Creating an MFT credentials file
We can use an MFT credentials file for storing user ID and password information, for connection to IBM MQ and to Db2®, and have a credentials file for each agent.
If we have a credentials file for each agent, we can limit by agent which users can access the credentials file.
The MFT credentials file by default is in the user home directory.
An example of the code you require:<?xml version="1.0" encoding="IBM-1047"?> <tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MFTCredentials" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://wmqfte.ibm.com/MFTCredentials MFTCredentials.xsd"> <!-- name="MQPH" user="ADMIN" mqUserId="JOHNDOEH" --> <tns:qmgr name="MQPH" user="ADMIN" mqUserId="JOHNDOEH" mqPassword="cXXXX" /> <!-- name="MQPI" user="ADMIN" mqUserId="JOHNDOE1 --> <tns:qmgr name="MQPI" user="ADMIN" mqUserId="JOHNDOEI" mqPassword="yXXXX" /> <tns:qmgr name="MQPH" mqUserId="NONEH" mqPassword="yXXXX" /> <tns:qmgr name="MQPI" mqUserId="NONEI" mqPassword="yXXXX" /> </tns:mqmftCredentials>When a job with userid ADMIN needs to connect to queue manager MQPH, it passes user ID JOHNDOEH and uses password cXXXX.
If the job is run by any other user ID, and connects MQPH, that job passes user ID NONEH and password yXXXX.
We can protect this file using a security product, for example, RACF®, but the user IDs running the Managed File Transfer commands need read access to this file.
We can obscure information in this file using the JCL in member BFGCROBS. This takes the file and encrypts the IBM MQ user ID and password. For example member BFGCROBS takes the line<tns:qmgr name="MQPI" user="JOHNDOE2" mqUserId="JOHNDOE1" mqPassword="yXXXX" />and creates<tns:qmgr mqPasswordCipher="e977c61e9b9c363c" mqUserIdCipher="c394c5887867157c" name="MQPI" user="JOHNDOE2"/>If you want to keep the user ID to IBM MQ user ID mapping, we can add comments to the file. For example<!-- name="MQPI" user="ADMIN" mqUserId="JOHNDOE1 -->These comments are unchanged by the obscuring process.
Note that the content is obscured, not strongly encrypted. You should limit which user IDs have access to the file.