MFT and IBM MQ connection authentication

Managed File Transfer Version 8.0 or later supports the IBM MQ Version 8.0 or later security features, with the default mode of disabled. If the associated queue manager has security enabled, and requires credential details (user ID and password), this feature must enabled before a successful connection to a queue manager can be made.

Many Managed File Transfer commands support the following methods:

    Details supplied by command line arguments.
    The credential details can be specified using arguments -mquserid and -mqpassword. If the -mqpassword is not supplied, then the user will be asked for the password where the input is not displayed.

    Details supplied from a credentials file: MQMFTCredentials.xml.
    The credential details can be predefined in a MQMFTCredentials.xml file either as clear text or obfuscated text. The location of the MQMFTCredentials.xml file is defined by a property value:
    Table 1. Property values that define the location of the MQMFTCredentials.xml file
    Category Property File Property Name
    Show/List commands Coordination properties coordinationQMgrAuthenticationCredentialsFile
    Modify/create commands Command properties connectionQMgrAuthenticationCredentialsFile
    Agent/clean agent Agent properties agentQMgrAuthenticationCredentialsFile
    Logger Logger properties loggerQMgrAuthenticationCredentialsFile

QMgr defines a single pair of credentials, and has the following format:

<tns:qmgr mquserid="MQ User ID" mqpassword="MQ Password" name="QMgr" user="user running command" />

The user attribute is optional and, if not present, the credentials apply to all users.


Precedence

The precedence of determining the credential details is:
  1. Command line argument.
  2. MQMFTCredentials.xml index by associated queue manager and user running the command.
  3. MQMFTCredentials.xml index by associated queue manager.
  4. Default backward compatibility mode where no credential details are supplied to allow compatibility with previous releases of IBM MQ or IBM WebSphere MQ.
Notes:

  • The fteStartAgent and fteStartLogger commands do not support the command line argument -mquserid, or -mqpassword, and the credential details can only be specified with the MQMFTCredentials.xml file.

  • On z/OSĀ®, the password must be uppercase, even if the user's password has lowercase letters. For example, if the user's password was "password", it would have to be entered as "PASSWORD".