How To
Summary
The latest versions of MQIPT (v9.1.x) expect passwords to be encrypted in MQIPT configuration files.
MQIPT v9.1.5+ allows using your own custom passphrase key for additional security.
Steps
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.pro.doc/ipt4121_.htm

MQIPT requires a keystore of type PKCS12. Create one with:

mqiptKeycmd -keydb -create -db mqipt.pfx -pw passw0rd -type pkcs12

Then create the certificates, and ensure the signer certificates are also in the keystore.

Example route from the mqipt.conf file:
[route]
Name=TLS client sample
Active=true
ListenerPort=1415
Destination=mqipt.company2.com
DestinationPort=1414
SSLClient=true
SSLClientCipherSuites=SSL_RSA_WITH_AES_256_CBC_SHA256
SSLClientKeyRing=C:\\MQIPT\\ssl\\mqipt.pfx
SSLClientKeyRingPW=passw0rd

You must encrypt the passwords and replace the clear-text values.

Protect all passwords specified in the configuration file by following the procedure in "Encrypting stored passwords":
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.con.doc/q134380_.htm

MQIPT can use its default passphrase when encrypting, or you can supply one with the -sf option.

Run mqiptPW two times in a row, entering the same password each time.
Each run creates a string to be used, which includes an eyecatcher and the encrypted password.

C:\test\mqipt\mqipt915>bin\mqiptPW
[Enter password]
<mqiptPW>1!8fYvkPxvTq5b7ulKv4gcfw==!F/rnByHAy9yLuLuY7yLI3w==
C:\test\mqipt\mqipt915>bin\mqiptPW
[Enter password]
<mqiptPW>1!bahL8t2jR2mMVYoDNsgHvQ==!FoMzVLcFoH6bHI9Ghqw4/Q==

MQIPT expects passwords to be encrypted, so be sure to put the appropriate encrypted string in the mqipt.conf file.

Example from above:
[route]
Name=TLS client sample
Active=true
ListenerPort=1415
Destination=mqipt.company2.com
DestinationPort=1414
SSLClient=true
SSLClientCipherSuites=SSL_RSA_WITH_AES_256_CBC_SHA256
SSLClientKeyRing=C:\\MQIPT\\samples\\ssl\\mqipt.pfx
SSLClientKeyRingPW=<mqiptPW>1!bahL8t2jR2mMVYoDNsgHvQ==!FoMzVLcFoH6bHI9Ghqw4/Q==
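
Added example (not part of the original IBM document): a Python check that reads mqipt.conf text and reports password properties still stored in clear text, using the <mqiptPW> string format shown in the mqiptPW output above. Assumptions made for this example: every property whose name ends in "PW" is a password, "#" starts a comment line, and the ListenerPort=1416 route in the sample is constructed.

```python
import base64
import re

# Format as it appears in the mqiptPW output on this page:
# the <mqiptPW> eyecatcher, a digit, then two '!'-separated base64 fields.
ENCRYPTED = re.compile(r"^<mqiptPW>(\d+)!([A-Za-z0-9+/=]+)!([A-Za-z0-9+/=]+)$")

# Constructed sample: the clear-text route from this page plus an encrypted one.
SAMPLE = r"""[route]
ListenerPort=1415
SSLClientKeyRing=C:\\MQIPT\\ssl\\mqipt.pfx
SSLClientKeyRingPW=passw0rd
[route]
ListenerPort=1416
SSLClientKeyRingPW=<mqiptPW>1!bahL8t2jR2mMVYoDNsgHvQ==!FoMzVLcFoH6bHI9Ghqw4/Q==
"""


def is_encrypted(value):
    """True if value looks like mqiptPW output with decodable base64 fields."""
    m = ENCRYPTED.match(value.strip())
    if not m:
        return False
    try:
        for field in m.group(2, 3):
            base64.b64decode(field, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return True


def audit_conf(text):
    """Return (line_no, section, key) for each *PW property left in clear text."""
    findings, section = [], "global"
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        # Assumption: password properties are those whose name ends in "PW".
        if sep and key.strip().upper().endswith("PW") and value.strip():
            if not is_encrypted(value):
                findings.append((line_no, section, key.strip()))
    return findings


if __name__ == "__main__":
    for line_no, section, key in audit_conf(SAMPLE):
        print(f"line {line_no}: [{section}] {key} is not encrypted; run mqiptPW")
```
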

-----
If you want to use your own passphrase when encrypting the passwords:

https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.con.doc/q134380_.htm

Optional: Create a file containing the password encryption key
You do not have to specify a password encryption key; however, it is more secure to do so. If you do not specify your own encryption key, the default encryption key is used.
If you do this, the running instance of MQIPT also needs to know about the passphrase file used for encrypting and decrypting passwords.
This is handled by the -sf option on the mqipt command, an environment variable, and so on:

https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.adm.doc/q134390_.htm

To use your own passphrase key:

1) Create a file and put a passphrase on the first line.
The file must contain at least one character, and only one line of text.
Example:
mqipt_password.key:
The brown fox jumped over the moon.

2) You can then use that passphrase when encrypting passwords.

Example:
C:\test\mqipt\mqipt915>bin\mqiptPW -sf mqipt_password.key
[Enter password]
<mqiptPW>1!75xEqe73QGaOm3F1pEk3GA==!p/gK29FAmQlvByY1sksEcQ==

3) Then, when starting MQIPT, you must be sure the MQIPT instance also knows the passphrase key file. This example uses the -sf option; for other methods, see the link above.

[MQIPT_INSTALLATION_PATH]\bin\mqipt .\ -sf mqipt_password.key
I hope this helps.
Document Location
Worldwide
Document Information
Modified date:
29 April 2020
UID
ibm16202795