mqsivault command

Use the mqsivault command to configure an IBM® App Connect Enterprise vault for storing encrypted credentials, which can be used to access secured resources.

Supported platforms

  • Windows
  • Linux®
  • AIX®

Purpose

You can configure an IBM App Connect Enterprise vault to symmetrically encrypt and store credentials, which can then be used to access secured resources (from a message flow, for example).

You can use the mqsivault command to create or destroy a vault, to import or export the contents of a vault, to change or verify a vault key, or to retrieve and display credentials from the vault. The vault stores the records in encrypted form. Credentials that are stored in the vault can be used by an integration node or by one or more integration servers to access secured resources from a message flow.

You can configure a vault to be used by a specific independent integration server, by an integration node and the integration servers that it manages, or by any integration server. For more information about configuring vaults and credentials, see the following topics:

Syntax

Create or destroy a vault

mqsivault --work-dir workpath --ext-vault-dir externalDirectoryVaultPath integrationNodeName --create --vault-key vaultKey --ext-vault-key externalDirectoryVaultKey --vault-options no-export --destroy --trace traceFileName

Change or verify a vault key

mqsivault --work-dir workpath --ext-vault-dir externalDirectoryVaultPath integrationNodeName --change-vault-key --old oldVaultKey --new newVaultKey --verify-key --vault-key vaultKey --ext-vault-key externalDirectoryVaultKey --trace traceFileName

Retrieve vault credentials

mqsivault --work-dir workpath --ext-vault-dir externalDirectoryVaultPath integrationNodeName --integration-server integrationServerName --decode recordURI --vault-key vaultKey --ext-vault-key externalDirectoryVaultKey --trace traceFileName

Import or export the contents of a vault

mqsivault --work-dir workpath --ext-vault-dir externalDirectoryVaultPath integrationNodeName integrationServerName --vault-key vaultKey --ext-vault-key externalDirectoryVaultKey --export --import --archive-location archiveLocation --archive-key archiveKey --trace traceFileName

Add, update, or delete a vault key in a .mqsivaultrc file

mqsivault --work-dir workpath --ext-vault-dir externalDirectoryVaultPath integrationNodeName --vaultrc-store-key --vault-key vaultKey --vaultrc-store-ext-key --ext-vault-dir extVaultDir --ext-vault-key extVaultKey --vaultrc-remove-key --vaultrc-remove-ext-key --ext-vault-dir extVaultDir --vaultrc-location mqsivaultrc_file_location --trace traceFileName

Add, update, or delete a default vault key in a .mqsivaultrc file

mqsivault --vaultrc-store-default-key --vault-key vaultKey --vaultrc-remove-default-key --vaultrc-location mqsivaultrc_file_location --trace traceFileName

Parameters

integrationNodeName
(Optional) This parameter specifies the name of the integration node to which the vault applies. If this parameter is specified, a single vault is created and shared by all integration servers that are managed by the specified integration node, and each integration server uses the same vault key to access the credentials that are stored in the vault.
--work-dir workpath
(Optional) This parameter specifies the work directory for the independent integration server to which the vault applies.
--ext-vault-dir externalDirectoryVaultPath
(Optional) This parameter specifies the path to the directory that contains the external directory vault. This directory must already exist.
--archive-key archiveKey
(Optional) This parameter specifies the archive key that is used to protect the records in the archive.
--archive-location archiveLocation
(Optional) This parameter specifies the location of the .zip archive file to be exported from a vault or imported into a vault (by specifying the --export or --import parameter).
--change-vault-key
(Optional) Specify this parameter to change an existing vault key to a new one. If you specify this parameter, you must also specify the --old and --new parameters.
--create
(Optional) Specify this parameter to create a vault.
--decode recordURI
(Optional) Specify this parameter to retrieve the named record from the vault and display it on the screen. For example, --decode credentials/jdbc/test_id.

The contents of the vault cannot be retrieved and displayed if the --vault-options no-export parameter has been set for the vault.

--destroy
(Optional) Specify this parameter to delete the vault and all the data stored in it.
--export
(Optional) Specify this parameter to copy the contents of a vault into a .zip archive file. The location of the .zip archive file to be exported is specified by the --archive-location parameter.

The contents of the vault are decrypted using the supplied vault key and then re-encrypted using the supplied archive key before being stored in the .zip archive file. If an archive file already exists (as a result of an earlier invocation of the mqsivault export command), the contents of the existing archive are not deleted. If the existing archive file already contains any entries that are being exported from the vault in the current invocation of the command, the entries in the existing archive are overwritten with the new entries exported from the vault. The contents of the vault are not changed by the export process.

The contents of the vault cannot be exported if the --vault-options no-export parameter has been set for the vault.

--ext-vault-key externalDirectoryVaultKey
(Optional) This parameter specifies the vault key to be used for an external directory vault. If no value is specified for the vault key, you are prompted to enter it.
--import
(Optional) Specify this parameter to import a .zip archive file and extract the contents into an existing vault. The location of the .zip archive file to be imported is specified by the --archive-location parameter.

The contents of the archive file are decrypted using the supplied archive key and then stored in the vault using the vault encryption. If the imported archive file contains entries that already exist in the vault, the entries in the vault are overwritten with the entries imported from the archive. The contents of the archive are not changed by the import process.

--integration-server integrationServerName
(Optional) Use this parameter to specify the name of an integration server. It is valid only when used with the --decode option.
--new newVaultKey
(Optional) This parameter specifies the new vault key, which is to replace the current vault key specified by the --old parameter.
--old oldVaultKey
(Optional) This parameter specifies the current key that is used to access the vault, and will be replaced by the new vault key specified by the --new parameter.
--trace traceFileName
(Optional) This parameter writes debug trace information about the command to the specified output file.
--vault-key vaultKey
(Optional) This parameter specifies the vault key for a local integration node vault or a local independent integration server vault. If no value is specified for the vault key, you are prompted to enter it.
--vault-options vaultOptions
(Optional) This parameter sets options for the vault. To prevent the retrieval, display, and export of credentials in a vault, specify --vault-options no-export. You can specify this parameter only when you run the command to create the vault; you cannot change options after the vault has been created.
--vaultrc-location mqsivaultrc_file_location
(Optional) This parameter specifies the location of the .mqsivaultrc file used to locate the vault key.
--vaultrc-store-key
(Optional) Specify this parameter to add or update a vault key for an integration node or server into a .mqsivaultrc file.
--vaultrc-remove-key
(Optional) Specify this parameter to remove a vault key for an integration node or server from a .mqsivaultrc file.
--vaultrc-store-default-key
(Optional) Specify this parameter to add or update a default vault key into a .mqsivaultrc file.
--vaultrc-remove-default-key
(Optional) Specify this parameter to remove the default vault key from a .mqsivaultrc file.
--vaultrc-store-ext-key
(Optional) Specify this parameter to add or update the external directory vault key in a .mqsivaultrc file.
--vaultrc-remove-ext-key
(Optional) Specify this parameter to remove the external directory vault key from a .mqsivaultrc file.
--verify-key
(Optional) Specify this parameter to verify that the supplied vault key is valid to use for accessing the vault.
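
Example (added here, not part of the IBM documentation): a key rotation for an independent integration server vault that combines --verify-key, --export, and --change-vault-key, and handles the two cases described above: export merging into an existing archive, and export being refused for a vault created with --vault-options no-export. It assumes that mqsivault exits with a non-zero status on failure; the environment variable names and the paths in the usage comment are illustrative.

```sh
#!/bin/sh
# Added example, not IBM's code: rotate the key of an independent integration
# server vault. Assumes mqsivault exits non-zero on failure; OLD_KEY, NEW_KEY,
# ARCHIVE_KEY and ALLOW_NO_BACKUP are illustrative variable names.
# Note: keys passed as arguments are visible in the process list while
# mqsivault runs.

rotate_vault_key() (   # subshell body: umask and variables stay local
  workdir=${1:-} archive=${2:-}
  if [ -z "$workdir" ] || [ -z "$archive" ] || [ -z "${OLD_KEY:-}" ] ||
     [ -z "${NEW_KEY:-}" ] || [ -z "${ARCHIVE_KEY:-}" ]; then
    echo "usage: OLD_KEY=.. NEW_KEY=.. ARCHIVE_KEY=.. rotate_vault_key WORKDIR ARCHIVE.zip" >&2
    exit 64
  fi
  umask 077   # files created by mqsivault inherit this: owner-only access

  # 1. Prove the current key is valid before touching anything.
  mqsivault --work-dir "$workdir" --verify-key --vault-key "$OLD_KEY" ||
    { echo "current vault key rejected" >&2; exit 1; }

  # 2. Export merges into an existing archive, so insist on a fresh file.
  if [ -e "$archive" ]; then
    echo "refusing to merge into existing archive: $archive" >&2; exit 2
  fi
  if ! mqsivault --work-dir "$workdir" --export --vault-key "$OLD_KEY" \
         --archive-location "$archive" --archive-key "$ARCHIVE_KEY"; then
    # Expected for a vault created with --vault-options no-export.
    [ "${ALLOW_NO_BACKUP:-0}" = 1 ] ||
      { echo "export failed; set ALLOW_NO_BACKUP=1 to rotate without a backup" >&2; exit 3; }
  fi

  # 3. Replace the old key with the new one.
  mqsivault --work-dir "$workdir" --change-vault-key --old "$OLD_KEY" --new "$NEW_KEY" ||
    { echo "key change failed" >&2; exit 4; }

  # 4. Confirm that the vault now opens with the new key.
  mqsivault --work-dir "$workdir" --verify-key --vault-key "$NEW_KEY" ||
    { echo "new key does not verify" >&2; exit 5; }
)

# Usage (constructed paths):
#   rotate_vault_key /var/ace/server1 /secure/backup/vault-backup.zip
```

Store the archive key separately from the archive: the exported records are protected only by that key.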