[MQ 9.2.3 Jul 2021]

runp11cred (protect PKCS #11 cryptographic hardware passwords)

The runp11cred command protects passwords before they are supplied in PKCS #11 cryptographic hardware configuration strings, whether those strings are set through the MQSSLCRYP environment variable or the SSLCryptoHardware attribute of the SSL stanza in mqclient.ini.

Purpose

When run, the runp11cred command prompts for the password to protect and reads it securely. runp11cred then uses the encryption key contained in the file indicated by one of three options. In order of priority, these are the:
  1. -sf parameter
  2. MQS_SSLCRYP_KEYFILE environment variable
  3. Default initial key file if neither of the above options is specified.
Attention: You should not use the default initial key.

Syntax

Store the encrypted password in the appropriate property of the cryptographic hardware configuration string, which is held in either the mqclient.ini file or the MQSSLCRYP environment variable.

runp11cred [-sf keyfile] [-sp int]

Optional Parameters

-sf keyfile
    Path to a file containing the initial key.
-sp int
    Algorithm to use for protecting passwords. The value can be:
    1   The IBM® MQ 9.2.0 password protection algorithm.
    2   Default value: use the more secure credentials protection method.

Examples

>runp11cred
5724-H72 (C) Copyright IBM Corp. 1994, 2024.
Enter password:
*******
Credentials are encrypted using the default encryption key. For more secure
protection of stored credentials, use a custom, strong encryption key.
<P11>!2!N5eSuyDco5urE1GXhvpX7Hdk4bo84OAO8bOZqyZv9P8=!Wtlg2x2SlYmCvhFtkUM5Ag==
>runp11cred -sf InitialKey.file
5724-H72 (C) Copyright IBM Corp. 1994, 2024.
Enter password:
*******
<P11>!2!8ctSQHBKHOm7cBHbqz11FxOiVGrlka9340DvIR/Dx7g=!SsvlsLVVZrt/3ODvwcoklw==
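
The following audit script is an added example, not part of the IBM documentation: it checks that the token password in an MQSSLCRYP value or an mqclient.ini SSLCryptoHardware attribute is a runp11cred-protected string rather than clear text. The GSK_PKCS11 field layout, the meaning of the number after the <P11> prefix, the function names, and the sample driver path, token label and password are assumptions made for the example.

```python
import re

# Shape of runp11cred output as it appears in the Examples section:
#   <P11>!<algorithm>!<base64>!<base64>
# Assumption: the number after the prefix is the -sp algorithm value.
PROTECTED = re.compile(r"<P11>!(\d+)!([A-Za-z0-9+/]+={0,2})!([A-Za-z0-9+/]+={0,2})")

def audit_crypto_hardware(value):
    """Return a list of findings for one MQSSLCRYP / SSLCryptoHardware value.
    Assumed layout (not stated on this page):
      GSK_PKCS11=<driver path>;<token label>;<token password>;<cipher setting>;
    """
    prefix = "GSK_PKCS11="
    if not value.startswith(prefix):
        return ["not a GSK_PKCS11 configuration string"]
    fields = value[len(prefix):].split(";")
    if len(fields) < 3 or not fields[2]:
        return ["token password field is missing or empty"]
    match = PROTECTED.fullmatch(fields[2])
    if match is None:
        return ["token password is not in runp11cred <P11> format (clear text?)"]
    if match.group(1) != "2":
        return ["password protected with algorithm %s; re-protect with -sp 2" % match.group(1)]
    # The string does not reveal which initial key was used, so a value
    # produced with the default key cannot be detected here.
    return []

def audit_mqclient_ini(text):
    """Audit every SSLCryptoHardware attribute inside an SSL: stanza."""
    results, in_ssl = {}, False
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.endswith(":") and "=" not in line:
            in_ssl = line[:-1].upper() == "SSL"   # stanza header
        elif in_ssl and line.startswith("SSLCryptoHardware="):
            results[number] = audit_crypto_hardware(line.split("=", 1)[1])
    return results

# Constructed sample file; driver path, token label and password are made up.
SAMPLE_INI = """\
CHANNELS:
   DefRecon=YES
SSL:
   SSLCryptoHardware=GSK_PKCS11=/opt/vendor/lib/libpkcs11.so;token1;Passw0rd!;SYMMETRIC_CIPHER_ON;
"""

print(audit_mqclient_ini(SAMPLE_INI))  # maps line number to findings
```

An empty findings list only means the password field has the protected format; whether a custom initial key was used has to be verified from how runp11cred was invoked.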

Return codes

0   Command completed successfully
1   Command completed unsuccessfully