When you use TLS on your client connection from MO71 or MQEdit to your queue manager, there are now (as of IBM MQ V9.3.0) a few different ways you can provide the password for your Key Database (KDB) file, and the latest versions of MO71 and MQEdit take advantage of one of these.
The original way of doing so was to create the KDB using the -stashed parameter, and then you would end up with both a KDB file and an STH file with the same name (excluding stem) and you would tell the MQ Client that name. From that name it could create the name of the KDB file (by adding .kdb) and it could create the name of the stash file (by adding .sth). MO71 and MQEdit could either be given the name in the client connection dialog, or it could be set up outside of the application, using the mqclient.ini file (or environment variables). See later section.
In IBM MQ V9.3.0, the possibility to provide the KDB password to the MQ client instead of using a stash file was introduced. One way to do this was to store the password in the mqclient.ini file (or in an environment variable) alongside the name of the KDB. Of course, storing the password in the clear in such a location would not be recommended! So, IBM MQ supplies a mechanism to encrypt the password when storing it in such a way.
To encrypt your password, run the runmqicred program and type in the password when prompted:-
5724-H72 (C) Copyright IBM Corp. 1994, 2022.
Credentials are encrypted using the default encryption key. For more secure
protection of stored credentials, use a custom, strong encryption key.
This will output to you the encrypted version of your password (using the default encryption key – more in a moment).
Add this to your mqclient.ini file along with the name of the KDB (with or with the .kdb extension – also new in V9.3.0).
Make sure the MQCLNTCF environment variable is set to point to your mqclient.ini (or that the MQ client can find it another way) and run MO71 or MQEdit. You can either configure the channel through the client connection dialog (while omitting to specify the KDB) or you can use a CCDT.
Encrypted Password using your own Encryption Key
If you wish to use your own custom, strong encryption key as mentioned in the output of the runmqicred program, you can write that key into a small file (with no new line on the end), e.g.:
To encrypt your password with this key, run the runmqicred program as follows:-
runmqicred -sf h:\mykey.txt
and type in the password when prompted:-
5724-H72 (C) Copyright IBM Corp. 1994, 2022.
And then add the location of that file and your newly generated encrypted password into your mqclient.ini as follows:-
This may seem like it has exactly the same problem as the stash file, that is, if someone can steal the KDB file, they can also steal the stash file; but in this case, the key file can live in a completely different location to the KDB file, changing the pattern somewhat.
What has been shown here using the mqclient.ini can also be done using environment variables.
MO71 and MQEdit Prompt for Password
If your preference is not to store the password to your KDB anywhere (other than in your head or that post-it note stuck to the side of your monitor) then a third option is available where MO71 and MQEdit can prompt you for the password when they need it. To configure this, open your client connection dialog, from the Location dialog, ensure your KDB file name (with or without the KDB extension) is referenced in the “SSL/TLS Key Repository” field, and select “Prompt for Password” in the “SSL/TLS Key Repos Auth Method” field. The other option in this combo-box is “IBM MQ Configured” which you should select if you prefer the MQ Client to get the password from one of the above mentioned places that are configured in MQ (environment variable, mqclient.ini file or Stash File).
Tell MO71/MQEdit that you will supply the password when it is needed
MO71 and MQEdit will only prompt you for the password once per run of the application. The password is remembered in memory and used for all locations specifying the same KDB.
MO71/MQEdit will prompt for the password of the KDB file when it is needed
If you change the password of the KDB and don’t want to cycle the application, you can use the “Forget KDB Password” button found on the Security tab of the Location dialog.
Use the Forget KDB Password to cause MO71/MQEdit to ask again next time it needs the password
Since there are a number of ways to supply the password for the KDB, you’ll be wondering how they interact with one another. What happens if I have two or more of the above in place? What is the precedence? The password will be used from the sources in the following precedence order.
- MQCONNX MQSCO fields
this is where the prompted for password in MO71/MQEdit is put.
- MQKEYRPWD environment variable
- mqclient.ini file field SSLKeyRepositoryPassword
- Stash File
So now you have plenty of options to provide the password. Hopefully one of these will meet your needs.
The new versions can be downloaded from the MO71 Download Page and MQEdit Download Page. Any current licensed users of MO71/MQEdit can run the new version on their existing licence. If you don’t have a licence and would like to try out MO71 or MQEdit then send an email to firstname.lastname@example.org and a 1-month trial licence will be sent to you.