Securing Managed File Transfer
Directly after installation and with no modification, Managed File Transfer has a level of security that might be suitable for test
or evaluation purposes in a protected environment. However, in a production environment, you must
consider appropriately controlling who can start file transfer operations, who can read and write
the files being transferred, and how to protect the integrity of files.
Encrypting stored credentials in MFT
The Managed File Transfer (MFT) configuration contains several user IDs and passwords. These credentials are stored in two XML files. You can obfuscate these credentials by using the fteObfuscate command.
MFT and IBM MQ connection authentication
Connection authentication allows a queue manager to be configured to authenticate applications by using a provided user ID and password. If the associated queue manager has security enabled, and requires credential details (user ID and password), the connection authentication feature must be enabled before a successful connection to a queue manager can be made. Connection authentication can be run in compatibility mode or MQCSP authentication mode.
MFT sandboxes
You can restrict the area of the file system that the agent can access as part of a transfer. The area that the agent is restricted to is called the sandbox. You can apply restrictions to either the agent or to the user that requests a transfer.
Configuring SSL or TLS encryption for MFT
You can use SSL or TLS with IBM MQ Managed File Transfer to secure the communication between agents and their agent queue managers, between commands and the queue managers that they are connecting to, and across the various queue manager to queue manager connections within your topology.
Connecting to a queue manager in client mode with channel authentication
IBM MQ uses channel authentication records to control access more precisely at a channel level. This means that, by default, newly created queue managers reject client connections from the Managed File Transfer component.
Configuring SSL or TLS between the Connect:Direct bridge agent and the Connect:Direct node
Configure the Connect:Direct® bridge agent and the Connect:Direct node to connect to each other through the SSL protocol by creating a keystore and a truststore, and by setting properties in the Connect:Direct bridge agent properties file.