Encryption of passphrases for MQTT TLS channels
IBM® MQ 9.2.4 provides support for encryption of passphrases for MQTT TLS channels. Two additional MQXR service STARTARG options, -sf and -sp, have been added.
About this task
The -sf option provides a credentials key file for encryption of MQTT TLS channel passphrases. Note that, for convenience, a default key is provided.
The -sp option specifies the protection mode. The default value is 2, which selects the more secure credentials protection method. See Defining the MQXR service manually on Linux or Defining the MQXR service manually on Windows for more information, depending on the operating systems your enterprise uses.
When a channel is created or altered, the passphrases are encrypted using the credentials key file provided for the -sf option. Encrypted passphrases are stored in the platform-specific properties file, mqxr_win.properties or mqxr_unix.properties, for example:
com.ibm.mq.MQXR.channel.SSL.PassPhrase=<MQXR>2!kvAzYv/1aCMfSQ5igkFVmQ==!f4rX5KL7aFKHJl7Ln0X+OQ==
The following STARTARG uses the default key:
STARTARG('-m +QMNAME+ -d "+MQ_Q_MGR_DATA_PATH+" -g "+MQ_DATA_PATH+" -sf "[DEFAULT]"')
where DEFAULT means the default key is used for encryption of passphrases. The word DEFAULT has to be enclosed in square brackets, that is [DEFAULT].
The following STARTARG uses a credentials key file that you supply:
STARTARG('-m +QMNAME+ -d "+MQ_Q_MGR_DATA_PATH+" -g "+MQ_DATA_PATH+" -sf "c:\pathOfKeyfile\keyfile.txt"')
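As an added example (not IBM MQ code), the following Python audit checks an mqxr properties file for SSL.PassPhrase entries that are still held in clear text and reads the -sf and -sp options out of a STARTARG string. The field layout after <MQXR> (one digit, then two !-separated base64 fields) is inferred from the single example above and is an assumption, and the LEGACY channel entry in the sample is constructed.

```python
import re
import shlex

# Encrypted form seen on the page: "<MQXR>" + a digit + "!" + base64 + "!" + base64.
# Reading the digit as the -sp protection mode is an assumption based on that example.
ENCRYPTED_RE = re.compile(r"^<MQXR>(\d)!([A-Za-z0-9+/=]+)!([A-Za-z0-9+/=]+)$")

# Constructed sample of an mqxr_unix.properties file: the first entry is the page's
# example, the LEGACY channel entry is invented to show a clear-text passphrase.
SAMPLE_PROPS = """\
# constructed sample, not a real file
com.ibm.mq.MQXR.channel.SSL.PassPhrase=<MQXR>2!kvAzYv/1aCMfSQ5igkFVmQ==!f4rX5KL7aFKHJl7Ln0X+OQ==
com.ibm.mq.MQXR.channel.LEGACY.SSL.PassPhrase=Passw0rd
"""

def audit_passphrases(properties_text):
    """Map each *.SSL.PassPhrase key to 'encrypted:<mode>', 'plaintext' or 'empty'."""
    result = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, Java-properties comment, or not key=value
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.endswith(".SSL.PassPhrase"):
            continue
        m = ENCRYPTED_RE.match(value)
        if value == "":
            result[key] = "empty"
        elif m:
            result[key] = "encrypted:" + m.group(1)
        else:
            # Held in the clear; the page says passphrases are encrypted when the
            # channel is created or altered with -sf in effect.
            result[key] = "plaintext"
    return result

def audit_startarg(startarg):
    """Return the -sf and -sp values from an MQXR STARTARG string (None when absent)."""
    tokens = shlex.split(startarg)  # honours the double quotes used in STARTARG
    opts = {}
    for flag in ("-sf", "-sp"):
        if flag in tokens and tokens.index(flag) + 1 < len(tokens):
            opts[flag] = tokens[tokens.index(flag) + 1]
        else:
            opts[flag] = None
    return opts

if __name__ == "__main__":
    for key, status in audit_passphrases(SAMPLE_PROPS).items():
        print(status.ljust(12), key)
    # The page's default-key STARTARG with the MQSC STARTARG('...') wrapper removed.
    print(audit_startarg('-m +QMNAME+ -d "+MQ_Q_MGR_DATA_PATH+" -g "+MQ_DATA_PATH+" -sf "[DEFAULT]"'))
```

A missing -sf, or any entry reported as plaintext, means the service is not yet protecting that channel's passphrase as described above.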
Creating the SYSTEM.MQXR.SERVICE on Linux® and Creating the SYSTEM.MQXR.SERVICE on Windows are updated to specify the default key for encrypting MQTT TLS channel passphrases.
You can also define the MQXR service manually by performing a list of steps. For more information, see Defining the MQXR service manually on Windows and Defining the MQXR service manually on Linux.
If you want to change the credentials key file used for encrypting the passphrases, carry out the following procedure.