Encrypting stored passwords in MQIPT
The MQIPT configuration might include passwords to access various resources, as well as the password to access MQIPT using the command port. From IBM® MQ 9.2.0, all these passwords should be protected by being encrypted.
About this task
In versions earlier than IBM MQ 9.2.0 (or earlier than IBM MQ 9.1.4 for Continuous Delivery), only passwords that are used by MQIPT to access key rings or cryptographic hardware key stores can be encrypted. The encrypted passwords are stored in files referenced by any of the SSL*KeyRingPW properties. Other passwords for LDAP servers and the MQIPT access password are stored in plain text in the mqipt.conf configuration file.
From IBM MQ 9.2.0 (or from IBM MQ 9.1.5 for Continuous Delivery), all stored passwords for use by MQIPT should be protected by encrypting the password with the mqiptPW command. The encrypted passwords are stored as property values in the mqipt.conf configuration file. MQIPT is able to distinguish between encrypted passwords, plain text passwords, and file names in property values. You should encrypt all passwords stored for use by MQIPT in this way as it is the most secure protection method.
If a plain text or weakly protected password is present in the MQIPT configuration, a warning message is issued either when MQIPT starts or when a route starts.
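A check that can run before MQIPT starts, as an added example that is not part of the original page or IBM's tooling: it lists the password properties in mqipt.conf whose values are not in encrypted form, without ever printing the values. Assumptions: encrypted values begin with `<mqiptPW>`, password properties end in `PW` or `Password`, `#` starts a comment line, and the sample configuration is constructed.

```python
import re

# Assumption: values produced by mqiptPW start with this marker. Confirm it
# against mqiptPW output on your own installation before relying on it.
ENCRYPTED_PREFIX = "<mqiptPW>"

# Assumption (heuristic): password-bearing properties end in "PW" or
# "Password", which covers the SSL*KeyRingPW family named on this page.
PASSWORD_PROP = re.compile(r"(PW|Password)$")


def audit_mqipt_conf(text, prefix=ENCRYPTED_PREFIX):
    """Return [(line_no, section, property)] for password properties whose
    value is not in encrypted form (plain text or a password-file reference).
    The value itself is never returned, so findings are safe to log."""
    findings = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed comment syntax
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        # Split on the first "=" only: encrypted values may contain "=".
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if sep and PASSWORD_PROP.search(name) and value and not value.startswith(prefix):
            findings.append((line_no, section, name))
    return findings


# Constructed sample configuration; every value here is made up.
SAMPLE_CONF = """\
[global]
AccessPW=<mqiptPW>1!Q09OU1RSVUNURUQ=!U0FNUExF
LDAPServer1Password=example-ldap-secret

[route]
Name=constructed-route
ListenerPort=1415
SSLServerKeyRingPW=/opt/example/ssl/server.pwd
"""

if __name__ == "__main__":
    for line_no, section, name in audit_mqipt_conf(SAMPLE_CONF):
        print(f"line {line_no} [{section}] {name}: not encrypted with mqiptPW")
```

A file reference and a plain text value cannot be told apart by inspection alone, so both are reported for review.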
Use this procedure to encrypt a password to be stored for use by MQIPT using the latest protection method. To encrypt a key ring password in MQIPT before IBM MQ 9.2.0 (or IBM MQ 9.1.4 or earlier for Continuous Delivery), follow the steps in Encrypting a key ring password before MQIPT in IBM MQ 9.2.0.