fteObfuscate (encrypt sensitive data)

The fteObfuscate command encrypts sensitive data in credentials files. This stops the contents of credentials files being read by someone who gains access to the file. From IBM® MQ 9.2.0, the command provides a more secure credentials protection method to improve the encryption.

Purpose

User name and password properties in credentials files can be encrypted. These properties are transformed to a new related property, with a Cipher suffix. For example:
<!--
  MQMFTCredentials properties before
-->
<tns:logger name="logger1" user="user1" password="passw0rd" />
<tns:file path="$HOME/trust.jks" password="passw0rd" />

<!--
  MQMFTCredentials properties after
-->
<tns:logger name="logger1" userCipher="e71vKCg2pf" passwordCipher="se71vKCg" />
<tns:file path="$HOME/trust.jks" passwordCipher="e71vKCg2pf" />

<!--
  ProtocolBridgeCredentials Properties before
-->
<tns:user name="Fred" serverUserId="fred" serverPassword="passw0rd" />

<!--
  ProtocolBridgeCredentials properties after
-->
<tns:user name="Fred" serverUserIdCipher="e51vVCg2pf" serverPasswordCipher="se51vBCg" />

<!--
  ConnectDirectCredentials properties before
-->
<tns:user name="fteuser" ignorecase="true" pattern="wildcard"
          cdUserId="cdUser" cdPassword="cdPassword" pnodeUserId="pnodeUser"
          pnodePassword="pnodePassword">
  <tns:snode name="snode1" pattern="wildcard" userId="snodeUser" password="snodePassword"/>
</tns:user>

<!--
  ConnectDirectCredentials properties after
-->
<tns:user name="fteuser" ignorecase="true" pattern="wildcard"
          cdUserIdCipher="e71vKCg2pf" cdPasswordCipher="se71vKCg"
          pnodeUserIdCipher="2f1vgCg6df" pnodePasswordCipher="e71vKCg2pf">
  <tns:snode name="snode1" pattern="wildcard" userIdCipher="e51vVCg2pf" passwordCipher="se51vBCg"/>
</tns:user>
From IBM MQ 9.2.0, the preferred formats are:
MFT

<tns:qmgr mqPasswordCipher="mqmftcred!1!kvAzYv/1aCMfSQ5igkFVmQ==!f4rX5KL7aFKHJl7Ln0X+OQ=="
          mqUserIdCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
          name="MFTQM" user="JOHNDOE"/>
ProtocolBridgeCredentials

<tns:agent name="agent3">
  <tns:serverHost name="ftpsServer"
                  keyStorePasswordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz3VA==!Q40i2rRSEMGwrx6gnRFe8g=="
                  trustStorePasswordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGKtz0VA==!Q40i2rRSEMGwrx6gnRFe8g==">
  </tns:serverHost>
</tns:agent>
ConnectDirectCredentials

<tns:agent name="CDAGENT01">
  <tns:pnode name="cdnode*" pattern="wildcard">
    <tns:user name="MUSR_.*"
              ignorecase="true"
              pattern="regex"
              cdUserIdCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
              cdPasswordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
              pnodeUserIdCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
              pnodePasswordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g==">
      <tns:snode name="cdnode2" pattern="wildcard" userId="sue"
                 passwordCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="/>
    </tns:user>
  </tns:pnode>
</tns:agent>
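As an added check, not part of the page or of IBM's MFT tooling, the following Python script audits a credentials file for the two states described above: credential attributes still stored in plaintext (no Cipher suffix) and Cipher values that are still in the pre-9.2.0 format rather than the mqmftcred!... format. The sample document, its root element and its namespace URI are constructed placeholders; the attribute names come from the examples on this page.

```python
import re
import xml.etree.ElementTree as ET

# Credential attributes that fteObfuscate replaces with a *Cipher variant (names taken from the page).
PASSWORD_ATTRS = {"password", "serverPassword", "cdPassword", "pnodePassword",
                  "keyStorePassword", "trustStorePassword", "mqPassword"}
USERID_ATTRS = {"serverUserId", "cdUserId", "pnodeUserId", "userId", "mqUserId"}
# Shape of a value produced with protection mode 1 as shown on the page: mqmftcred!<mode>!<base64>!<base64>
PROTECTED_RE = re.compile(r"^mqmftcred!(\d+)!([A-Za-z0-9+/]+=*)!([A-Za-z0-9+/]+=*)$")

# Constructed sample: one logger still in plaintext, one qmgr in the 9.2.0 format,
# one file entry in the legacy (pre-9.2.0) format. Namespace URI is a placeholder.
SAMPLE_XML = """<tns:mqmftCredentials xmlns:tns="urn:example:placeholder-namespace">
  <tns:logger name="logger1" user="user1" password="passw0rd"/>
  <tns:qmgr name="MFTQM" user="JOHNDOE"
            mqUserIdCipher="mqmftcred!1!w2PQGhQcyq1NwYzGItz0VA==!Q40i2rRSEMGwrx6gnRFe8g=="
            mqPasswordCipher="mqmftcred!1!kvAzYv/1aCMfSQ5igkFVmQ==!f4rX5KL7aFKHJl7Ln0X+OQ=="/>
  <tns:file path="$HOME/trust.jks" passwordCipher="e71vKCg2pf"/>
</tns:mqmftCredentials>"""


def audit_credentials(xml_text):
    """Return a list of (finding, element_tag, attribute) tuples for every credential attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]  # strip the namespace
        for attr, value in elem.attrib.items():
            # On a logger element 'user' is a credential (page shows it becoming userCipher);
            # on a qmgr element 'user' is a selector, not a secret, so it is not flagged.
            if attr in PASSWORD_ATTRS or (attr == "user" and tag == "logger"):
                findings.append(("plaintext-password", tag, attr))
            elif attr in USERID_ATTRS:
                findings.append(("plaintext-userid", tag, attr))
            elif attr.endswith("Cipher"):
                m = PROTECTED_RE.match(value)
                # Values without the mqmftcred! prefix were written by the deprecated mode-0 method.
                findings.append(("mode-" + m.group(1) if m else "legacy-mode-0", tag, attr))
    return findings


def summarize(findings):
    """Count findings per kind; anything other than mode-1/mode-2 is worth re-running fteObfuscate for."""
    counts = {}
    for kind, _tag, _attr in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, tag, attr in audit_credentials(SAMPLE_XML):
        print(f"{kind:20s} {tag}@{attr}")
    print(summarize(audit_credentials(SAMPLE_XML)))
```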

Syntax

From IBM MQ 9.2.0, the syntax is as follows:

fteObfuscate

fteObfuscate -f credentials_file_name [-sp protection_mode] [-sf credentials_key_file] [-o output_file_name]

If -sp is omitted, protection mode 2 is used.

Parameters

-f credentials_file_name
Required. Name of the credentials file whose contents will be encrypted.
[Deprecated] Note: This parameter replaces the -credentialsFile parameter that is deprecated from IBM MQ 9.2.0.
-sp protection_mode
Optional. The protection mode to be used for encrypting credentials. The value can be:
0
Use the credentials protection method deprecated at IBM MQ 9.2.0.
1
Use the more secure credentials protection method introduced at IBM MQ 9.2.0. For more information, see Encrypting stored credentials in MFT.
This is the default value before IBM MQ 9.3.0.
[MQ 9.3.0 Jun 2022]From IBM MQ 9.3.0, you can use protection mode 1 for compatibility with versions earlier than IBM MQ 9.3.0. However, consider migrating any stored passwords to the enhanced protection provided by setting protection mode to 2.
[MQ 9.3.0 Jun 2022] 2
Use the enhanced credentials protection mode introduced at IBM MQ 9.3.0. For more information, see Encrypting stored credentials in MFT.
This is the default from IBM MQ 9.3.0.
-sf credentials_key_file
Optional. The name of the file containing the credentials key. If this parameter is omitted, the command uses the default credentials key. For more information, see Protecting passwords in IBM MQ component configuration files.
-o output_file_name
Optional. Name of the file to output the protected credentials.
-? or -h
Optional. Displays command syntax.
[MQ 9.3.0 Jun 2022] Examples: protection mode 2 (default protection mode)

To encrypt credentials in the MQMFTCredentials.xml file using the default protection mode 2 with the latest algorithm and a fixed key, and store them in the enhanced format, issue the following command:
fteObfuscate -f /usr/home/MQMFTCredentials.xml
To encrypt credentials in the MQMFTCredentials.xml file using the default protection mode 2 with the latest algorithm and a user specified key, and store them in the enhanced format, issue the following command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -f /usr/home/MQMFTCredentials.xml
To encrypt credentials in the MQMFTCredentials.xml file using the default protection mode 2 with the latest algorithm and a user specified key, and output the encrypted credentials to another file, issue the fteObfuscate command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -sp 2 -f /usr/home/MQMFTCredentials.xml -o /usr/home/enccred.xml
To encrypt credentials in the ProtocolBridgeCredentials.xml file using the default protection mode with the latest algorithm and a user specified key, and store them in the enhanced format, issue the following command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -f /usr/home/ProtocolBridgeCredentials.xml

Examples: protection mode 1

To encrypt credentials in the MQMFTCredentials.xml file using protection mode 1 with the latest algorithm and a user specified key, and store them in the more secure format introduced at IBM MQ 9.2.0, issue the following command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -sp 1 -f /usr/home/MQMFTCredentials.xml
To encrypt credentials in the MQMFTCredentials.xml file using protection mode 1 with the latest algorithm and a user specified key, and output the encrypted credentials to another file, issue the following command:
fteObfuscate -sf /var/mqmft/credKeyfile.key -sp 1 -f /usr/home/MQMFTCredentials.xml -o /usr/home/enccred.xml

Examples: protection mode 0

To encrypt credentials in the MQMFTCredentials.xml file using the deprecated algorithm, and store them in the deprecated format, issue the following command:

fteObfuscate -f /usr/home/MQMFTCredentials.xml -sp 0
[z/OS] Using data sets on z/OS®

Encrypt a data set and output it as an XML file format:
fteObfuscate -f "//test.creds(creds)" -o enc.xml
Encrypt a data set with the key specified in the data set:
fteObfuscate -f "//test.creds(creds)" -sf "//test.creds(key)"

Return codes

0
Command completed successfully.
1
Command ended unsuccessfully.