Configuring encrypted security credentials
You can configure integration nodes and integration servers to connect to secured resources by using credentials that are stored in encrypted form in an IBM® App Connect Enterprise vault.
Before you can store encrypted credentials for an integration node or integration server, you must configure an App Connect Enterprise vault. You can configure security credentials by using commands, the IBM App Connect Enterprise Toolkit, or the administration REST API, and you can view credentials by using the Toolkit or the web user interface. The encrypted credentials are stored in a vault, which can be an integration server vault, an integration node vault, or an external directory vault. An external directory vault can be shared by multiple integration servers and integration nodes. You can configure these vaults by using commands or the IBM App Connect Enterprise Toolkit. For more information about configuring a vault, see Configuring an IBM App Connect Enterprise vault.
Alternatively, you can use the mqsisetdbparms command to associate credentials with resources that are accessed by an integration server or an integration node. For more information, see mqsisetdbparms command.
Managing credentials by using the IBM App Connect Enterprise Toolkit
You can use the IBM App Connect Enterprise Toolkit to create an external directory vault and to create, view, update, or delete credentials in the vault. You can also use the Toolkit to manage credentials in an integration server vault. For information about using the Toolkit to create a vault and manage credentials, see Managing credentials in an external directory vault by using the IBM App Connect Enterprise Toolkit.
Managing vaults and credentials by using the ibmint security commands
Command name | Topic reference |
---|---|
ibmint create vault | ibmint create vault command |
ibmint delete vault | ibmint delete vault command |
ibmint display credentials | ibmint display credentials command |
ibmint display credential-types | ibmint display credential-types command |
ibmint export credentials | ibmint export credentials command |
ibmint import credentials | ibmint import credentials command |
ibmint set credential | ibmint set credential command |
ibmint unset credential | ibmint unset credential command |
ibmint update vault-key | ibmint update vault-key command |
ibmint update vaultrc | ibmint update vaultrc command |
Creating a vault by using the mqsivault command
You can use the mqsivault command to create any of the following types of vault:
- Integration node vault (for use by an integration node and its managed integration servers)
- Integration server vault (for use by a specific integration server)
- External directory vault (for use by any number of integration servers)
You can use the mqsivault command to create or destroy a vault, to change or verify a vault key, or to retrieve credentials from the vault. The vault stores the credentials in encrypted form, and the integration node or server uses them to access secured resources.
You can copy the contents of a vault into another vault by using the import and export options of the mqsivault command. You can use the --export parameter to copy the contents of a vault into a temporary archive (.zip file) and then use the --import parameter to import the contents of the archive file into the target vault. The vault entries are stored in the archive using an archive key to symmetrically encrypt and decrypt the values.
For more information about how to use this command, see mqsivault command.
Creating a vault by using the mqsicreatebroker command
If you create an integration node by running the mqsicreatebroker command, you can create a vault for that integration node by specifying either the --vault-key or --vaultrc-location parameter. For more information about how to use the command, see mqsicreatebroker command.
Configuring encrypted credentials by using the mqsicredentials command
You can use the mqsicredentials command to create, report, update, and delete credentials for a specific integration server or for an integration node and the integration servers that it manages. You can also use the mqsicredentials command for credentials in an external directory vault, to create, report, update, and delete credentials for all the integration servers that are configured to use that external directory vault.
For information about how to use the command, see mqsicredentials command.
Creating and viewing credentials by using the administration REST API
You can use the IBM App Connect Enterprise administration REST API to create or report security credentials for an integration node or server. For information about using the administration REST API, see REST API for administering integration servers.
Viewing credentials by using the web user interface
You can use the IBM App Connect Enterprise web user interface to view credentials for an integration node or server.
To display information about the credential, start the web user interface to view the relevant integration server, and then click the tile for the credential that you want to view. The properties for that credential are displayed, including the user name, authentication type, credentials provider, whether the credential is read-only, and whether a password has been set.
Credentials stored in the vault are encrypted using AES-256 encryption. The provided vault key serves as both the encryption and decryption key for securing the credentials.
For information about how to start the web user interface, see Accessing the web user interface.