Supplying an initial key for an IBM MQ MQI client on IBM i

If you supply variables to an IBM® MQ MQI client that have been encrypted using the IBM MQ Password Protection System, you might need to supply the corresponding initial key that was used to encrypt the value.

If you did not specify an initial key when encrypting the value, you do not need to provide any initial key value to the IBM MQ client. However, if you used a unique initial key you can provide the initial key to the IBM MQ client using the following methods:

Supplying the initial key using the MQCSP structure
Supplying the initial key using the MQS_MQI_KEYFILE environment variable
Supplying the initial key using the client configuration file

Supplying the initial key using the MQCSP structure

To supply the initial key using the MQCSP structure, you must use a combination of the following three variable string fields:

InitialKeyLength: The length of the initial key
InitialKeyPtr: A pointer to the location in memory containing the initial key
InitialKeyOffset: The location of the initial key in memory, represented as number of bytes from the start of the MQCSP structure.

Note: You can supply only one of InitialKeyPtr or InitialKeyOffset.

For example:

char * initialKey = "myInitialKey";
MQCSP  cspOptions = {MQCSP_DEFAULT};


cspOptions.InitialKeyPtr = initialKey;
cspOptions.InitialKeyLength = (MQLONG)strlen(cspOptions.InitialKeyPtr);
cspOptions.Version = MQCSP_VERSION_2;

Supplying the initial key using the MQS_MQI_KEYFILE environment variable

If an initial key is not supplied to the client using the MQCSP structure, IBM MQ checks the MQS_MQI_KEYFILE environment variable. You should set this environment variable to the location of a file containing a single line of text, consisting of the initial key you want to use.

For example, if a file called mykey.key exists in the root directory, and contains the initial key, you should set the environment variable as follows:

export MQS_MQI_KEYFILE=/mykey.key

set MQS_MQI_KEYFILE=C:\mykey.key

Supplying the initial key using the client configuration file

If an initial key is not supplied to the client using a previous mechanism, IBM MQ checks the MQIInitialKeyFile attribute of the Security stanza of the mqclient.ini file. You should set this attribute to the location of a file containing a single line of text, consisting of the initial key you want to use.

For example, if a file called mykey.key exists in the root directory, and contains the initial key, the client configuration file should contain the following:

Security:
    MQIInitialKeyFile=/mykey.key