Protection of database authentication details

If you are using user name and password authentication to connect to the database manager, you can store the credentials in the MQ XA credentials store to avoid storing the password in plain text in the qm.ini file.

Update XAOpenString for the resource manager

To use the credentials store, you must modify XAOpenString in the qm.ini file. This string is used to connect to the database manager. You specify replaceable fields to identify where the user name and password are substituted within the XAOpenString string.
  • The +USER+ field is replaced with the user name value stored in the XACredentials store.
  • The +PASSWORD+ field is replaced with the password value stored in the XACredentials store.

The following examples show how to modify an XAOpenString to use the credentials file to connect to the database.

Connecting to a Db2® database

XAResourceManager:
  Name=mydb2
  SwitchFile=db2swit
  XAOpenString=db=mydbname,uid=+USER+,pwd=+PASSWORD+,toc=t
  ThreadOfControl=THREAD

Connecting to an Oracle database

XAResourceManager:  
  Name=myoracle
  SwitchFile=oraswit
  XAOpenString=Oracle_XA+Acc=P/+USER+/+PASSWORD++SesTm=35
            +LogDir=/tmp+threads=true
  ThreadOfControl=THREAD
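
An added example, not part of the original page or of IBM's tooling: a small Python audit that parses qm.ini text and reports XAResourceManager stanzas whose XAOpenString still carries a literal password instead of the +PASSWORD+ field. The sample stanzas, the legacydb resource and its password are constructed, and joining a wrapped XAOpenString line (as in the Oracle example) is an assumption about the file layout.

```python
import re

# Constructed qm.ini excerpt: two stanzas use the page's placeholder form,
# the hypothetical "legacydb" stanza still embeds a plain-text password.
SAMPLE_QM_INI = """\
XAResourceManager:
  Name=mydb2
  XAOpenString=db=mydbname,uid=+USER+,pwd=+PASSWORD+,toc=t
XAResourceManager:
  Name=myoracle
  XAOpenString=Oracle_XA+Acc=P/+USER+/+PASSWORD++SesTm=35
            +LogDir=/tmp+threads=true
XAResourceManager:
  Name=legacydb
  XAOpenString=db=olddb,uid=appuser,pwd=Constructed-Pw-1,toc=t
"""

# Password position in the two open-string layouts shown on the page.
PWD_RE = re.compile(r"pwd=([^,]*)|Acc=P/[^/]*/(.*?)(?:\+\w+=|$)", re.I)

def xa_open_strings(text):
    """Return {resource name: XAOpenString} for each XAResourceManager stanza."""
    stanzas, attrs, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line and not raw[0].isspace() and line.endswith(":"):  # stanza header
            attrs, last = ({} if line == "XAResourceManager:" else None), None
            if attrs is not None:
                stanzas.append(attrs)
        elif attrs is None or not line or line[0] in "#;":
            continue
        elif line.startswith("+") and last == "XAOpenString":
            attrs[last] += line  # assumption: wrapped value, as in the page's example
        elif "=" in line:
            last, value = (part.strip() for part in line.split("=", 1))
            attrs[last] = value
    return {a.get("Name", "?"): a["XAOpenString"] for a in stanzas if "XAOpenString" in a}

def plaintext_passwords(text):
    """Names of resources whose XAOpenString carries a literal password."""
    flagged = []
    for name, open_string in xa_open_strings(text).items():
        m = PWD_RE.search(open_string)
        if m and (m.group(1) or m.group(2) or "+PASSWORD+") != "+PASSWORD+":
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(plaintext_passwords(SAMPLE_QM_INI))  # ['legacydb']
```

To check a real file, pass its contents to plaintext_passwords().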

Work with the credentials for the database in the MQ XA credentials store

After you update the qm.ini file with the replaceable credential strings, you must add the user name and password to the MQ credentials store by using the setmqxacred command. You can also use setmqxacred to modify existing credentials, delete credentials, or list credentials. The following examples give some typical use cases:

Adding credentials
The following command securely saves the user name and password for the queue manager QM1 for the resource mydb2.

setmqxacred -m QM1 -x mydb2 -u user1 -p Password2

Updating credentials
To update the user name and password used to connect to a database, reissue the setmqxacred command with the new user name and password:

setmqxacred -m QM1 -x mydb2 -u user3 -p Password4

You must restart the queue manager for the changes to take effect.

Deleting credentials
The following command deletes the credentials:

setmqxacred -m QM1 -x mydb2 -d

Listing credentials
The following command lists credentials:

setmqxacred -m QM1 -l