Mapping credentials for a file server by using the ProtocolBridgeCredentials.xml file
Map user credentials in Managed File Transfer to user credentials on the file server by using the default credential mapping function of the protocol bridge agent. Managed File Transfer provides an XML file that you can edit to include your credential information.
The ProtocolBridgeCredentials.xml file
must be manually created by the user. By default, the location of
this file is the home directory of the user who started the protocol
bridge agent, but this can be stored anywhere on the
file system accessible by the agent. To specify a different location,
add the <credentialsFile> element to the ProtocolBridgeProperties.xml file.
For example,
<tns:credentialsFile path="/example/path/to/ProtocolBridgeCredentials.xml"/>Before we can use a protocol bridge agent, set up credential mapping by editing this file to include host, user, and credential information. For more information and samples, see Protocol bridge credentials file format. When you create the ProtocolBridgeCredentials.xml file on a z/OS® platform using IBM® WebSphere MQ Version 7.5 or earlier, you must set a file tag before you edit the file. Run the following command to mark the file as having ASCII contents:
chtag -t -c ISO8859-1 ProtocolBridgeCredentials.xmlNote: On z/OS, we can store the protocol bridge credential file on a data set, where the name of the .xml file can be specified by the user.
Procedure
- Edit the line <tns:server name="server name"> to change
the value of the name attribute to the server name in the
ProtocolBridgeProperties.xml file.
Protocol bridge agents that are created for WebSphere MQ File Transfer Edition Version 7.0.4 and earlier do not have a ProtocolBridgeProperties.xml file (or related user exits), so for WebSphere MQ File Transfer Edition Version 7.0.4, Fix Pack 1 and later the server name is automatically assigned the server's host name. Therefore, if we use an updated ProtocolBridgeCredentials.xml file with <server> entries, a name corresponding to the server's host name will match.
We can use the pattern attribute to specify that we used a server name that contains wildcards or regular expressions. For example,<tns:server name="serverA*" pattern="wildcard">
- Edit the line <tns:server name="server name"> to change
the value of the name attribute to the server name in the
ProtocolBridgeProperties.xml file.
- Insert user ID and credential information into the file
as child elements of <tns:server>. You
can insert one or many of the following elements into the file:
- If the protocol file server is an FTP, FTPS, or SFTP server, we can use
passwords to authenticate the user requesting the transfer. Insert the following lines into the
file:
<tns:user name="FTE User ID" serverUserId="Server User ID" serverPassword="Server Password"> </tns:user>
Then change the value of the attributes.- name is a Java regular expression to match the MQMD user ID associated with the MFT transfer request
- serverUserId is the value that is passed to the protocol file server as the login user ID. If the serverUserId attribute is not specified, the MQMD user ID associated with the MFT transfer request is used instead
- serverPassword is the password that is associated with the serverUserId.
The name attribute can contain a Java regular expression. The credential mapper attempts to match the MQMD user ID of the MFT transfer request to this regular expression. The protocol bridge agent attempts to match the MQMD user ID to the regular expression in the name attribute of the <tns:user> elements in the order that the elements exist in the file. When a match is found the protocol bridge agent does not look for more matches. If a match is found, the corresponding serverUserId and serverPassword values are passed to the protocol file server as the login user ID and password. The MQMD user ID matches are case-sensitive.
- If the protocol file server is an SFTP server, we can use public and private keys to
authenticate the user requesting the transfer. Insert the following lines into the file and change
the value of the attributes. The <tns:user> element can contain one or many <tns:privateKey> elements.
<tns:user name="FTE User ID" serverUserId="Server User ID" hostKey="Host Key"> <tns:privateKey associationName="association" keyPassword="Private key password"> Private key file text </tns:privateKey> </tns:user>
- name is a Java regular expression to match the MQMD user ID associated with the MFT transfer request
- serverUserId is the value that is passed to the protocol file server as the login user ID. If the serverUserId attribute is not specified, the MQMD user ID associated with the MFT transfer request is used instead
- hostKey is the expected key that is returned from the server when logging on
- key is the private key of the serverUserId
- keyPassword is the password for the key to generate public keys
- associationName is a value that is used to identify for trace and logging purposes
For more information about using private keys with a protocol bridge agent, see Example: How to configure a protocol bridge agent to use private key credentials with a UNIX SFTP server.
When the transfer request is written to the command queue, the MQMD user ID might be converted to uppercase if the source agent command queue is on a z/OS or IBM i system. As a result the MQMD user ID for the same originating user might arrive at the credentials exit in the original case or converted to uppercase depending on the source agent that is specified in the transfer request. The default credential mapping exit performs case-sensitive matches against the supplied MQMD user ID, which you might need to allow for in the mapping file.
- If the protocol file server is an FTP, FTPS, or SFTP server, we can use
passwords to authenticate the user requesting the transfer. Insert the following lines into the
file: