Configuring encrypted security credentials

You can configure integration nodes and integration servers to connect to secured resources by using credentials that are stored in encrypted form in an IBM® App Connect Enterprise vault.

You can configure security credentials by using the mqsicredentials command or the administrative REST API, and you can view credentials by using the web user interface. The encrypted credentials are stored in a vault, which might be an integration server vault, an integration node vault, or an external directory vault (which can be accessed by multiple integration servers and integration nodes). You can configure each of these vaults by using the mqsivault command, or you can configure an integration node vault by specifying a vault key on the mqsicreatebroker command. For more information about configuring a vault, see Configuring an IBM App Connect Enterprise vault.

Alternatively, you can use the mqsisetdbparms command to associate credentials with resources that are accessed by an integration server or an integration node. For more information, see mqsisetdbparms command.

The following video demonstrates how to create a vault in IBM App Connect Enterprise and then use it to store security credentials in encrypted form: Storing encrypted security credentials in a vault using App Connect Enterprise.

Note: This video was created for App Connect Enterprise 11.0, but also applies to App Connect Enterprise 12.0.

Creating a vault by using the mqsivault command

Before you can store encrypted credentials for an integration node or integration server, you must configure an App Connect Enterprise vault. You can use the mqsivault command to configure the following types of vault:
  • Integration node vault (for use by an integration node and its managed integration servers)
  • Integration server vault (for use by a specific integration server)
  • External directory vault (for use by any number of integration servers)

You can use the mqsivault command to create or destroy a vault, to change or verify a vault key, or to retrieve credentials from the vault. The vault stores the credentials in encrypted form, and the integration node or server uses them to access secured resources.

You can copy the contents of one vault into another by using the export and import options of the mqsivault command. Use the --export parameter to copy the contents of the source vault into a temporary archive (.zip file), and then use the --import parameter to import the contents of that archive into the target vault. The vault entries in the archive are encrypted symmetrically with an archive key, and the same key is used to decrypt them.

For more information about how to use this command, see mqsivault command.

Creating a vault by using the mqsicreatebroker command

If you create an integration node by running the mqsicreatebroker command, you can create a vault for that integration node by specifying either the --vault-key or --vaultrc-location parameter. For more information about how to use the command, see mqsicreatebroker command.

Configuring encrypted credentials by using the mqsicredentials command

You can use the mqsicredentials command to create, report, update, and delete credentials for a specific integration server or for an integration node and the integration servers that it manages. You can also use the mqsicredentials command for credentials in an external directory vault, to create, report, update, and delete credentials for all the integration servers that are configured to use that external directory vault.

For information about how to use the command, see mqsicredentials command.

Creating and viewing credentials by using the administration REST API

You can use the IBM App Connect Enterprise administration REST API to create or report security credentials for an integration node or server. For information about using the administration REST API, see REST API for administering integration servers.

Viewing credentials by using the web user interface

You can use the IBM App Connect Enterprise web user interface to view credentials for an integration node or server.

To display information about a credential, start the web user interface to view the relevant integration server, and then click the tile for the credential that you want to view. The properties for that credential are displayed, including the user name, authentication type, credentials provider, whether the credential is read-only, and whether a password has been set. For information about how to start the web user interface, see Accessing the web user interface.