fteObfuscate (encrypt sensitive data)
The fteObfuscate command encrypts sensitive data in credentials files, so that the contents cannot be read by someone who gains access to the file. From IBM® MQ 9.2.0, the command provides a more secure credentials protection method to improve the encryption.
Purpose
User name and password properties in credentials files can be encrypted. These properties are transformed to a new related property, with a Cipher suffix. For example:
<!--
MQMFTCredentials properties before
-->
<tns:logger name="logger1" user="user1" password="passw0rd" />
<tns:file path="$HOME/trust.jks" password="passw0rd" />
<!--
MQMFTCredentials properties after
-->
<tns:logger name="logger1" userCipher="e71vKCg2pf" passwordCipher="se71vKCg" />
<tns:file path="$HOME/trust.jks" passwordCipher="e71vKCg2pf" />
<!--
ProtocolBridgeCredentials Properties before
-->
<tns:user name="Fred" serverUserId="fred" serverPassword="passw0rd" />
<!--
ProtocolBridgeCredentials properties after
-->
<tns:user name="Fred" serverUserIdCipher="e51vVCg2pf" serverPasswordCipher="se51vBCg" />
<!--
ConnectDirectCredentials properties before
-->
<tns:user name="fteuser" ignorecase="true" pattern="wildcard"
cdUserId="cdUser" cdPassword="cdPassword" pnodeUserId="pnodeUser"
pnodePassword="pnodePassword">
<tns:snode name="snode1" pattern="wildcard" userId="snodeUser" password="snodePassword"/>
</tns:user>
<!--
ConnectDirectCredentials properties after
-->
<tns:user name="fteuser" ignorecase="true" pattern="wildcard"
cdUserIdCipher="e71vKCg2pf" cdPasswordCipher="se71vKCg"
pnodeUserIdCipher="2f1vgCg6df" pnodePasswordCipher="e71vKCg2pf">
<tns:snode name="snode1" pattern="wildcard" userIdCipher="e51vVCg2pf" passwordCipher="se51vBCg"/>
</tns:user>
From IBM MQ 9.2.0, the preferred formats are:
MFT:
<tns:qmgr mqPasswordCipher="mqmftcred!1!kvAzYv/1aCMfSQ5igkFVmQ==!f4rX5KL7aFKHJl7Ln0X+OQ==" mqUserIdCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g==" name="MFTQM" user="JOHNDOE"/>
ProtocolBridgeCredentials:
<tns:agent name="agent3">
  <tns:serverHost name="ftpsServer" keyStorePasswordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz3VA==!Q40i2rRSEMGwrx6gnRFe8g==" trustStorePasswordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGKtz0VA==!Q40i2rRSEMGwrx6gnRFe8g==">
  </tns:serverHost>
</tns:agent>
ConnectDirectCredentials:
<tns:agent name="CDAGENT01">
  <tns:pnode name="cdnode*" pattern="wildcard">
    <tns:user name="MUSR_.*" ignorecase="true" pattern="regex"
      cdUserIdCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
      cdPasswordCipher="!mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
      pnodeUserIdCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
      pnodePasswordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g==">
      <tns:snode name="cdnode2" pattern="wildcard" userId="sue" passwordCipher="!mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="/>
    </tns:user>
  </tns:pnode>
</tns:agent>
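As an added example (not IBM's own code), the following Python script audits a credentials file for the transformation this section describes: it reports attributes that still hold a plaintext password and classifies each Cipher attribute as the pre-9.2.0 format (reported as mode 0, the deprecated method) or as the mqmftcred!<mode>! format. The namespace URI and the base64 fields in the sample document are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Password attributes the page shows in plaintext before fteObfuscate is run.
PLAIN_PASSWORD_ATTRS = {"password", "serverpassword", "cdpassword", "pnodepassword",
                        "keystorepassword", "truststorepassword", "mqpassword"}
# Post-9.2.0 protected values have the shape mqmftcred!<mode>!<base64>!<base64>
NEW_FORMAT = re.compile(r"^mqmftcred!(\d+)!([A-Za-z0-9+/=]+)!([A-Za-z0-9+/=]+)$")

def audit_credentials(xml_text):
    """Return (plaintext, modes) for an MFT credentials document.

    plaintext: [(element, attribute)] still carrying an unprotected password.
    modes: [(element.attribute, mode)] for every *Cipher attribute; values in
           the pre-9.2.0 format are reported as mode 0 (the deprecated method).
    """
    root = ET.fromstring(xml_text)
    plaintext, modes = [], []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]        # strip the tns namespace
        for attr, value in elem.attrib.items():
            if attr.lower() in PLAIN_PASSWORD_ATTRS:
                plaintext.append((local, attr))
            elif attr.endswith("Cipher"):
                m = NEW_FORMAT.match(value)
                modes.append((f"{local}.{attr}", int(m.group(1)) if m else 0))
    return plaintext, modes

def below_mode(modes, required):
    """Cipher attributes that should be re-run through fteObfuscate -sp <required>."""
    return [name for name, mode in modes if mode < required]

# Constructed sample: the namespace URI and base64 fields are placeholders, not real output.
SAMPLE = """<tns:mqmftCredentials xmlns:tns="urn:example:constructed">
  <tns:logger name="logger1" user="user1" password="passw0rd"/>
  <tns:file path="$HOME/trust.jks" passwordCipher="e71vKCg2pf"/>
  <tns:qmgr name="MFTQM" user="JOHNDOE"
            mqUserIdCipher="mqmftcred!1!c2FsdA==!ZGF0YQ=="
            mqPasswordCipher="mqmftcred!2!c2FsdA==!ZGF0YQ=="/>
</tns:mqmftCredentials>"""

if __name__ == "__main__":
    plain, modes = audit_credentials(SAMPLE)
    for where in plain:
        print("plaintext password still present:", where)
    for name in below_mode(modes, 2):
        print("protected below mode 2, re-protect with -sp 2:", name)
```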
Syntax
From IBM MQ 9.2.0, the syntax is as follows:
Parameters
- -f credentials_file_name
- Required. Name of the credentials file whose contents will be encrypted.
- -sp protection_mode
- Optional. The protection mode to be used for encrypting credentials. The value can be:
- 0
- Use the credentials protection method deprecated at IBM MQ 9.2.0.
- 1
- Use the more secure credentials protection method introduced at IBM MQ 9.2.0. For more information, see Improvements to MFT security.
- 2
- Use the enhanced credentials protection mode introduced at IBM MQ 9.2.4. For more information, see Improvements to MFT security.
- -sf credentials_key_file
- Optional. The name of the file containing the credentials key. If this parameter is omitted, the command uses the default credentials key. For more information, see Protecting passwords in IBM MQ component configuration files.
- -o output_file_name
- Optional. Name of the file to output the protected credentials.
- -? or -h
- Optional. Displays command syntax.
Examples
To encrypt credentials in the MQMFTCredentials.xml file using the old algorithm, and store them in the old format, issue the following command:
fteObfuscate -f /usr/home/MQMFTCredentials.xml -sp 0
To encrypt a password in the MQMFTCredentials.xml file using the old algorithm, and store it in the new format, issue the following command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -sp 0 -f /usr/home/MQMFTCredentials.xml
To encrypt a password in the MQMFTCredentials.xml file using the new algorithm, and store it in the new format, issue the following command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -sp 1 -f /usr/home/MQMFTCredentials.xml
Note: You do not have to specify the level of protection if you are using the more secure version of the command, so the following command is identical to the previous command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -f /usr/home/MQMFTCredentials.xml
To encrypt credentials in the MQMFTCredentials.xml file using the new algorithm, and store them in the new format, issue the following command:
fteObfuscate -f /usr/home/MQMFTCredentials.xml
To encrypt a password in the ProtocolBridgeCredentials.xml file using the default protection, new algorithm, and store it in the new format, issue the following command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -f /usr/home/ProtocolBridgeCredentials.xml
To encrypt credentials in the MQMFTCredentials.xml file and output to another file, this time specifying the default protection, issue the following command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -sp 1 -f /usr/home/MQMFTCredentials.xml -o /usr/home/enccred.xml
Using data sets on z/OS®
Encrypt a data set and output it as an XML file format:
fteObfuscate -f "//test.creds(creds)" -o enc.xml
Encrypt a data set with the key specified in the data set:
fteObfuscate -f "//test.creds(creds)" -sf "//test.creds(key)"
Examples of using the command from IBM MQ 9.2.4
To encrypt a password in the MQMFTCredentials.xml file using the new algorithm, protection mode (1), and store it in the new format, issue the following command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -sp 1 -f /usr/home/MQMFTCredentials.xml
To encrypt a password in the MQMFTCredentials.xml file using the default protection (2), new algorithm, and store it in the new format, issue the following command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -f /usr/home/MQMFTCredentials.xml
To encrypt credentials in the MQMFTCredentials.xml file and output to another file, issue the following command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -sp 2 -f /usr/home/MQMFTCredentials.xml -o /usr/home/enccred.xml
Return codes
- 0
- Command completed successfully.
- 1
- Command ended unsuccessfully.