runmqccred (obfuscate passwords for mqccred exit)

Obfuscate passwords in the .ini file used by the mqccred security exit.


Purpose

Use the runmqccred command to process the mqccred exit .ini file and change all plain text passwords into an obfuscated form. Run this command before using the .ini file with the exit, to ensure that the exit runs successfully.


Syntax

runmqccred -f -p


Optional Parameters

    -f
    Specify a specific file to edit, other than the default file.

    By default, the program locates the .ini file in the same way as the channel exit.

    -p
    By default, the program fails with an error if the file mode allows other users to access the file you are editing.
    Use the -p flag to continue processing even when the error appears.

    This might be necessary in situations where you might, for example, have mounted a UNIX filesystem onto your Windows machine using NFS, or some other protocol, and are trying to use the .ini file from there (perhaps to share the same .ini file across multiple accounts).

    Since NFS does not support Windows NTFS Access Control Lists, the exit would fail unless you bypass the permissions check.


Usage notes

The runmqccred program locates the .ini file in the same way as the channel exit. The program also writes console messages saying which file is being modified, and any success or failure status.

Note that the channel exit can work with either Password or OPW attributes, but the expectation is that you will protect passwords.

Important: The runmqccred program works only from IBM MQ Version 8.0 or later. You must run the program on a Version 8.0 or later system and then transfer the output .ini file manually to a system running a previous version if you want to use clients there.

By default, the exit only works when there are no plain text passwords in the file. You can override this by using the NOCHECKS SCYDATA option.

The runmqccred program also checks that the .ini file does not have excessive permissions set that allow other users to access it. By default, the program fails with an error if the file mode allows others to access it. Use the -p flag to continue processing even when the error appears.

The runmqccred program is installed in the following folder:

    Windows platforms
    MQ_INSTALLATION_PATH\Tools\c\Samples\mqccred\

    UNIX
    MQ_INSTALLATION_PATH/usr/mqm/samp/mqccred/

If the file permissions are not secure enough, runmqccred produces this message:

    Configuration file 'C:\Users\User1\.mqs\mqccred.ini' is not secure.
    Other users may be able to read it. No changes have been made to the file.
    Use the -p option for runmqccred to bypass this error.

You can bypass this error with the -p flag, but the exit will fail to run when put into production if the file permissions have not been fixed.

When runmqccred runs successfully, it reports how many passwords have been obfuscated:

    File 'C:\Users\User1\.mqs\mqccred.in' processed successfully.
    Plaintext passwords found: 3
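
A pre-flight check for UNIX systems that tests the two conditions described above (file mode and remaining plain text passwords) before the .ini file is deployed. This is an added example, not IBM code. It assumes attribute lines of the form Password=value and treats any group or other permission bit as "other users can access the file"; the function names and sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): audit an mqccred .ini file before deployment.

# Succeeds only when no group/other permission bit is set (e.g. mode 600).
# Assumption: this approximates the "other users may be able to read it" check.
ini_mode_is_private() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Prints the number of attribute lines that still hold a plain text Password.
# OPW (obfuscated) lines are not counted. Key match is case-insensitive.
count_plaintext_passwords() {
    grep -ci '^[[:space:]]*password[[:space:]]*=' -- "$1" || true
}

# Returns 0 when the file is safe to use with the exit under default checks,
# 1 when a finding is reported, 2 when the file is missing.
preflight_mqccred_ini() {
    f=$1
    [ -f "$f" ] || { echo "MISSING: $f"; return 2; }
    rc=0
    if ! ini_mode_is_private "$f"; then
        echo "INSECURE MODE: $f is accessible to group/other;" \
             "tighten it (chmod 600) instead of relying on -p"
        rc=1
    fi
    n=$(count_plaintext_passwords "$f")
    if [ "$n" -gt 0 ]; then
        echo "PLAINTEXT: $n Password attribute(s) in $f; run runmqccred"
        rc=1
    fi
    return $rc
}

# Demo on a constructed sample file (values are placeholders).
demo_dir=$(mktemp -d)
demo_ini="$demo_dir/mqccred.ini"
printf '%s\n' 'User=app1' 'Password=example-only' > "$demo_ini"
chmod 644 "$demo_ini"
preflight_mqccred_ini "$demo_ini" || echo "preflight reported findings"
rm -rf "$demo_dir"
```
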