Configuring MQMFTCredentials.xml on z/OS
If Managed File Transfer (MFT) is configured with security enabled, connection authentication requires all MFT agents, and commands that connect to a queue manager, to supply user ID and password credentials.
Similarly, MFT loggers might be required to specify a user ID and password when connecting to a database.
This credential information can be stored in the MFT credentials file. The credentials files are optional; however, it is easier to define the file or files that you require before you customize the environment.
If you have credentials files, you also receive fewer warning messages. Those warning messages inform you that MFT considers queue manager security to be off, and that you are therefore not supplying authentication details.
You can find a sample credentials file in the MQ_INSTALLATION_PATH/mqft/samples/credentials directory.
Example MQMFTCredentials.xml file:
<?xml version="1.0" encoding="IBM-1047"?>
<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MFTCredentials"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://wmqfte.ibm.com/MFTCredentials MFTCredentials.xsd">
  <!-- Entries used when the job runs under user ID ADMIN -->
  <tns:qmgr name="MQPH" user="ADMIN" mqUserId="JOHNDOEH" mqPassword="cXXXX" />
  <tns:qmgr name="MQPI" user="ADMIN" mqUserId="JOHNDOEI" mqPassword="yXXXX" />
  <!-- Entries with no user attribute, used for any other user ID -->
  <tns:qmgr name="MQPH" mqUserId="NONEH" mqPassword="yXXXX" />
  <tns:qmgr name="MQPI" mqUserId="NONEI" mqPassword="yXXXX" />
</tns:mqmftCredentials>
When a job running under user ID ADMIN needs to connect to queue manager MQPH, it passes user ID JOHNDOEH and uses password cXXXX.
If the job is run by any other user ID and connects to MQPH, that job passes user ID NONEH and password yXXXX.
The default location for the MQMFTCredentials.xml file is the user's home directory on z/OS® Unix System Services (USS). It is also possible to store the file in either a different location on USS, or in a member within a partitioned data set.
Type of command | Property file | Property name |
---|---|---|
Command which connects to the coordination queue manager | coordination.properties | coordinationQMgrAuthenticationCredentialsFile |
Command which connects to the command queue manager | connection.properties | connectionQMgrAuthenticationCredentialsFile |
Command that connects to an agent process | agent.properties | agentQMgrAuthenticationCredentialsFile |
Command that connects to a logger process | logger.properties | loggerQMgrAuthenticationCredentialsFile |
Type of command | Property file | Property name |
---|---|---|
MFT agents | agent.properties | agentQMgrAuthenticationCredentialsFile |
MFT loggers | logger.properties | loggerQMgrAuthenticationCredentialsFile |
For details about what commands and processes connect to which queue manager, see Which MFT commands and processes connect to which queue manager.
- Create a PDSE with format VB and logical record length (Lrecl) 200.
- Create a member within the data set, make a note of the data set and member, and add the following code to the member:
<?xml version="1.0" encoding="IBM-1047"?>
<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MQMFTCredentials"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://wmqfte.ibm.com/MFTCredentials MQMFTCredentials.xsd">
  <!-- credentials information goes here -->
</tns:mqmftCredentials>
You can protect the credentials file using a security product, for example, RACF®, but the user IDs running the Managed File Transfer commands, and administering the agent and logger processes, need read access to this file.
<tns:qmgr name="MQPI" user="JOHNDOE2" mqUserId="JOHNDOE1" mqPassword="yXXXX" />
and creates
<tns:qmgr mqPasswordCipher="e977c61e9b9c363c" mqUserIdCipher="c394c5887867157c"
name="MQPI" user="JOHNDOE2"/>
<!-- name="MQPI" user="ADMIN" mqUserId="JOHNDOE1" -->
These comments are unchanged by the obscuring process.
Note that the content is obscured, not strongly encrypted. You should limit which user IDs have access to the file.
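The following audit sketch is an added example, not IBM-supplied code. It lists entries that still hold a cleartext mqPassword, models the user-specific-then-default lookup described for ADMIN and MQPH above, and checks the USS file mode. The function names and the sample document are constructed for illustration, and the file content is assumed to be already decoded from IBM-1047 to text.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Namespace taken from the sample credentials file on this page.
NS = "{http://wmqfte.ibm.com/MFTCredentials}"

# Constructed sample: two cleartext entries and one obscured entry.
SAMPLE = """<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MFTCredentials">
  <tns:qmgr name="MQPH" user="ADMIN" mqUserId="JOHNDOEH" mqPassword="cXXXX" />
  <tns:qmgr name="MQPI" user="JOHNDOE2" mqUserIdCipher="c394c5887867157c"
            mqPasswordCipher="e977c61e9b9c363c" />
  <tns:qmgr name="MQPH" mqUserId="NONEH" mqPassword="yXXXX" />
</tns:mqmftCredentials>"""


def cleartext_entries(xml_text):
    """Return (qmgr, user) for every entry that still has a cleartext password."""
    root = ET.fromstring(xml_text)
    return [(e.get("name"), e.get("user"))
            for e in root.iter(NS + "qmgr")
            if e.get("mqPassword") is not None]


def resolve_user_id(xml_text, qmgr, job_user):
    """Entry whose user matches job_user wins; otherwise the entry with no user."""
    root = ET.fromstring(xml_text)
    fallback = None
    for e in root.iter(NS + "qmgr"):
        if e.get("name") != qmgr:
            continue
        # Obscured entries carry mqUserIdCipher instead of mqUserId.
        user_id = e.get("mqUserId") or "<obscured>"
        if e.get("user") == job_user:
            return user_id
        if e.get("user") is None:
            fallback = user_id
    return fallback


def too_permissive(path):
    """True if the file is group-writable or has any 'other' permission bit set."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IRWXO))
```

Group read is tolerated by `too_permissive` because the user IDs that run the commands and administer the agent and logger processes need read access to the file.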