APAR status
Closed as program error.
Error description
The "Decrypting credentials" section of the "Encrypting stored credentials in MFT" topic in the MQ 9.2 and 9.3 sections of the IBM Documentation site contains the following information: ------------------------------------------------------------ Decrypting credentials You can specify the path to the initial key file in various places. In order to decrypt credentials that were encrypted using an initial key other than the default one, the name of the file containing the initial key needs to be provided to MFT in one of the following ways, in this order of precedence: 1, Using the Java? Virtual Machine (JVM) property com.ibm.wqmfte.cred.keyfile, for example: -Dcom.ibm.wmqfte.cred.keyfile=/usr/hime/credkeyfile.key 2. In agent, logger, commands, and coordination property files. Each of these property files contains an additional specific CredentialKeyFile property. For details of these properties, see: - agent.properties - logger.properties - command.properties - coordination.properties 3. In the installation.properties file Instead of adding properties in individual properties files, you can add the commonCredentialsKeyFile property to the existing common installation.properties file, so that agent, logger and commands can use the same property. ------------------------------------------------------------ Similarly, the "Managed File Transfer" section of the "Protecting passwords in IBM MQ component configuration files" topic in the MQ 9.2 and 9.3 sections of the IBM Documentation site contains the following information: ------------------------------------------------------------ At runtime, provide the initial key file to use through the following three mechanisms. In order of priority, these are: 1. Using JVM property com.ibm.wqmfte.cred.keyfile. 2. In the agent, logger, command,s and coordination property files. 3. In the installation.properties file. ------------------------------------------------------------ In both topics, the Java system property shown in Step 1 is: com.ibm.wqmfte.cred.keyfile Although setting the property works as expected, it is actually misspelt. It should be: com.ibm.wmqfte.cred.keyfile
Local fix
Problem summary
**************************************************************** USERS AFFECTED: This issue affects users of IBM MQ Managed File Transfer. Platforms affected: MultiPlatform **************************************************************** PROBLEM DESCRIPTION: In MQ 9.2 and 9.3 Managed File Transfer (MFT), a new Java system property: com.ibm.wqmfte.cred.keyfile was added to allow users to specify the file containing the initial key that should be used to decrypt credentials. This property was documented in the following topics in the MQ 9.2 and 9.3 sections of the IBM Documentation site: Topic: Encrypting stored credentials in MFT URI of topic in the MQ 9.2 section of the IBM Documentation site: https://www.ibm.com/docs/en/ibm-mq/9.2?topic=transfer-encrypting -stored-credentials-in-mft URI of topic in the MQ 9.3 section of the IBM Documentation site: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=transfer-encrypting -stored-credentials-in-mft Topic: Protecting passwords in IBM MQ component configuration files URI of topic in the MQ 9.2 section of the IBM Documentation site: https://www.ibm.com/docs/en/ibm-mq/9.2?topic=securing-protecting -passwords-in-mq-component-configuration-files URI of topic in the MQ 9.3 section of the IBM Documentation site: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=securing-protecting -passwords-in-mq-component-configuration-files However, the Java system property was misspelt in the product code - it should have been: com.ibm.wmqfte.cred.keyfile
Problem conclusion
To resolve this issue, MQ Managed File Transfer has been updated to use the following Java system properties when checking if a user has specified a file containing the initial key that should be used for encrypting and decrypting credentials: - com.ibm.wmqfte.cred.keyfile - com.ibm.wqmfte.cred.keyfile This allows users to use the correct spelling of the property name, while maintainign backwards compatibility with the old misspelt name. Note that if both Java system properties are set, then the value of the correctly spelt property: - com.ibm.wmqfte.cred.keyfile will be used. --------------------------------------------------------------- The fix is targeted for delivery in the following PTFs: Version Maintenance Level v9.2 LTS 9.2.0.15 v9.3 LTS 9.3.0.10 v9.x CD 9.3.1 The latest available maintenance can be obtained from 'IBM MQ Recommended Fixes' https://www.ibm.com/support/pages/recommended-fixes-ibm-mq If the maintenance level is not yet available information on its planned availability can be found in 'IBM MQ Planned Maintenance Release Dates' https://ibm.biz/mqplannedmaintenance ---------------------------------------------------------------
Temporary fix
Comments
APAR Information
APAR number
IT41304
Reported component name
MQ BASE V9.2
Reported component ID
5724H7281
Reported release
920
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-06-22
Closed date
2023-03-29
Last modified date
2024-02-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.2
Fixed component ID
5724H7281
Applicable component levels
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"920","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"}}]
Document Information
Modified date:
04 April 2024