Protocol bridge credentials file format

The ProtocolBridgeCredentials.xml file in the Managed File Transfer Agent configuration directory defines the user names and credential information that the protocol bridge agent uses to authenticate itself to the protocol server.

The ProtocolBridgeCredentials.xml file must conform to the ProtocolBridgeCredentials.xsd schema. The ProtocolBridgeCredentials.xsd schema document is located in the MQ_INSTALLATION_PATH/mqft/samples/schema directory of the MQMFT installation. You must create the ProtocolBridgeCredentials.xml file manually; it is no longer created by the fteCreateBridgeAgent command. Sample files are available in the MQ_INSTALLATION_PATH/mqft/samples directory of the MQMFT installation. Because the file holds protocol server passwords and private keys, restrict read access to it to the user ID that runs the agent.

V7.5 introduced the <agent> element, which contains the <server> or <serverHost> elements for a named agent.

The agent reloads the ProtocolBridgeCredentials.xml file periodically, and any change that conforms to the schema takes effect on the next reload without restarting the agent. The default reload interval is 30 seconds; change it by setting the xmlConfigReloadInterval property in the agent.properties file.


Schema - V7.5 or later

The following schema describes which elements are valid in the ProtocolBridgeCredentials.xml file for V7.5 or later.

<schema targetNamespace="http://wmqfte.ibm.com/ProtocolBridgeCredentials" elementFormDefault="qualified" 
                xmlns="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://wmqfte.ibm.com/ProtocolBridgeCredentials">

    <!--
        <?xml version="1.0" encoding="UTF-8"?>
        <tns:credentials xmlns:tns="http://wmqfte.ibm.com/ProtocolBridgeCredentials"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:schemaLocation="http://wmqfte.ibm.com/ProtocolBridgeCredentials ProtocolBridgeCredentials.xsd">
          <tns:agent name="agent1">
            <tns:serverHost name="myserver">
              <tns:user name="fred" serverPassword="pwd" serverUserId="bill"/>
              <tns:user name="jane" serverUserId="june" hostKey="1F:2e:f3">
                <tns:privateKey associationName="test" keyPassword="pwd2">
                  .... private key ...
                </tns:privateKey>
              </tns:user>
            </tns:serverHost>
          </tns:agent>

          <tns:agent name="agent2">
            <tns:server name="server*" pattern="wildcard">
              <tns:user name="fred" serverPassword="pwd" serverUserId="bill"/>
              <tns:user name="jane" serverUserId="june" hostKey="1F:2e:f3">
                <tns:privateKey associationName="test" keyPassword="pwd2">
                  .... private key ...
                </tns:privateKey>
              </tns:user>
            </tns:server>
          </tns:agent>

          <tns:agent name="agent3">
            <tns:serverHost name="ftpsServer"
                            keyStorePassword="keypass"
                            trustStorePassword="trustpass">
              <tns:user name="fred" serverPassword="pwd" serverUserId="bill"/>
            </tns:serverHost>
          </tns:agent>

        </tns:credentials>
    -->
	
    <element name="credentials" type="tns:credentialsType"/>

    <complexType name="credentialsType">
    	<sequence>
    		<element name="agent" type="tns:agentType" minOccurs="0" maxOccurs="unbounded"/>
    	</sequence>	
    </complexType>	

    <complexType name="agentType">
    	<choice minOccurs="0" maxOccurs="1">
			<element name="serverHost" type="tns:serverHostType" minOccurs="0" maxOccurs="unbounded"/>
			<element name="server" type="tns:serverType" minOccurs="0" maxOccurs="unbounded"/>
		</choice>
		<attribute name="name" type="string" use="required"/>
    </complexType>

    <complexType name="serverHostType">
    	<sequence>
    		<element ref="tns:user" minOccurs="0" maxOccurs="unbounded"/>
    	</sequence>
    	<attribute name="name" type="string" use="required"/>
    	<attribute name="keyStorePassword" type="string" use="optional"/>
    	<attribute name="keyStorePasswordCipher" type="string" use="optional"/>
    	<attribute name="trustStorePassword" type="string" use="optional"/>
    	<attribute name="trustStorePasswordCipher" type="string" use="optional"/>
    </complexType>
    
    <complexType name="serverType">
    	<sequence>
    		<element ref="tns:user" minOccurs="0" maxOccurs="unbounded"/>
    	</sequence>
    	<attribute name="name" type="string" use="required"/>
    	<attribute name="pattern" type="tns:patternType" use="optional" />
    	<attribute name="keyStorePassword" type="string" use="optional"/>
    	<attribute name="keyStorePasswordCipher" type="string" use="optional"/>
    	<attribute name="trustStorePassword" type="string" use="optional"/>
    	<attribute name="trustStorePasswordCipher" type="string" use="optional"/>
    </complexType>
    
    <element name="user" type="tns:userType"/>

    <complexType name="userType">
    	<sequence>
    		<element ref="tns:privateKey" minOccurs="0" maxOccurs="unbounded"/>
    	</sequence>
    	<attribute name="name" type="string" use="required"/>
    	<attribute name="serverUserId" type="string" use="optional"/>
    	<attribute name="serverUserIdCipher" type="string" use="optional"/>
    	<attribute name="serverPassword" type="string" use="optional"/>
    	<attribute name="serverPasswordCipher" type="string" use="optional"/>
    	<attribute name="hostKey" use="optional">
    	    <simpleType>
    			<restriction base="string">
    				<pattern
    					value="([a-fA-F0-9]){2}(:([a-fA-F0-9]){2})*">
    				</pattern>
    			</restriction>
    		</simpleType>
    	</attribute>
    </complexType>

    <element name="privateKey" type="tns:privateKeyType"/>

    <complexType name="privateKeyType">    
    	<simpleContent>      
        	<extension base="string">
    			<attribute name="keyPassword" type="string" use="optional"/>
    			<attribute name="keyPasswordCipher" type="string" use="optional"/>
    			<attribute name="associationName" type="string" use="required"/>  
    		</extension>
    	</simpleContent>
    </complexType>
    
    <!--
		Determines the type of pattern matching to use.
	-->
	<simpleType name="patternType">
		<restriction base="string">
			<enumeration value="regex" />
			<enumeration value="wildcard" />
		</restriction>
	</simpleType>
</schema>


Schema - V7.0.4

The schema for V7.0.4.1 and later, and the schema for V7.0.4 and earlier, are available here: Protocol bridge credentials file format


Understanding the ProtocolBridgeCredentials.xml file

The elements and attributes used in the ProtocolBridgeCredentials.xml file are described in the following list.

    <credentials>
    Group element containing the elements that describe the credentials used by a protocol bridge agent to connect to a protocol server.

    <agent>
    Element containing the <server> or <serverHost> definitions for a named agent. Its name attribute is required and identifies the protocol bridge agent that the definitions apply to.

    <server>
    The protocol server that the protocol bridge connects to.

    The <server> element is not supported for V7.0.4 or earlier.

    Attributes:
        name
            The name of the protocol server, as defined in the ProtocolBridgeProperties.xml file.
        pattern
            How the name attribute is matched. Set it to wildcard if name contains wildcards, or regex if name is a regular expression. If name is a literal server name, omit the attribute.
        trustStorePassword or trustStorePasswordCipher
            Required when the <server> element refers to an FTPS server. The password used to access the truststore. If the value was obfuscated with the fteObfuscate command, use the Cipher form of the attribute.
        keyStorePassword or keyStorePasswordCipher
            Optional. The password used to access the keystore. If the value was obfuscated with the fteObfuscate command, use the Cipher form of the attribute.

    <serverHost>
    The host name of the protocol server that the protocol bridge connects to.

    The ProtocolBridgeCredentials.xml file can contain either <serverHost> elements or <server> elements, but not a mixture of the two; the schema enforces this within each <agent> element with a <choice>. When you use <serverHost>, the name is matched against the protocol server's host name. When you use <server>, the name is matched against the protocol server's name as defined in the ProtocolBridgeProperties.xml file.

    Attributes:
        name
            The host name or IP address of the protocol server.
        trustStorePassword or trustStorePasswordCipher
            Required when the <serverHost> element refers to an FTPS server. The password used to access the truststore. If the value was obfuscated with the fteObfuscate command, use the Cipher form of the attribute.
        keyStorePassword or keyStorePasswordCipher
            The password used to access the keystore. Optional unless the keyStore attribute is set, in which case it is required. If the value was obfuscated with the fteObfuscate command, use the Cipher form of the attribute.

    <user>
    A mapping from a Managed File Transfer user name to a protocol server user name.

    Attributes:
        name
            The user name that is used with Managed File Transfer.
        serverUserId or serverUserIdCipher
            The user name that is used with the protocol server. If the value was obfuscated with the fteObfuscate command, use the Cipher form of the attribute.
        serverPassword or serverPasswordCipher
            The password for the user name used on the protocol server. If the value was obfuscated with the fteObfuscate command, use the Cipher form of the attribute.
        hostKey
            The SSH host key fingerprint of the protocol server. The schema restricts the value to colon-separated hexadecimal byte pairs (for example, 1F:2e:f3 in the sample above).

    <privateKey>
    The private key of a user. The key material is the content of the element.

    Attributes:
        keyPassword or keyPasswordCipher
            The password for the private key. If the value was obfuscated with the fteObfuscate command, use the Cipher form of the attribute.
        associationName
            Required. A name used for trace and logging.
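The rules above (one kind of server element per <agent>, pattern limited to wildcard or regex, hostKey as colon-separated hex byte pairs, associationName required on <privateKey>, and a Cipher attribute wherever a password would otherwise sit in cleartext) can be checked before the agent picks the file up on its next reload. The following Python script is an added example written for this page, not IBM code, and it does not reproduce the agent's own matching logic: it lints a ProtocolBridgeCredentials.xml document against those rules and resolves which <user> mapping an agent would select for a given target. The sample document, the Cipher values, the key material, and the wildcard semantics (shell-style * and ?, first match wins) are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

NS = "http://wmqfte.ibm.com/ProtocolBridgeCredentials"
T = "{%s}" % NS  # Clark-notation prefix for ElementTree lookups

# Same restriction the schema places on the hostKey attribute.
HOSTKEY_RE = re.compile(r"([a-fA-F0-9]){2}(:([a-fA-F0-9]){2})*")
# Cleartext secret attribute -> the obfuscated form produced by fteObfuscate.
SECRET_PAIRS = {"serverPassword": "serverPasswordCipher", "keyPassword": "keyPasswordCipher",
                "keyStorePassword": "keyStorePasswordCipher", "trustStorePassword": "trustStorePasswordCipher"}

# Constructed sample document: the Cipher values are placeholders, not real
# fteObfuscate output, and the key material is a stand-in string.
SAMPLE = """<tns:credentials xmlns:tns="http://wmqfte.ibm.com/ProtocolBridgeCredentials">
  <tns:agent name="agent1">
    <tns:serverHost name="myserver">
      <tns:user name="fred" serverPassword="pwd" serverUserId="bill"/>
      <tns:user name="jane" serverUserId="june" hostKey="1F:2e:f3">
        <tns:privateKey associationName="test" keyPassword="pwd2">constructed-key-material</tns:privateKey>
      </tns:user>
    </tns:serverHost>
  </tns:agent>
  <tns:agent name="agent2">
    <tns:server name="sftp-*" pattern="wildcard">
      <tns:user name="fred" serverUserIdCipher="0a1b2c" serverPasswordCipher="3d4e5f"/>
    </tns:server>
  </tns:agent>
</tns:credentials>
"""


def _check_secrets(findings, where, elem):
    """Flag cleartext secrets, and plain/Cipher pairs set on the same element."""
    for plain, cipher in SECRET_PAIRS.items():
        has_plain, has_cipher = elem.get(plain) is not None, elem.get(cipher) is not None
        if has_plain and has_cipher:
            findings.append(f"{where}: both {plain} and {cipher} are set; keep only one")
        elif has_plain:
            findings.append(f"{where}: {plain} is cleartext; run fteObfuscate and use {cipher}")


def lint(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for agent in ET.fromstring(xml_text).findall(T + "agent"):
        aname = agent.get("name", "?")
        hosts, servers = agent.findall(T + "serverHost"), agent.findall(T + "server")
        if hosts and servers:
            findings.append(f"agent {aname}: mixes serverHost and server; the schema <choice> allows one kind")
        for srv in hosts + servers:
            where = f"agent {aname} {srv.tag[len(T):]} {srv.get('name', '?')}"
            pattern = srv.get("pattern")
            if pattern not in (None, "wildcard", "regex"):
                findings.append(f"{where}: pattern must be wildcard or regex, got {pattern!r}")
            _check_secrets(findings, where, srv)
            for user in srv.findall(T + "user"):
                uwhere = f"{where} user {user.get('name', '?')}"
                host_key = user.get("hostKey")
                if host_key is not None and not HOSTKEY_RE.fullmatch(host_key):
                    findings.append(f"{uwhere}: hostKey {host_key!r} is not colon-separated hex byte pairs")
                _check_secrets(findings, uwhere, user)
                for key in user.findall(T + "privateKey"):
                    if key.get("associationName") is None:
                        findings.append(f"{uwhere}: privateKey without required associationName")
                    _check_secrets(findings, f"{uwhere} privateKey", key)
    return findings


def resolve_user(xml_text, agent_name, target, mft_user):
    """Return the attributes of the <user> that agent_name would apply when mft_user
    transfers to target, or None. serverHost names match target literally; server
    names match by their pattern attribute. Assumption, not from the product
    documentation: wildcard means shell-style * and ?, and the first match wins."""
    for agent in ET.fromstring(xml_text).findall(T + "agent"):
        if agent.get("name") != agent_name:
            continue
        for srv in agent.findall(T + "serverHost") + agent.findall(T + "server"):
            name, pattern = srv.get("name", ""), srv.get("pattern")
            if pattern == "wildcard":
                matched = fnmatchcase(target, name)
            elif pattern == "regex":
                matched = re.fullmatch(name, target) is not None
            else:
                matched = target == name
            if matched:
                for user in srv.findall(T + "user"):
                    if user.get("name") == mft_user:
                        return dict(user.attrib)
    return None


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
    print(resolve_user(SAMPLE, "agent2", "sftp-prod-01", "fred"))
```

Run against the sample, lint reports the two cleartext secrets (fred's serverPassword and jane's keyPassword) and nothing for agent2, which uses only Cipher attributes; resolve_user shows that "sftp-prod-01" falls under agent2's wildcard server while "myserver" is matched literally as a serverHost. Because the agent reloads the file on its own schedule, running a check like this before saving is the only point at which a malformed or cleartext entry can be caught before it takes effect.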