[MQ 9.2.0 Jul 2020]

Encrypting stored passwords in MQIPT

The MQIPT configuration might include passwords to access various resources, as well as the password to access MQIPT using the command port. From IBM® MQ 9.2.0, all these passwords should be protected by being encrypted.

About this task

In versions earlier than IBM MQ 9.2.0 (or earlier than IBM MQ 9.1.4 for Continuous Delivery), only passwords that are used by MQIPT to access key rings, or cryptographic hardware key stores, can be encrypted. The encrypted passwords are stored in files referenced by any of the SSL*KeyRingPW properties. Other passwords for LDAP servers and the MQIPT access password are stored in plain text in the mqipt.conf configuration file.

From IBM MQ 9.2.0 (or from IBM MQ 9.1.5 for Continuous Delivery), all stored passwords for use by MQIPT should be protected by encrypting the password with the mqiptPW command. The encrypted passwords are stored as property values in the mqipt.conf configuration file. MQIPT is able to distinguish between encrypted passwords, plain text passwords, and file names in property values. You should encrypt all passwords stored for use by MQIPT in this way as it is the most secure protection method.

The method of encrypting key store passwords used in MQIPT prior to IBM MQ 9.2.0 (or prior to IBM MQ 9.1.4 for Continuous Delivery) is deprecated, but can still be used for configuration properties that were available prior to IBM MQ 9.2.0. To improve the protection of key ring passwords, re-encrypt any key ring passwords that have previously been encrypted, using the latest protection method.
Note: The SSLCommandPortKeyRingPW property in the mqipt.conf configuration file, and the SSLClientCAKeyRingPW property in the mqiptAdmin properties file, cannot refer to password files. The values of these properties must be set to the encrypted password string output by the mqiptPW command.

If a plain text or weakly protected password is present in the MQIPT configuration, a warning message is issued either when MQIPT starts or when a route starts.

Use this procedure to encrypt a password to be stored for use by MQIPT using the latest protection method. To encrypt a key ring password in MQIPT before IBM MQ 9.2.0 (or IBM MQ 9.1.4 or earlier for Continuous Delivery), follow the steps in Encrypting a key ring password before MQIPT in IBM MQ 9.2.0.

Procedure

  1. Optional: Create a file containing the password encryption key, if you do not already have one.
    MQIPT uses an encryption key to encrypt passwords. You can specify your own encryption key in a file. The file must contain at least one character, and only one line of text.

    The same password encryption key is used to encrypt and decrypt all stored passwords for an instance of MQIPT. Therefore, you need only a single password encryption key file for each MQIPT installation.

    You can use a different password encryption key to encrypt passwords stored in the mqiptAdmin properties file than the encryption key used to encrypt passwords in the MQIPT configuration.

    If you are planning to run MQIPT as a service that is automatically started, you must create the password encryption key file with the default name of mqipt_cred.key, and place it in the MQIPT home directory.

    You do not have to specify a password encryption key; however, it is more secure to do so. If you do not specify your own encryption key, the default encryption key is used.
    Note: You must ensure that appropriate file permissions are set on the password encryption key file to prevent any unauthorized users from reading the encryption key. Only the user that runs the mqiptPW command and the user under which MQIPT runs need authority to read the password encryption key.
  2. Encrypt the password using the mqiptPW command.
    The syntax of the mqiptPW command is described in mqiptPW (encrypt stored password).
    If you created a password encryption key file in step 1, specify the file name using the -sf parameter to mqiptPW. For example, the following command can be issued to encrypt a password using the encryption key in the file specified by the -sf parameter:
    mqiptPW -sf /opt/mqipt/mqipt_password.key
  3. Enter the password to be encrypted when prompted.
    The encrypted password will be output by mqiptPW.
  4. Copy the encrypted password into the appropriate property in the mqipt.conf configuration file, or the mqiptAdmin properties file.
    For example, the following line specifies an encrypted password for the MQIPT access password:
    AccessPW=<mqiptPW>1!QL+2Jvj/tigKKlD7Nz8Oqw==!AMDBefOUrmPf5i1OuqV5MA==
  5. Start MQIPT. If you created a password encryption key file in step 1 with a name other than the default name, specify the name of the encryption key file when starting MQIPT.
    You can specify the name of the password encryption key file using the -sf parameter when starting MQIPT. For example, issue the following command to start MQIPT using the encryption key in the file specified by the -sf parameter:
    mqipt /opt/mqipt -sf /opt/mqipt/mqipt_password.key

    For information about other methods to specify the password encryption key file name when starting MQIPT, see Specifying the password encryption key.

    You can specify the name of the password encryption key file for the mqiptAdmin command using the PasswordProtectionKeyFile property in the mqiptAdmin properties file.
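    The following script is an added example, not IBM code, that performs the checks a reviewer would make after completing this procedure: it classifies each password property in an mqipt.conf as encrypted (the <mqiptPW> form shown in step 4), a password file (the deprecated method) or plain text, and verifies the constraints on the key file from steps 1 and 2. The set of password property names, the exact token shape (taken from the page's one example) and the use of a filesystem check to recognise file references are this script's assumptions.

```python
import os
import re
import stat

# Properties whose values hold passwords: AccessPW and SSL*KeyRingPW are named on
# the page; matching LDAP*PW as well is an assumption about the LDAP property names.
PASSWORD_PROP = re.compile(r"^(AccessPW|SSL\w*KeyRingPW|LDAP\w*PW)$")
# Shape of mqiptPW output as shown on the page: "<mqiptPW>", a version digit, then
# two "!"-separated base64 fields. What the fields contain is not documented here.
ENCRYPTED = re.compile(r"^<mqiptPW>\d+!([A-Za-z0-9+/]+=*)!([A-Za-z0-9+/]+=*)$")

def classify(prop, value):
    """'encrypted', 'file' (deprecated password-file method) or 'plaintext'."""
    if ENCRYPTED.match(value):
        return "encrypted"
    # Only SSL*KeyRingPW properties other than SSLCommandPortKeyRingPW may name a
    # password file. Testing the filesystem for that is this script's assumption.
    if prop.endswith("KeyRingPW") and prop != "SSLCommandPortKeyRingPW" \
            and os.path.isfile(value):
        return "file"
    return "plaintext"

def audit_conf(text):
    """Return [(section, prop, classification)] for each password property in mqipt.conf text."""
    findings, section = [], "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            prop, value = (s.strip() for s in line.split("=", 1))
            if PASSWORD_PROP.match(prop):
                findings.append((section, prop, classify(prop, value)))
    return findings

def key_file_problems(content, mode):
    """Check key-file text and its st_mode: one non-empty line, readable only by its owner."""
    problems, lines = [], content.splitlines()
    if len(lines) != 1 or not lines[0]:
        problems.append("must contain exactly one non-empty line")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group or others; chmod 600")
    return problems

def check_key_file(path):
    """Apply key_file_problems to a real key file such as mqipt_cred.key."""
    with open(path, encoding="utf-8") as f:
        return key_file_problems(f.read(), os.stat(path).st_mode)

# Constructed sample mqipt.conf; the AccessPW value is the page's own example.
SAMPLE_CONF = """\
[global]
AccessPW=<mqiptPW>1!QL+2Jvj/tigKKlD7Nz8Oqw==!AMDBefOUrmPf5i1OuqV5MA==
SSLCommandPortKeyRingPW=changeit
[route]
SSLClientKeyRingPW=/nonexistent/clientkeyring.pwd
"""

if __name__ == "__main__":
    for section, prop, kind in audit_conf(SAMPLE_CONF):
        flag = "" if kind == "encrypted" else "  <-- re-encrypt with mqiptPW"
        print(f"[{section}] {prop}: {kind}{flag}")
```

    Every value reported as plaintext or file corresponds to a property for which MQIPT issues a warning at startup or route start, so the report should be empty apart from encrypted entries before the configuration is deployed.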