MFT and IBM MQ connection authentication
Connection authentication allows a queue manager to be configured to authenticate applications by using a provided user ID and password. If the associated queue manager has security enabled, and requires credential details (user ID and password), the connection authentication feature must be enabled before a successful connection to a queue manager can be made. Connection authentication can be run in compatibility mode or MQCSP authentication mode.
Methods of supplying credential details
Many Managed File Transfer commands support the following methods of supplying credential details:
- Details supplied by command line arguments.
  The credential details can be specified by using the -mquserid and -mqpassword parameters. If -mqpassword is not supplied, the user is prompted for the password and the input is not displayed.
- Details supplied from a credentials file: MQMFTCredentials.xml.
  The credential details can be predefined in a MQMFTCredentials.xml file either as clear text or obfuscated text. The location of the MQMFTCredentials.xml file is defined by a property value:

| Category | Property File | Property Name |
| --- | --- | --- |
| Show/List commands | Coordination properties | coordinationQMgrAuthenticationCredentialsFile |
| Modify/create commands | Command properties | connectionQMgrAuthenticationCredentialsFile |
| Agent/clean agent | Agent properties | agentQMgrAuthenticationCredentialsFile |
| Logger | Logger properties | loggerQMgrAuthenticationCredentialsFile |

A qmgr entry defines a single pair of credentials and has the following format:
<tns:qmgr mquserid="MQ User ID" mqpassword="MQ Password" name="QMgr" user="user running command" />
The user attribute is optional and, if not present, the credentials apply to all users.
Precedence
The precedence for determining the credential details is:
1. Command line argument.
2. MQMFTCredentials.xml, indexed by associated queue manager and user running the command.
3. MQMFTCredentials.xml, indexed by associated queue manager.
4. Default backward compatibility mode, where no credential details are supplied, to allow compatibility with previous releases of IBM MQ or IBM WebSphere MQ.
Notes:
- The fteStartAgent and fteStartLogger commands do not support the command line arguments -mquserid or -mqpassword, and the credential details can only be specified with the MQMFTCredentials.xml file.
- On z/OS, the password must be uppercase, even if the user's password has lowercase letters. For example, if the user's password was "password", it would have to be entered as "PASSWORD".
- Configure MQMFTCredentials.xml
  If Managed File Transfer is configured with security enabled, connection authentication requires all Managed File Transfer commands that connect with a queue manager to supply user ID and password credentials. We can either apply the required parameters for each command, or define an MFT credentials file.
- Enable connection authentication for MFT
  Connection authentication of the IBM MQ Explorer MFT Plugin connecting with a coordination queue manager or command queue manager, and connection authentication for a Managed File Transfer agent connecting with a coordination queue manager or command queue manager can be run in compatibility mode or MQCSP authentication mode.