[AIX][MQ 9.3.4 Oct 2023][Linux]

runqmcred (protect authentication token keystore password)

Use the runqmcred command to encrypt the password for the queue manager keystore that contains the trusted authentication token issuer's public key certificates or symmetric keys.

Purpose

The runqmcred command is used to encrypt the password for the queue manager authentication token keystore. The authentication token keystore contains the public key certificates or symmetric keys for trusted authentication token issuers. The path to the keystore and the file that contains the encrypted password are specified in the AuthToken stanza in the qm.ini file. The queue manager uses the information in the AuthToken stanza to verify that the token that an application provides for authentication purposes is issued by a trusted issuer.

The command is provided because using and storing unencrypted passwords is not secure.

An encryption key, which is known as the initial key, is used to encrypt the password. You can provide a file that contains the initial key when you run the runqmcred command. Create the initial key file before you run the command. If you do not provide the initial key, a default initial key is used.
CAUTION:
Do not use the default initial key to encrypt passwords as it does not protect passwords securely.
Important: If you supply an initial key file that contains the encryption key, the same initial key must be specified in the queue manager INITKEY attribute so that the queue manager can decrypt the password. If the queue manager INITKEY attribute is already set, use the same initial key when you run the runqmcred command. For more information about the queue manager INITKEY attribute, see INITKEY.

Syntax

runqmcred [-sf keyfile]

Optional Parameters

-sf keyfile
Path to a file that contains the initial key that is used to encrypt the password. Create this file before you run the runqmcred command. The same initial key must be specified in the queue manager INITKEY attribute. The file must contain a single line of at least one character.
If this parameter is not specified, a default initial key is used.

Examples

The following example encrypts the authentication token keystore password using the initial key that you provide.

Use the -sf argument to provide the initial key file path. You are prompted to enter the password you want to encrypt.
runqmcred -sf /home/initial.key
The encrypted password is output on the last line. Copy the encrypted password into a file and include the path in the KeyStorePwdFile attribute of the AuthToken stanza in the qm.ini file.
5724-H72 (C) Copyright IBM Corp. 1994, 2025.
Enter password:
*************
<QM>!2!UnH/9hRXEGA0cenLVSGCW9a0s5A2vHDkTiA7vRv8ogc=!yhlsHFw7MIh48SvaYeTwRQ==
The following example encrypts the authentication token keystore password using a default initial key.
runqmcred
Copy the encrypted password that is output on the last line into a file. Include the path to the file in the KeyStorePwdFile attribute of the AuthToken stanza in the qm.ini file.
5724-H72 (C) Copyright IBM Corp. 1994, 2025.
Credentials are encrypted using the default encryption key. For more secure
protection of stored credentials, use a custom, strong encryption key.
Enter password:
*************
<QM>!2!b5rb01sMzFzc1ClZeQMryruWFM3HSm8DKyEaZK7qzWY=!TrWdU57DCDXM0Qah99I/Lg==

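The following pre-flight check is an added example, not part of the IBM documentation or product. It verifies that the initial key file is a single non-empty line, and that the file named in KeyStorePwdFile holds runqmcred output rather than a plaintext password. The function names, the owner-only permission check, and the output pattern (inferred from the sample output above) are assumptions.

```shell
#!/bin/sh
# Pre-flight checks around runqmcred (added example; function names are hypothetical).

# Initial key file: the page requires a single line of at least one character.
# The owner-only permission check is an added hardening assumption.
check_initial_key() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # awk counts a final line that has no trailing newline, unlike wc -l
    awk 'NR == 1 && length($0) > 0 { ok = 1 } END { exit !(NR == 1 && ok) }' "$f" ||
        { echo "$f: must hold exactly one non-empty line" >&2; return 2; }
    # characters 5-10 of the ls mode string are the group and other bits
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "$f: accessible by group or others" >&2; return 3; }
    return 0
}

# KeyStorePwdFile content: must look like runqmcred output, not a plaintext
# password. The pattern is inferred from the sample output on this page.
check_pwd_file() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    if grep -Evq '^<QM>![0-9]+![A-Za-z0-9+/]+=*![A-Za-z0-9+/]+=*$' "$f"; then
        echo "$f: contains a line that is not runqmcred output" >&2
        return 2
    fi
    return 0
}

# Demo on constructed files; the encrypted line is the sample output shown above.
tmp=$(mktemp -d)
( umask 077; printf '%s\n' 'constructed-initial-key' > "$tmp/initial.key" )
printf '%s\n' '<QM>!2!UnH/9hRXEGA0cenLVSGCW9a0s5A2vHDkTiA7vRv8ogc=!yhlsHFw7MIh48SvaYeTwRQ==' \
    > "$tmp/keystore.pwd"
check_initial_key "$tmp/initial.key" && echo "initial key file OK"
check_pwd_file "$tmp/keystore.pwd" && echo "password file OK"
rm -rf "$tmp"
```

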
Return codes

0
Command completed successfully.
1
Command completed unsuccessfully.