Before IBM® MQ 9.2.4, passphrases for MQTT TLS channels were stored in plain text. From IBM MQ 9.2.4, support for encryption of passphrases for MQTT TLS channels is provided.
About this task
Note that migration of plain text passphrases to an encrypted form is not an automatic process. Update your plain text passphrases to an encrypted form by performing the following procedure.
Procedure
1. Ensure that you know the passphrases for each MQTT TLS channel.
2. Stop the MQXR service SYSTEM.MQXR.SERVICE.
3. Alter the MQXR service SYSTEM.MQXR.SERVICE to add the STARTARG option -sf and provide the credentials key file to be used for encryption.
   For example, to encrypt passphrases using the DEFAULT key, issue the following command:
       STARTARG('-m +QMNAME+ -d "+MQ_Q_MGR_DATA_PATH+" -g "+MQ_DATA_PATH+" -sf "[DEFAULT]"')
   Similarly, to encrypt passphrases with a user-defined key in keyfile.txt, issue the following command:
       STARTARG('-m +QMNAME+ -d "+MQ_Q_MGR_DATA_PATH+" -g "+MQ_DATA_PATH+" -sf "c:\pathToKeyfile\keyfile.txt"')
4. Start the MQXR service SYSTEM.MQXR.SERVICE.
5. Change the TLS channel passphrases through IBM MQ Explorer, or by using the MQSC ALTER CHANNEL (MQTT) command.
   Passphrases will be encrypted using the credentials key file provided by the -sf option in step 3.
6. Start the channels.
Attention: In the preceding steps, if you do not alter the channel after restarting the
service, a channel with a plain text passphrase fails to start. An error is logged to indicate that
the passphrase needs to be updated.
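
The procedure above written out as MQSC commands for an interactive runmqsc session, as an added example that is not part of the IBM documentation. The channel name MQTT.TLS.EXAMPLE and the passphrase value are placeholders, and the DEFAULT key is used as in the first STARTARG example.

```mqsc
* Added example: enter these commands one at a time in runmqsc.
* MQTT.TLS.EXAMPLE and <keystore-passphrase> are placeholders.

* Step 2: stop the MQXR service. The stop is asynchronous, so
* confirm that the service has stopped before altering it.
STOP SERVICE(SYSTEM.MQXR.SERVICE)
DISPLAY SVSTATUS(SYSTEM.MQXR.SERVICE)

* Step 3: add -sf to STARTARG (kept on one line). "[DEFAULT]"
* selects the DEFAULT key; use a key file path for your own key.
ALTER SERVICE(SYSTEM.MQXR.SERVICE) STARTARG('-m +QMNAME+ -d "+MQ_Q_MGR_DATA_PATH+" -g "+MQ_DATA_PATH+" -sf "[DEFAULT]"')

* Step 4: start the service so that the new STARTARG is used.
START SERVICE(SYSTEM.MQXR.SERVICE)
DISPLAY SVSTATUS(SYSTEM.MQXR.SERVICE)

* Step 5: set the passphrase again on each MQTT TLS channel.
* It is stored encrypted with the key named by -sf.
* Repeat this command for every MQTT TLS channel.
ALTER CHANNEL(MQTT.TLS.EXAMPLE) CHLTYPE(MQTT) PASSPHR('<keystore-passphrase>')

* Step 6: start the channel and check that it is running.
* A channel that still has a plain text passphrase fails to
* start and an error is logged.
START CHANNEL(MQTT.TLS.EXAMPLE) CHLTYPE(MQTT)
DISPLAY CHSTATUS(MQTT.TLS.EXAMPLE) CHLTYPE(MQTT)
```

Typing the ALTER CHANNEL command interactively, rather than saving it in a script file, avoids leaving the passphrase in plain text on disk.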