Configuring an IBM App Connect Enterprise vault

You can configure an IBM® App Connect Enterprise vault to symmetrically encrypt and store credentials, which can then be used to access secured resources from a message flow.

Before you begin

You must install IBM App Connect Enterprise 12.0.9.0 or later to use this feature.

About this task

You can configure a vault by using the mqsivault command, and then use the mqsicredentials command to encrypt credentials and store them in the vault. Before the IBM App Connect Enterprise vault feature was introduced in V11.0.0.6, credential information was configured by using the mqsisetdbparms command. That command obfuscates the credentials with a private algorithm when it stores them on disk, but it does not encrypt them. The mqsisetdbparms command is still supported, but if you want to use symmetric encryption, you must use the mqsivault and mqsicredentials commands.

You can configure an App Connect Enterprise vault to be used as an integration node vault, an integration server vault, or an external directory vault (in IBM App Connect Enterprise 12.0.9.0 or later):
Integration node vault
In versions of IBM App Connect Enterprise before V12.0.9.0, the integration node vault stored credentials that could be used only by the integration node and the integration node-wide HTTP listener. In IBM App Connect Enterprise 12.0.9.0, the integration node vault can be used by the integration node, the integration node-wide HTTP listener, and any integration servers that are managed by the integration node. Credentials can therefore be stored in one place and shared by all the integration servers that the integration node manages. In IBM App Connect Enterprise 12.0.9.0, you can also configure an integration node to use an external directory vault. Credentials stored in the configured external directory vault are available for use by the integration node, the integration node-wide HTTP listener, and any integration servers that are managed by the integration node.
Integration server vault
An integration server vault is an App Connect Enterprise vault that is configured to be used by a specific integration server, and is located in the integration server's work directory.
External directory vault
An external directory vault is an App Connect Enterprise vault that can be shared by any number of integration servers. The external directory vault is created in a directory that is external to the integration server, rather than the integration server's work directory. You choose the location in the file system in which to create the vault, and then configure each integration server to use it by specifying its unique location. You can also configure integration nodes to use an external directory vault.

For an overview of the methods that you can use to create a vault and create or view credentials, see Configuring encrypted security credentials. For information about configuring credentials by using a command, see the mqsicredentials command. For information about creating a vault by using commands, see the mqsivault command and mqsicreatebroker command.

Procedure

Configure an App Connect Enterprise vault by completing the steps in one of the following topics: