwords within these configuration files.

We should protect passwords in configuration files. The following list explains the common terminology used for each component described:

    Initial key
    The encryption key you provide for use in the encryption process.
    For each of the components listed, we can supply an initial key file that contains an encryption key to use, when protecting or reading passwords stored in the configuration file of that component.
    The file must contain a single line of at least one character.
    There is no limit or requirement on the length of the encryption key, however, your key file should contain at least 16 characters. For example, your file could contain the following:
    Th1sIs@n3Ncypt|onK$y
    In addition, the initial key file you provide should:

    • Contain a unique encryption key
    • Be adequately protected using the operating system permissions.

    Default initial key
    The default encryption key used, if we do not supply an initial key when encrypting data. However, we should not use the default initial key.

    Plain text string
    The string that is encrypted, commonly a password

    Encoded password
    A string that contains the encrypted password in a format understood by IBM MQ.Important: Encoded password strings that you have generated for use with one component cannot be copied to the configuration file of another component for use. Each password for each component must be protected using the component specific utility.

Details of how to protect passwords for each component of IBM MQ that supports password protection are listed in the following sections:


Advanced Message Security - Java

Advanced Message Security (AMS) Java clients require access to a keystore which contains private keys in order to protect message.

In order to access the keystores, the password for that keystore must be provided in the AMS configuration file called a keystore.conf. Use the runamscred command to protect the sensitive information contained in the keystore.conf file. For example:
runamscred -f <keystore configuration file>
The runamscred command protects sensitive parameters within the file specified, using the -f flag. Attention:
  1. runamscred can only protect information intended for use with the JKS and JCEKS prefixes.
  2. We should verify that all the necessary sensitive information has been protected after running runamscred.
  3. We can supply the protected file as normal to AMS enabled applications.

To override or provide the initial key file to use during runtime of AMS applications, or when protecting a keystore configuration file using runamscred, use one of the following four mechanisms. In order of priority, these are the:

  1. -sf parameter (runamscred only)
  2. MQS_AMSCRED_KEYFILE environment variable
  3. amscred.keyfile parameter in the configuration file
  4. Default initial key file if none of the above options is specified.

    We should not use this last option.

Prior to IBM MQ Version 9.2 a different password protection system was used to protect passwords in AMS Java configuration files.

By default, the runamscred program protects passwords using the new system. This means new configuration files are not compatible with older versions of AMS Java. To protect configuration files with the old password protection system, use the -sp 0 flag.


Managed File Transfer

Managed File Transfer (MFT) stores credentials required to access queue managers or other resources in several XML property files:

  • MQMFTCredentials.xml - Credentials for connecting to agent, coordination and command queue managers and passwords for connecting to keystores for secure communications.
  • ProtocolBridgeCredentials.xml - Credentials for connecting to Protocol Servers, such as FTP/SFTP/FTPS.
  • ConnectDirectCredentials.xml - Credentials for Connect:Direct agent to connect to a Connect:Direct node.

See Improvements to Managed File Transfer security from IBM MQ Version 9.2 for more information. To protect sensitive information stored in these files, use the fteObfuscate command within the file specified, using the -f flag. For example:

fteObfuscate -f <File to protect>
To provide an initial key file to use during the protection of our MFT configurations, use the -sf flag:
fteObfuscate -f <File to protect> -sf <initial key file>
If we do not provide an initial key, a default key is used to protect the sensitive information, although we should not use this option. Attention:
  1. We should verify that all the necessary sensitive information has been protected after running fteObfuscate.
  2. We can supply the protected file as normal to MFT.

At runtime, provide the initial key file to use through the following three mechanisms. In order of priority, these are:

  1. Use JVM property com.ibm.wqmfte.cred.keyfile.
  2. In the agent, logger, command,s and coordination property files.
  3. In the installation.properties file.

Prior to IBM MQ Version 9.2, a different credential protection system was used to protect credentials in the MFT configuration files.

By default, fteObfuscate protects credentials using the new system; this means configuration files are not compatible with older versions of MFT.

To protect configuration files with the old credentials protection system, use the -sp 0 flag.


IBM MQ Internet Pass-Thru

IBM MQ Internet Pass-Thru (MQIPT) configuration files can contain passwords for keystores, which are required for supporting secure communications.

We can protect these passwords using the mqiptPW command supplied with MQIPT.
mqiptPW
To protect a password with a specific initial key, supply the -sf flag:
mqiptPW -sf <intial keyfile>

See Specify the password encryption key for more information.

If we do not provide an initial key, a default key is used to protect the sensitive information, although we should not use this option.

mqiptPW prompts you to securely enter a password to protect, and returns a string that needs to be copied into the MQIPT configuration file.

At runtime, provide the initial key file to use through the following four mechanisms. In order of priority, these are:
  1. Through the -sf parameter when starting MQIPT.
  2. In the MQS_MQIPTCRED_KEYFILE environment variable.
  3. In the com.ibm.mq.ipt.cred.keyfile Java property.
  4. In a file named mqipt_cred.key in the MQIPT home directory, that is the directory that contains the MQIPT configuration and log files, and others.

Prior to IBM MQ Version 9.2, a different credential protection system was used to protect credentials in the MQIPT configuration files.

By default, mqiptPW protects credentials using the new system; this means configuration files are not compatible with older versions of MQIPT.

To protect configuration files with the old credentials protection system, use the -sp 0 flag.


IBM MQ Bridge to blockchain

Bridge to blockchain configurations are stored in files that can be generated with the runmqbcb command. While running this command we are asked to securely provide passwords and a location of an initial key file to use.

To override what initial key file to use during runtime or configuration mode use the -sf flag. For example, to generate a configuration with a specific initial key file:
runmqbcb -o <output file> -sf <initial key file>
Or to use a specific initial key file during runtime:
runmqbcb -f <config file> -sf <initial key file>

Prior to IBM MQ Version 9.2, a different credential protection system was used to protect credentials in the Bridge to blockchain configuration files.

By default, runmqbcb protects credentials using the new system; this means configuration files are not compatible with older versions of the Bridge to blockchain.

To protect configuration files with the old credentials protection system, use the -sp 0 flag.


IBM MQ Bridge to Salesforce

Bridge to Salesforce configurations are stored in files that can be generated with the runmqsfb command. While running this command we are asked to securely provide passwords and a location of an initial key file to use.

To override what initial key file to use during runtime or configuration mode use the -sf flag. For example, to generate a configuration with a specific initial key file:
runmqsfb -o <output file> -sf <initial key file>
Or to use a specific initial key file during runtime:
runmqsfb -f <config file> -sf <initial key file>

Prior to IBM MQ Version 9.2, a different credential protection system was used to protect credentials in the Bridge to Salesforce configuration files.

By default, runmqfsb protects credentials using the new system; this means configuration files are not compatible with older versions of the Bridge to Salesforce.

To protect configuration files with the old credentials protection system, use the -sp 0 flag.

Parent topic: Security overview

Last updated: 2020-10-04