Encrypting stored passwords
The MQIPT configuration might include passwords to access various resources, as well as the password to access MQIPT using the command port. From IBM MQ Version 9.2.0, all of these passwords should be protected by encryption.
In versions earlier than Version 9.2.0 (or Version 9.1.4 or earlier for Continuous Delivery), only the passwords that MQIPT uses to access key rings, or cryptographic hardware key stores, can be encrypted. The encrypted passwords are stored in files that are referenced by the SSL*KeyRingPW properties. Other passwords, such as passwords for LDAP servers and the MQIPT access password, are stored in plain text in the mqipt.conf configuration file.
From Version 9.2.0 (or from Version 9.1.5 for Continuous Delivery), all stored passwords for use by MQIPT should be protected by encrypting them with the mqiptPW command. The encrypted passwords are stored as property values in the mqipt.conf configuration file. MQIPT can distinguish between encrypted passwords, plain text passwords, and file names in property values. Encrypt all passwords stored for use by MQIPT in this way, because it is the most secure protection method available.
The method of encrypting key store passwords that was used in MQIPT before Version 9.2.0 (or in Version 9.1.4 or earlier for Continuous Delivery) is deprecated, but can still be used for the configuration properties that were available before Version 9.2.0. To improve the protection of key ring passwords, re-encrypt any key ring passwords that were previously encrypted, using the latest protection method.
Note: The SSLCommandPortKeyRingPW property in the mqipt.conf configuration file, and the SSLClientCAKeyRingPW property in the mqiptAdmin properties file, cannot refer to password files. The values of these properties must be set to the encrypted password string that is output by the mqiptPW command.
If a plain text or weakly protected password is present in the MQIPT configuration, a warning message is issued either when MQIPT starts or when a route starts.
Use this procedure to encrypt a password to be stored for use by MQIPT using the latest protection method. To encrypt a key ring password in MQIPT before Version 9.2.0 (or Version 9.1.4 or earlier for Continuous Delivery), follow the steps in Encrypting a key ring password before MQIPT Version 9.2.0.
Procedure
- Optional: Create a file containing the password encryption key, if you do not already have one.
MQIPT uses an encryption key to encrypt passwords. You can specify your own encryption key in a file. The file must contain at least one character, and only one line of text.
The same password encryption key is used to encrypt and decrypt all stored passwords for an instance of MQIPT. Therefore, you need only a single password encryption key file for each MQIPT installation.
You can use a different password encryption key to encrypt passwords stored in the mqiptAdmin properties file from the encryption key used to encrypt passwords in the MQIPT configuration.
If you are planning to run MQIPT as a service that is automatically started, you must create the password encryption key file with the default name of mqipt_cred.key, and place it in the MQIPT home directory.
You do not have to specify a password encryption key, however it is more secure to do so. If you do not specify your own encryption key, the default encryption key, which is the same for every MQIPT installation, is used.
Note: You must ensure that appropriate file permissions are set on the password encryption key file to prevent any unauthorized users from reading the encryption key. Only the user that runs the mqiptPW command and the user under which MQIPT runs need authority to read the password encryption key.
- Encrypt the password using the mqiptPW command. The syntax of the mqiptPW command is described in mqiptPW (encrypt stored password). If you created a password encryption key file in step 1, specify the file name using the -sf parameter to mqiptPW. For example, the following command encrypts a password using the encryption key in the file specified by the -sf parameter:
mqiptPW -sf /opt/mqipt/mqipt_password.key
- Enter the password to be encrypted when prompted. The encrypted password is output by mqiptPW.
- Copy the encrypted password into the appropriate property in the mqipt.conf configuration file, or the mqiptAdmin properties file. For example, the following line specifies an encrypted password for the MQIPT access password:
AccessPW=<mqiptPW>1!QL+2Jvj/tigKKlD7Nz8Oqw==!AMDBefOUrmPf5i1OuqV5MA==
- Start MQIPT. If you created a password encryption key file in step 1 with a name other than the default name, specify the name of the encryption key file when starting MQIPT, using the -sf parameter. For example, issue the following command to start MQIPT using the encryption key in the file specified by the -sf parameter:
mqipt /opt/mqipt -sf /opt/mqipt/mqipt_password.key
For information about other methods to specify the password encryption key file name when starting MQIPT, see Specify the password encryption key.
You can specify the name of the password encryption key file for the mqiptAdmin command using the PasswordProtectionKeyFile property in the mqiptAdmin properties file.
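The procedure above, from creating the key file to checking the configuration, as an added example in POSIX shell. This is not IBM's code and not part of the MQIPT product: it creates the password encryption key file with owner-only permissions, verifies the one-line rule and the permissions, and audits an mqipt.conf for password properties that are not protected by the latest method, recognising protected values by the <mqiptPW> prefix visible in the AccessPW example earlier in this topic. Assumptions not stated on the page: password properties are taken to be those whose names end in PW or Password; SSLClientKeyRingPW and SSLServerKeyRingPW are used as instances of the SSL*KeyRingPW pattern; ListenerPort is used only as a non-password route property to show it is skipped; the sample configuration is constructed; the real mqiptPW command is invoked only when it is on PATH.

```shell
#!/bin/sh
# Added example, not IBM's code: prepare an MQIPT password encryption key file,
# check it, and audit an mqipt.conf for passwords that are not protected by the
# latest method (values that start with "<mqiptPW>", as in the page's example).
# Assumptions: password properties are those whose names end in "PW" or "Password";
# SSLClientKeyRingPW / SSLServerKeyRingPW stand in for the page's SSL*KeyRingPW pattern.

nl='
'

# Write the key text to a file readable only by its owner.
# The page's rules: at least one character, exactly one line of text.
create_key_file() {
    key_file=$1 key_text=$2
    [ -n "$key_text" ] || { echo "key must contain at least one character" >&2; return 1; }
    case $key_text in
        *"$nl"*) echo "key must be a single line of text" >&2; return 1 ;;
    esac
    ( umask 077 && printf '%s\n' "$key_text" > "$key_file" ) || return 1
    chmod 600 "$key_file"
}

# Verify an existing key file: one non-empty line, not readable by group or others.
check_key_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    [ "$(grep -c '' "$f")" -eq 1 ] || { echo "$f: must contain exactly one line" >&2; return 1; }
    IFS= read -r first < "$f" || true
    [ -n "$first" ] || { echo "$f: key line is empty" >&2; return 1; }
    # columns 5-10 of "ls -l" output are the group and other permission bits
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || { echo "$f: readable by group or others" >&2; return 1; }
}

# Classify a password property value: encrypted (latest method), file (deprecated
# key ring password file) or plaintext. SSLCommandPortKeyRingPW and
# SSLClientCAKeyRingPW cannot refer to files, so a path there is just plain text.
classify_password() {
    prop=$1 val=$2
    case $val in
        '<mqiptPW>'*) echo encrypted; return 0 ;;
    esac
    case $prop in
        SSLCommandPortKeyRingPW|SSLClientCAKeyRingPW) ;;
        SSL*KeyRingPW) [ -f "$val" ] && { echo file; return 0; } ;;
    esac
    echo plaintext
}

# Print "<property> <state>" for every password property in a Name=value file.
# Returns 0 only when every password uses the latest protection method.
audit_conf() {
    conf=$1 weak=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*|'['*|'') continue ;; esac
        name=${line%%=*} value=${line#*=}
        case $name in *PW|*Password) ;; *) continue ;; esac
        state=$(classify_password "$name" "$value")
        echo "$name $state"
        [ "$state" = encrypted ] || weak=$((weak + 1))
    done < "$conf"
    [ "$weak" -eq 0 ]
}

# Run the real mqiptPW command (it prompts for the password) when it is installed.
encrypt_with_mqiptpw() {
    command -v mqiptPW >/dev/null 2>&1 || { echo "mqiptPW is not on PATH" >&2; return 2; }
    mqiptPW -sf "$1"
}

# Constructed sample configuration (not a real MQIPT configuration): one value
# copied from the page's AccessPW example, one plain text command port key ring
# password, one deprecated password file ($2), and one plain text key ring password.
# ListenerPort is a non-password route property included to show it is skipped.
write_sample_conf() {
    cat > "$1" <<EOF
[global]
AccessPW=<mqiptPW>1!QL+2Jvj/tigKKlD7Nz8Oqw==!AMDBefOUrmPf5i1OuqV5MA==
SSLCommandPortKeyRingPW=changeit
[route]
ListenerPort=1414
SSLClientKeyRingPW=$2
SSLServerKeyRingPW=plaintextsecret
EOF
}

# Demonstration in a temporary directory.
demo_dir=$(mktemp -d)
create_key_file "$demo_dir/mqipt_cred.key" 'replace-this-with-a-long-random-key'
check_key_file "$demo_dir/mqipt_cred.key" && echo "key file OK"
printf 'oldkeyringpw\n' > "$demo_dir/keyring.pwd"   # stands in for a deprecated password file
write_sample_conf "$demo_dir/mqipt.conf" "$demo_dir/keyring.pwd"
audit_conf "$demo_dir/mqipt.conf" || echo "WARNING: some passwords are not protected by the latest method"
rm -rf "$demo_dir"
```

Run the script as the user that will run mqiptPW and MQIPT so that the key file ends up owned by the right account; the audit reproduces, before MQIPT is started, the warning that MQIPT itself issues at startup or route start for plain text or weakly protected passwords.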
- Encrypting a key ring password before MQIPT Version 9.2.0
Before Version 9.2.0 (and in Version 9.1.4 and earlier for Continuous Delivery), encrypted passwords that are used to access the key rings used by MQIPT are stored in files.
Parent topic: Configure IBM MQ Internet Pass-Thru