Map user credentials in WebSphere® MQ Managed File Transfer to user credentials on
the file server by using the default credential mapping function of
the protocol bridge agent. WebSphere MQ Managed File Transfer provides
an XML file that you can edit to include your credential information.
About this task
The
ProtocolBridgeCredentials.xml file
must be manually created by the user. By default, the location of
this file is the home directory of the user who started the protocol
bridge agent
, but this can be stored anywhere on the
file system accessible by the agent. To specify a different location,
add the <credentialsFile> element to the
ProtocolBridgeProperties.xml file.
For example,
<tns:credentialsFile path="/example/path/to/ProtocolBridgeCredentials.xml"/>
Before
you can use a protocol bridge agent, set up credential mapping by
editing this file to include host, user, and credential information.
For more information and samples, see
Protocol bridge credentials file format.
Procedure
- Edit the line
<tns:server
name="server name">
to change the value
of the name attribute to the server name in the ProtocolBridgeProperties.xml file. Protocol bridge agents that are created for Version 7.0.4
and earlier do not have a ProtocolBridgeProperties.xml file
(or related user exits), so for Version 7.0.4.1 and later the server
name is automatically assigned the server's host name. Therefore,
if you use an updated ProtocolBridgeCredentials.xml file
with <server> entries, a name corresponding to the server's host
name will match.
You can use the pattern attribute to specify
that you used a server name that contains wildcards or regular expressions.
For example,
<tns:server name="serverA*" pattern="wildcard">
- Insert user ID and credential information into the file
as child elements of
<tns:server>
. You
can insert one or many of the following elements into the file:
- If the protocol file server
is an FTP, FTPS, or SFTP server, you can use passwords to authenticate
the user requesting the transfer. Insert the following lines into
the file:
<tns:user name="FTE User ID"
serverUserId="Server User ID"
serverPassword="Server Password">
</tns:user>
Then change the value of the attributes.
name
is a Java regular
expression to match the MQMD user ID associated with the MQMFT transfer request
serverUserId
is the value that is passed to the
protocol file server as the login user ID. If the serverUserId
attribute
is not specified, the MQMD user ID associated with the MQMFT transfer request is
used instead
serverPassword
is the password that is associated
with the serverUserId
.
The name
attribute can contain
a Java regular expression. The
credential mapper attempts to match the MQMD user ID of the MQMFT transfer request to
this regular expression. The protocol bridge agent attempts to match
the MQMD user ID to the regular expression in the name attribute of
the <tns:user> elements in the order that the elements exist in
the file. When a match is found the protocol bridge agent does not
look for more matches. If a match is found, the corresponding serverUserId
and serverPassword
values
are passed to the protocol file server as the login user ID and password.
The MQMD user ID matches are case-sensitive.
- If the protocol file server is an SFTP server, you can use public
and private keys to authenticate the user requesting the transfer.
Insert the following lines into the file and change the value of the
attributes. The <tns:user> element can contain one or many <tns:privateKey>
elements.
<tns:user name="FTE User ID"
serverUserId="Server User ID"
hostKey="Host Key">
<tns:privateKey associationName="association"
keyPassword="Private key password">
Private key file text
</tns:privateKey>
</tns:user>
name
is a Java regular
expression to match the MQMD user ID associated with the MQMFT transfer request
serverUserId
is the value that is passed to the
protocol file server as the login user ID. If the serverUserId
attribute
is not specified, the MQMD user ID associated with the MQMFT transfer request is
used instead
hostKey
is the expected key that is returned
from the server when logging on
key
is the private key of the serverUserId
keyPassword
is the password for the key to generate
public keys
associationName
is a value that is used to identify
for trace and logging purposes
The name
attribute can contain a Java regular expression. The credential mapper
attempts to match the MQMD user ID of the MQMFT transfer request to
this regular expression. The protocol bridge agent attempts to match
the MQMD user ID to the regular expression in the name attribute of
the <tns:user> elements in the order that the elements exist in
the file. When a match is found the protocol bridge agent does not
look for more matches. If a match is found, the corresponding serverUserId
and key
values
are used to authenticate the MQMFT user with the protocol
file server. The MQMD user ID matches are case-sensitive.For more
information about using private keys with a protocol bridge agent,
see Example: How to configure a protocol bridge agent to use private key credentials with a UNIX SFTP server.