mqsicredentials command

Use the mqsicredentials command to encrypt credentials and store them in the IBM® App Connect Enterprise vault. These credentials can then be used by an integration node or integration server to access secured resources.

Supported platforms

  • Windows
  • Linux®
  • AIX®

Purpose

Use the mqsicredentials command to create, update, retrieve, or delete the security credentials for resources that are used by an integration node or integration server. The credentials are stored in an encrypted form in the App Connect Enterprise vault. For more information about storing credentials in the IBM App Connect Enterprise vault, see Configuring encrypted security credentials.

For information about configuring a vault, see mqsivault command.

The security credentials that you set are used for connections to the following resources:
Credential type  Resource requiring credentials for access
cd               IBM Sterling Connect:Direct® server
cics             CICS® Transaction Server for z/OS®
eis              External Enterprise Information System (EIS), such as SAP, Siebel, JD Edwards, or PeopleSoft
elk              Elasticsearch, Logstash, and Kibana (ELK) server
email            Email server
ftp              FTP server
http             SOAP and HTTP request nodes for static ID identity propagation when using basic authentication (basicAuth): SOAPRequest, SOAPAsyncRequest, HTTPRequest, and HTTPAsyncRequest nodes
httpproxy        HTTP proxy server that requires a user name and password
ims              IMS Connect server
jdbc             JDBC type 4 connection
jms              JMS resource
jndi             JNDI resource
kafka            Kafka cluster that requires a user name and password
kerberos         The Kerberos Key Distribution Center (KDC)
keystore         Web user interface keystore password
keystorekey      The key inside the keystore (for use when the key inside the keystore is protected by a password that is different from the password used to open the keystore)
ldap             Lightweight Directory Access Protocol (LDAP) bind credentials
loopback         Loopback connector resource
mq               Secured IBM MQ queue manager
mqtt             Secured MQTT server
odbc             ODBC data source name (DSN) that is accessed from a message flow
odm              Operational Decision Manager (ODM) Rule Execution Server
rest             External REST API
salesforce       Salesforce connection
sftp             Connection to an SFTP server
smtp             Connection to an SMTP server
soap             SOAP request and reply nodes for static ID identity propagation when using WS-Security while connecting to or replying from a web service (SOAPRequest, SOAPAsyncRequest, and SOAPReply nodes)
truststore       Integration server or integration node truststore
truststorekey    The key inside the truststore (for use when the key inside the truststore is protected by a password that is different from the password used to open the truststore)
wsrr             WebSphere® Service Registry and Repository
wxs              WebSphere eXtreme Scale grid

Syntax

Create or update credentials

mqsicredentials
    { --work-dir workpath
    | integrationNodeName [ --integration-server integrationServerName | --all-integration-servers ]
    | --integration-connection-file fileName [ --integration-server integrationServerName | --all-integration-servers ]
    | --admin-host hostname --admin-port port [ --integration-server integrationServerName | --all-integration-servers ] }
    { --create | --update }
    --credential-type type
    --credential-name name
    [ --vault-key vaultKey | --vaultrc-location mqsivaultrc_file_location ]
    [ --api-key APIKey ] [ --username userName ] [ --password password ]
    [ --ssh-identity-file file ] [ --passphrase phrase ]
    [ --client-id identity ] [ --client-secret secret ]
    [ --trace traceFileName ]

Report

mqsicredentials
    { --work-dir workpath
    | integrationNodeName [ --integration-server integrationServerName | --all-integration-servers ]
    | --integration-connection-file fileName [ --integration-server integrationServerName | --all-integration-servers ]
    | --admin-host hostname --admin-port port [ --integration-server integrationServerName | --all-integration-servers ] }
    --report
    [ --credential-type type ] [ --credential-name name ]
    [ --vault-key vaultKey | --vaultrc-location mqsivaultrc_file_location ]
    [ --trace traceFileName ]

Delete

mqsicredentials
    { --work-dir workpath
    | integrationNodeName [ --integration-server integrationServerName | --all-integration-servers ]
    | --integration-connection-file fileName [ --integration-server integrationServerName | --all-integration-servers ]
    | --admin-host hostname --admin-port port [ --integration-server integrationServerName | --all-integration-servers ] }
    --delete
    --credential-type type
    --credential-name name
    [ --vault-key vaultKey | --vaultrc-location mqsivaultrc_file_location ]
    [ --trace traceFileName ]

Set as default

mqsicredentials
    { --work-dir workpath
    | integrationNodeName [ --integration-server integrationServerName | --all-integration-servers ]
    | --integration-connection-file fileName [ --integration-server integrationServerName | --all-integration-servers ]
    | --admin-host hostname --admin-port port [ --integration-server integrationServerName | --all-integration-servers ] }
    --set-as-default
    --credential-type type
    --credential-name name
    [ --trace traceFileName ]

Parameters

--work-dir workpath
(Optional) This parameter specifies the path to the work directory that is used by an independent integration server (not an integration server that is managed by an integration node). If you do not specify the --work-dir parameter, you must specify either the integrationNodeName, --integration-connection-file, or --admin-host and --admin-port parameters.
integrationNodeName
(Optional) The name of the integration node that is associated with the resources for which the credentials are being created, updated, reported, or deleted. If you do not specify this parameter, you must specify either the --integration-connection-file parameter, the --admin-host and --admin-port parameters, or the --work-dir parameter.
--integration-connection-file fileName
(Optional) This parameter specifies a file containing connection parameters for an integration node or server. If you do not specify the --integration-connection-file parameter, you must specify either the integrationNodeName, the --admin-host and --admin-port parameters, or the --work-dir parameter.
--admin-host hostname
(Optional) This parameter specifies the hostname or IP address of the computer on which the integration node or integration server is running. If you do not specify the --admin-host and --admin-port parameters, you must specify either the integrationNodeName, --integration-connection-file, or --work-dir parameter.
--admin-port port
(Optional) This parameter specifies the port of the integration node or integration server. If you do not specify the --admin-host and --admin-port parameters, you must specify either the integrationNodeName, --integration-connection-file, or --work-dir parameter.
--integration-server IntegrationServerName
(Optional) Specify the name of the integration server that is associated with the resources for which the credentials are being created, updated, reported, or deleted. This parameter applies only to integration servers that are managed by an integration node. Alternatively, you can specify --all-integration-servers.
--all-integration-servers
(Optional) This parameter specifies that the command applies to all integration servers on the integration node. Alternatively, you can specify a named integration server (--integration-server IntegrationServerName). This parameter applies only to integration servers that are managed by an integration node.
--create
(Optional) Specify this parameter to create credentials in the vault, with the name and type specified by the --credential-name and --credential-type parameters.

If you do not specify this parameter, you must specify either --update, --report, --set-as-default, or --delete.

--update
(Optional) Specify this parameter to update the credentials specified by the --credential-name and --credential-type parameters.

If you do not specify this parameter, you must specify either --create, --report, --set-as-default, or --delete.

--report
(Optional) Specify this parameter to show the reportable details of an existing credential, as specified by the --credential-name and --credential-type parameters.

If you do not specify this parameter, you must specify either --create, --update, --set-as-default, or --delete.

--delete
(Optional) Specify this parameter to delete the specified credentials from the vault.

If you do not specify this parameter, you must specify either --create, --update, --set-as-default, or --report.

--set-as-default
(Optional) Use this parameter to specify that the credential that is specified by the --credential-name parameter is to be used as the default for the credential type set by the --credential-type parameter. If you set this parameter, the default credentials section of the integration server's server.conf.yaml file is updated with the specified default; for example:
Defaults:
 Credentials:
   mq: 'mymqcredential'
This credential is then used by default for the specified credential type (in this case, mq) when no credential name has been specified.

If you do not specify this parameter, you must specify either --create, --update, --delete, or --report.

--credential-name credentialName
(Optional) The name of the credential.
--credential-type credentialType
(Optional) This parameter specifies the credential type, which corresponds to the type of resource that the integration server connects to:
  • cd:

    Specify this value to set credentials for connecting an IBM Sterling Connect:Direct CDOutput node to its Connect:Direct server.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to a Connect:Direct server.

  • cics:

    Specify this value to set credentials for connecting a CICSRequest node to a CICS Transaction Server for z/OS server.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to a CICS Transaction Server for z/OS server. Password is optional.

  • eis:

    Specify this value to set credentials for connecting to an external Enterprise Information System (EIS), such as SAP, Siebel, JD Edwards, or PeopleSoft.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to an EIS.

  • elk:

    Specify this value to set credentials for connecting to an Elasticsearch, Logstash, and Kibana (ELK) server.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to an ELK server.

  • email:

    Specify this value to set credentials for connecting to an email server.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to an email server.

  • ftp:

    Specify this value to set credentials for connecting to an FTP server.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to an FTP server.

  • http:

    Specify this parameter to set credentials for static ID identity propagation with SOAP or HTTP request nodes when using basic authentication (basicAuth): SOAPRequest, SOAPAsyncRequest, HTTPRequest, and HTTPAsyncRequest nodes.

    You can use the --username userName and --password password parameters to specify the credentials for SOAP or HTTP request nodes.

  • httpproxy:

    Specify this parameter to set credentials for connecting to a secured HTTP proxy server.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to an HTTP proxy server.

  • ims:

    Specify this value to set credentials for connecting from an IMSRequest node to the IMS server.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to an IMS server.

  • jdbc:

    Specify this value to set credentials for a JDBC type 4 connection.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to a JDBC resource.

  • jms:

    Specify this value to set credentials for connecting to a JMS resource.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to a JMS resource.

  • jndi:

    Specify this value to set credentials for connecting to a JNDI resource.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to a JNDI resource.

  • kafka:

    Specify this value to set credentials for connecting to a secured Kafka cluster.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to a Kafka cluster.

  • kerberos:

    Specify this value to set credentials for connecting to the Kerberos Key Distribution Center (KDC).

    You can use the --username userName and --password password parameters to specify the credentials for connecting to a Kerberos KDC.

  • keystore:

    Specify this value to set credentials for opening the web user interface keystore.

    You can use the --password password parameter to specify the credentials for opening the web user interface keystore.

  • keystorekey:

    Specify this value to set credentials for opening a key inside the web user interface keystore.

    You can use the --password password parameter to specify the credentials for opening the key inside the keystore (for use when the key inside the keystore is protected by a password that is different from the password used to open the keystore).

  • ldap:

    Specify this value to set Lightweight Directory Access Protocol (LDAP) bind credentials.

    You can use the --username userName and --password password parameters to specify the credentials for binding to an LDAP server.

  • loopback:

    Specify this value to set credentials for a connection that is made through a LoopBack® connector.

    You can use the following parameters to specify the credentials for connecting through a LoopBack connector:
    • --username userName and --password password
    • --username userName, --password password, --client-id clientIdentity, and --client-secret clientSecret
  • mq:

    Specify this value to set credentials for connecting to a secured IBM MQ queue manager.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to an IBM MQ queue manager.

  • mqtt:

    Specify this value to set credentials for connecting to a secured external MQTT server, which the integration server uses to publish its event messages.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to an external MQTT server.

  • odbc:

    Specify this value to set credentials for an Open Database Connectivity (ODBC) data source name (DSN) that is accessed from a message flow.

    You can use the --username userName and --password password parameters to specify the credentials for accessing an ODBC DSN from a message flow.

  • odm:

    Specify this value to set credentials for an IBM Operational Decision Manager (ODM) Rule Execution Server that is accessed from a message flow by using an ODM Server policy.

    You can use the --username userName and --password password parameters to specify the credentials for accessing an ODM Rule Execution Server from a message flow.

  • rest:

    Specify this value to set credentials for authenticating a connection to an external REST API.

    You can use the following parameters to specify the credentials for connecting to an external REST API:
    • --api-key APIKey
    • --username userName and --password password
    • --api-key APIKey, --username userName, and --password password
  • salesforce:

    Specify this value to set credentials for authenticating a connection to a Salesforce system.

    You can specify the credentials for accessing a Salesforce system by using the --username userName, --password password, --client-id clientIdentity, and --client-secret clientSecret parameters.

  • sftp:

    Specify this value to set credentials for authenticating a connection to an SFTP server.

    To access an SFTP server, you must specify either the --password password or --ssh-identity-file identityFile parameter, but not both. If you specify an identity file, you must also specify a passphrase by using the --passphrase parameter. If the identity file does not require a passphrase, you must supply an empty passphrase.

  • smtp:

    Specify this value to set credentials for authenticating a connection to an SMTP server.

    You can use the --username userName and --password password parameters to specify the credentials for connecting to an SMTP server.

  • soap:

    Specify this value to set credentials for static ID identity propagation with SOAP request and reply nodes when using WS-Security while connecting to or replying from a web service (SOAPRequest, SOAPAsyncRequest, and SOAPReply nodes).

    You can use the --username userName and --password password parameters to specify the credentials for these connections.

  • truststore:

    Specify this value to set credentials for connecting to an integration server truststore.

    You can use the --password password parameter to specify the credentials for connecting to a truststore.

  • truststorekey:

    Specify this value to set credentials for opening a key inside the integration server truststore.

    You can use the --password password parameter to specify the credentials for opening the key inside the truststore (for use when the key inside the truststore is protected by a password that is different from the password used to open the truststore).

  • wsrr:

    Specify this value to set credentials for connecting to a WebSphere Service Registry and Repository.

    You can use the --username userName and --password password parameters to specify the credentials for accessing a WebSphere Service Registry and Repository.

  • wxs:

    Specify this value to set credentials for connecting to a secure WebSphere eXtreme Scale grid.

    You can use the --username userName and --password password parameters to specify the credentials for accessing a WebSphere eXtreme Scale grid.

--vault-key vaultKey
(Optional) The vault key that will be used to access the vault where the credential is stored. You can specify either the --vault-key or --vaultrc-location parameter, or you can set the MQSI_VAULT_KEY or MQSI_VAULTRC_LOCATION environment variable. If you specify none of these, the .mqsivaultrc file will be looked for in your HOME directory.
--vaultrc-location mqsivaultrc_file_location
(Optional) The location of the .mqsivaultrc file that contains the vault key. You can specify either the --vaultrc-location or --vault-key parameter, or you can set the MQSI_VAULT_KEY or MQSI_VAULTRC_LOCATION environment variable. If you specify none of these, the .mqsivaultrc file will be looked for in your HOME directory.
--username userId
(Optional) The user ID to be associated with this resource.
--password password
(Optional) The password to be associated with this resource.

If you specify a password by using the --password parameter and the password includes characters that have special meaning to the command shell, you must use quotation marks around the password or escape the characters. Use single quotation marks on Linux and AIX systems. Use double quotation marks on Windows systems. For a full list of reserved characters, and the rules that are associated with those characters when you use quotation marks and escape characters, see the documentation that is supplied with the shell.

However, you can avoid the need to use quotation marks or to escape special characters by specifying the --password parameter with no password. You are then prompted to enter a password during the invocation of the command. The password that you enter at the prompt can include characters that have special meaning to the command shell, with no need for quotation marks or escape characters.

--client-id clientIdentity
This parameter specifies either of the following values:
  • (Optional) The name of the consumer key of your Salesforce Connected App, to be used for authentication with Salesforce systems
  • (Optional) The name of the client ID of your connected LoopBack application, to be used for authentication with LoopBack connectors
--client-secret clientSecret
This parameter specifies either of the following values:
  • (Optional) The consumer secret of your Salesforce Connected App, to be used for authentication with Salesforce systems.
  • (Optional) The client secret of your connected LoopBack application, to be used for authentication with LoopBack connectors.
--api-key apiKey
(Optional) The API key to be used for authentication with REST APIs. You can specify only a REST API key to be used for authentication, or you can specify a REST API key together with a user ID and password.
--ssh-identity-file identityFile
(Optional) The name of an identity file, in PEM format, to be used for authentication with SFTP in place of a password. You must specify either a password or an identity file, but not both. If you specify an identity file, you can also specify a passphrase with the --passphrase parameter.
--passphrase passphrase
(Optional) The passphrase that is used for authentication with SFTP. This parameter is valid only when the --ssh-identity-file parameter is also specified. The passphrase is used during decryption of the identity file.
--trace traceFileName
(Optional) This parameter writes debug trace information about the command to the specified output file.
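
The per-type flag combinations listed under --credential-type (sftp taking either --password or --ssh-identity-file with --passphrase, rest accepting three forms, and so on) can be checked before the command is invoked. The following shell functions are an added example, not IBM code: the names check_cred_flags, has_flag and only_flags are hypothetical, and the check assumes that sftp accepts --username and that salesforce needs all four of the flags its entry names.

```shell
#!/bin/sh
# Added example: pre-flight check of the credential flags passed to
# mqsicredentials --create/--update, following the per-type rules on this page.
# Only flag names are passed in, so no secret value reaches these functions.

has_flag() {            # has_flag NAME FLAG... : 0 when NAME is among FLAG...
    want=$1; shift
    for f in "$@"; do [ "$f" = "$want" ] && return 0; done
    return 1
}

only_flags() {          # only_flags "ALLOWED LIST" FLAG... : 1 on an unlisted flag
    allowed=$1; shift
    for f in "$@"; do
        case " $allowed " in
            *" $f "*) ;;
            *) printf '%s is not listed for this credential type\n' "$f" >&2; return 1 ;;
        esac
    done
    return 0
}

check_cred_flags() {    # check_cred_flags TYPE FLAG...
    ctype=$1; shift
    u=0; p=0; k=0; i=0; ph=0; c=0
    has_flag --username "$@" && u=1
    has_flag --password "$@" && p=1
    has_flag --api-key "$@" && k=1
    has_flag --ssh-identity-file "$@" && i=1
    has_flag --passphrase "$@" && ph=1
    has_flag --client-id "$@" && c=$((c + 1))
    has_flag --client-secret "$@" && c=$((c + 1))
    case $ctype in
        keystore|keystorekey|truststore|truststorekey)
            only_flags "--password" "$@" ;;
        sftp)
            # Assumption: --username is accepted for sftp; its entry names only
            # --password, --ssh-identity-file and --passphrase.
            only_flags "--username --password --ssh-identity-file --passphrase" "$@" || return 1
            [ $((p + i)) -eq 1 ] ||
                { echo "sftp: give exactly one of --password, --ssh-identity-file" >&2; return 1; }
            [ "$i" -eq "$ph" ] ||
                { echo "sftp: --passphrase goes with --ssh-identity-file (empty if the key has none)" >&2; return 1; }
            ;;
        rest)
            only_flags "--api-key --username --password" "$@" || return 1
            # Listed forms: API key alone, user name with password, or all three.
            [ "$u" -eq "$p" ] && [ $((k + u)) -ge 1 ] ||
                { echo "rest: use --api-key, --username with --password, or all three" >&2; return 1; }
            ;;
        loopback)
            only_flags "--username --password --client-id --client-secret" "$@" || return 1
            [ $((u + p)) -eq 2 ] && [ "$c" -ne 1 ] ||
                { echo "loopback: --username and --password, plus both or neither client flag" >&2; return 1; }
            ;;
        salesforce)
            # Assumption: the four flags the salesforce entry names are needed together.
            only_flags "--username --password --client-id --client-secret" "$@" || return 1
            [ $((u + p + c)) -eq 4 ] ||
                { echo "salesforce: --username, --password, --client-id, --client-secret" >&2; return 1; }
            ;;
        cd|cics|eis|elk|email|ftp|http|httpproxy|ims|jdbc|jms|jndi|kafka|kerberos|ldap|mq|mqtt|odbc|odm|smtp|soap|wsrr|wxs)
            # These entries name --username and --password; the page's ldap
            # example passes --password alone, so neither is required here.
            only_flags "--username --password" "$@" ;;
        *)
            echo "unknown credential type: $ctype" >&2; return 1 ;;
    esac
}

# Demo with constructed flag sets (names only, no values):
check_cred_flags sftp --username --ssh-identity-file --passphrase && echo "sftp key auth: ok"
check_cred_flags sftp --username --password --ssh-identity-file --passphrase || echo "rejected"
```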

Examples

The following examples show the setting of security credentials by using the mqsicredentials command. The security credentials can be set for an independent integration server or an integration server that is managed by an integration node.

ODBC Data source names

The following examples show the use of the mqsicredentials command to associate credentials for ODBC connections:

Create ODBC credentials on integration server myIntegrationServer1, which is managed by integration node myIntegrationNode1, when the integration node and server are running:

mqsicredentials myIntegrationNode1 --create --integration-server myIntegrationServer1 --credential-type odbc --credential-name myDSN1 --username user1 --password myPassword1

Create ODBC credentials on integration server myIntegrationServer1, which is managed by integration node myIntegrationNode1, when the integration node or server is stopped:

mqsicredentials myIntegrationNode1 --create --integration-server myIntegrationServer1 --vault-key AAIAmAVaultKey --credential-type odbc --credential-name myDSN1 --username user1 --password myPassword1

Delete ODBC credentials on integration server myIntegrationServer1, which is managed by integration node myIntegrationNode1:

mqsicredentials myIntegrationNode1 --delete --integration-server myIntegrationServer1 --vault-key myVaultKey --credential-type odbc --credential-name myDSN1

You can delete the credentials only when the integration node is stopped, and you must specify a vault key.

LDAP servers

Create credentials on integration node myIntegrationNode1 to access LDAP:

mqsicredentials myIntegrationNode1 --create --credential-type ldap --credential-name adminAuthentication --password myPassword1

Salesforce servers

Create credentials for all integration servers managed by the specified integration node to access Salesforce:

mqsicredentials -i localHost -p 4416 --all-integration-servers --create --credential-type salesforce --credential-name mySF --username sfuser1 --password mysfpassword --client-id myclientid --client-secret myclientsecret