mqsisetdbparms command
Use the mqsisetdbparms command to associate a specific user ID and password (or SSH identity file) with one or more resources that are accessed by the integration node.
Supported platforms
- Windows
- Linux® and UNIX systems
- z/OS®. Run this command by customizing and submitting BIPSDBP.
Purpose
- A CICSConnection configurable service
- An ODBC data source name (DSN) that is accessed from a message flow
- An EmailServer configurable service
- An FtpServer configurable service
- An IMSConnect configurable service
- A JDBCProvider configurable service
- A JMS or JNDI resource, for example a JMSProviders configurable service
- Kerberos Key Distribution Center (KDC) client credentials for SOAPRequest nodes with a WS-Security policy set and bindings that specify Kerberos
- Lightweight Directory Access Protocol (LDAP) bind credentials for the integration node security manager
- An MQTT server that requires a user name and password
- An HTTP proxy server that requires a user name and password
- A Kafka cluster that requires a user name and password
- A secured WebSphere® MQ queue manager
- An SMTP configurable service
- The integration node keystore password
- The web user interface keystore password
- An account name, with a user name and password, for the WebSphere Adapters
- A WebSphere Service Registry and Repository (WSRR) configurable service
- A WXSServer configurable service
- SOAPRequest nodes
- SalesforceRequest nodes
- LoopBackRequest nodes
- AppConnectRESTRequest nodes
- RESTRequest and RESTAsyncRequest nodes.
The user ID and password pair is created in the DSN folder under the integration node registry folder.
You can run the mqsisetdbparms command while the integration node is running. However, you must stop and start each integration server that uses a particular ResourceName, before that information is read and used by that integration server.
If you are using the mqsisetdbparms command on Linux or a UNIX console, add an escape character if you use one or more of the reserved characters. For example, you must specify these values:
mqsisetdbparms DUMMYBROKER -n ftp::DUMMYFTP -u dummy\\user -p abcdef
Do not use the following format:
mqsisetdbparms DUMMYBROKER -n ftp::DUMMYFTP -u dummy\user -p abcdef
If you use the latter format, the backslash character (\) in the user ID or password is ignored. The example causes the FTP connection through the FileInput node to fail with incorrect user credentials.
For a full list of reserved characters, and the rules that are associated with those characters when you use quotation marks and escape characters, see the documentation that is supplied with the shell.
To check any credentials that you set by using mqsisetdbparms, use the mqsireportdbparms command; see mqsireportdbparms command.
Syntax
Create
Alter
Delete
Adapter connection
Parameters
- integrationNodeName
- (Required) The name of the integration node for which settings are to be created, altered, or deleted.
- -n ResourceName or AdapterName
- (Required) This parameter identifies one of the following resources:
- The ODBC data source for which the user ID and password pair are to be created or
modified. The ResourceName takes one of the following forms:
datasource_name
odbc::datasource_name
odbc::datasource_name::integrationserver_name
dsn::DSN
(a fixed ResourceName literal used to define default user ID and password values for ODBC connections)
Data source names are used by the following nodes:- Compute
- Database
- DatabaseRetrieve
- DatabaseRoute
- DataDelete
- DataInsert
- DataUpdate
- Filter
- Mapping
- Warehouse
If you use the same datasource_name to refer to the same database instance from multiple nodes, the same user ID and password pairing is used. To define default values for user ID and password for the integration node to use for all data source names for which you have not set specific values, specify
dsn::DSN
as the ResourceName. If you migrated the integration node from a previous version, the values that you define on this command replace the values that you set on the mqsicreatebroker or mqsichangebroker commands before migration; the relevant parameters on those commands are deprecated in WebSphere Message Broker Version 8.0. - The name of the security identity that is used to connect an IBM® Sterling Connect:Direct®
CDOutput or node to itsConnect:Direct server. The ResourceName takes the form
cd::secId
, wheresecId
is specified as the value of the security identity property on aCDServer
configurable service. Change security identitycd::default
to alter the default user ID and password. - The name of the security identity that is used to authenticate a CICS®
Transaction Server for z/OS connection. The ResourceName takes the
form
cics::secId
, wheresecId
is specified as the value of the Security identity property on the CICSRequest node or in the -n securityIdentity property of the associated CICSConnection configurable service. - The name of the security identity that the EmailInput node or EmailServer configurable service use to
authenticate with an email server to retrieve email messages. The ResourceName
takes the form
email::secId
, wheresecId
is specified as the value of the Security identity property on the EmailInput node or in the -n securityIdentity property of the associated EmailServer configurable service. - The name of the IMS connection. The
ResourceName takes the form
ims::secId
, wheresecId
is the same as the value of the Security identity property on the IMSRequest node or in the -n securityIdentity property of the associated IMSConnect configurable service. - The name of the security identity that is used to authenticate a JDBC type 4
connection. The ResourceName takes the form
jdbc::secId
, wheresecId
is specified as the value of the -n securityIdentity property of the associated JDBCProvider configurable service on the mqsicreateconfigurableservice or mqsichangeproperties command.Specify
jdbc::JDBC
to define default values for user ID and password for the integration node to use for all JDBC connections for which you have not set specific values. - The name of the security identity that is used to authenticate a connection to a JMS or JNDI
resource. The ResourceName takes the form
jms::secId
orjndi::secId
, wheresecId
is specified as the value. - The name of the security identity that is used for retrieving client credentials from the Kerberos Key Distribution Center (KDC) by a SOAPRequest node with a policy set and binding specifying Kerberos.
- The name of the security identity that is used to authenticate an LDAP directory.
Specify
ldap::<servername>
to define credentials for an individual server. If you want the integration node to bind anonymously to this server, specifyanonymous
as the user ID.Specify
ldap::LDAP
to define a default setting. The integration node uses the specified user ID and password values for all servers that do not have an explicitldap::<servername>
entry. Therefore, all servers that previously used anonymous bind by default start to use the details defined in anldap::LDAP
entry. - The name of the security identity that is used to authenticate
a connection to a Salesforce system. The ResourceName takes the form
salesforce::secId
, wheresecId
is the value of the Security Identity property in the SalesforceRequest node. - The name of the security identity that is used to authenticate a
connection that is made through a LoopBack® connector. The
ResourceName takes the form
loopback::secId
, wheresecId
is the value of the Security Identity property in the LoopBackRequest node. - The name of the security identity that is used to authenticate a connection to an
external REST API, such as an App Connect REST API. The ResourceName takes
the form
rest::secId
, wheresecId
is the value of the Security Identity property in the RESTRequest or RESTAsyncRequest node, or in the AppConnectRESTRequest node. - The name of the adapter connection to the external EIS. The
AdapterName takes the form
eis::adapterName
, whereadapterName
is specified as the value. - The name of the security identity that is used to
authenticate a connection to an MQTT server. The security identity is used to locate the user name
and password. The ResourceName takes the form
mqtt::secId
, where secId is specified as the value of the Security identity property of the MQTTPublish or MQTTSubscribe node.- Specify
mqtt::pubsubDefault
to define security credentials for connecting to an external MQTT server that the integration node uses to publish its event messages. For more information, see Configuring the publication of event messages.
- Specify
- The security identity that is used to authenticate a connection to
a secured Kafka cluster. The security identity is used to locate the user name and password, which
are passed to the Kafka cluster when a connection is attempted. If the Security identity field is blank, which is the default, the
ResourceName of
kafka::KAFKA::integration_server_name
is used. To use a security identity other than the default, specify a value in ResourceName with the formatkafka::MyKafkaIdentity
and set the Security identity field of the node to the same value as MyKafkaIdentity by using the BAR editor or the mqsiapplybaroverride command. - The security identity that is used to authenticate a connection to a
secured HTTP proxy server. The security identity is used to locate the user name and password. The
ResourceName takes either the form
httpproxy::proxyHostname
orhttpproxy::HTTPPROXY
:- Specify
httpproxy::proxyHostname
to define a security identity to be used for retrieving user name and password credentials for the specified HTTP proxy. - Specify
httpproxy::HTTPPROXY
to define a security identity to be used as a default for any proxy server that does not have a matchinghttpproxy::proxyHostname
setting.
- Specify
- The name of the security identity that is used to authenticate a connection to a
secured WebSphere MQ queue manager. The security identity is used to locate
the user name and password, which are passed to the queue manager when a connection is attempted.
- Specify
mq::securityIdentityName
to define a security identity to be used for retrieving user name and password credentials for an MQ node that has the Security identity property set tosecurityIdentityName (through either the MQ Connection properties on the node or an MQEndpoint policy). - Specify
mq::QMGR::QMName
to configure a user name and password to be used for all local or client connections to the named queue manager, when no security identity name has been specified in the MQ node or MQEndpoint policy. - Specify
mq::MQ
to configure a user name and password for all local or client connections to queue managers, where no security identity name has been set on the MQ node or MQEndpoint policy, and where the queue manager that is being connected to does not match any queue manager names that have been specified usingmq::QMGR::QMName
. - Specify
mq::pubsubDefault
to define security credentials for connecting to an MQ pub/sub broker that the integration node uses to publish its event messages. For more information, see Configuring the publication of event messages.
- Specify
- The name of the security identity that is used to authenticate an SMTP server.
- The name of the security identity that is used to authenticate a connection to an FTP server.
The ResourceName takes the form
ftp::secId
, wheresecId
is specified as the value of the Security identity property of the FileInput or FileOutput node, or in the -n securityIdentity property of the associated FtpServer configurable service on the mqsicreateconfigurableservice or mqsichangeproperties command. - The name of the security identity that is used to authenticate a connection to an SFTP
server. The security identity is used to locate the user name and password or the Secure Shell (SSH)
identity file. The ResourceName takes the form
sftp::secId
, wheresecId
is specified as the value of the Security identity property of the FileInput or FileOutput node, or in the -n securityIdentity property of the associated FtpServer configurable service on the mqsicreateconfigurableservice or mqsichangeproperties command. - The name of the security identity that is used to authenticate an integration node keystore.
- The name of the security identity that is used to authenticate a web user interface keystore. For more information, see Securing connections to the web user interface.
- The name of the security identity that is used to authenticate a WSRR configurable service.
- The name of the security identity that is used to connect to a secure WebSphere eXtreme Scale grid. The security identity represents a user name and password that is used when you connect to an external grid. The name of this identity is used by the WXSServer configurable service.
- The ODBC data source for which the user ID and password pair are to be created or
modified. The ResourceName takes one of the following forms:
- -u UserId or EISUserId
- (Required for Create and adapter connection; Optional for Alter) The user ID to be associated with this resource or EIS.
- -p Password
- (Required for Create, Alter, and adapter connection) The password
to be associated with this resource or EIS.
For compatibility with existing systems, you can still specify
<password>
. However, if you do not specify a password with this parameter when you run the command, you are prompted to enter a password during its invocation, and to enter the password a second time to verify that you have entered it correctly.On z/OS only, this parameter is optional with the
dsn::DSN
resource type. If you omit this parameter, the integration node uses the started task user ID to connect to IBM DB2®. The integration node uses the user ID that you specified with the -u parameter when it constructs fully qualified SQL statements; for example, for stored procedures. If you create fully qualified SQL statements, the integration node uses these statements as created.This parameter is required with the
ftp::
resource type, but is optional with thesftp::
resource type. However, if you do not specify a password with ansftp::
resource, you must specify the SSHIdentityFile parameter.If you specify a password by using the -p Password parameter and the password includes characters that have special meaning to the command shell, you must use quotation marks around the password or escape the characters. Use single quotation marks on Linux and UNIX systems. Use double quotation marks on Windows systems. For a full list of reserved characters, and the rules that are associated with those characters when you use quotation marks and escape characters, see the documentation that is supplied with the shell.
However, you can avoid the need to use quotation marks or to escape special characters if you omit to specify a password by using the -p Password parameter when you run the command. You are prompted to enter a password during the invocation of the command, and to enter the password a second time to verify that you have entered it correctly. The password that you specify after being prompted can include characters that have special meaning to the command shell with no need for you to use quotation marks or to escape these characters.
- -c ClientIdentity
- (Optional) The name of the consumer key of your Salesforce Connected App, to be used for authentication with Salesforce systems.
- (Optional) The name of the client ID of your connected LoopBack application, to be used for authentication with LoopBack connectors.
- -s ClientSecret
- (Optional) The consumer secret of your Salesforce Connected App, to be used for authentication with Salesforce systems.
- (Optional) The client secret of your connected LoopBack application, to be used for authentication with LoopBack connectors.
- -k APIKey
- (Optional) The API key to be used for authentication with REST APIs. You can specify only a REST API key to be used for authentication, or you can specify a REST API key together with a user ID and password.
- -i SSHIdentityFile
- (Optional) The name of an identity file, in the OpenSSL PEM format, to be used for
authentication with SFTP, in place of a password. You must specify either a password or an identity
file, but not both. If you specify an identity file, you can also specify a pass phrase with the
Passphrase parameter.
On z/OS systems, known hosts files and SSH identity files are stored in EBCDIC format, and on other operating systems they are stored in ASCII format.
- -r Passphrase
- (Optional) The pass phrase that is used for authentication with SFTP. This parameter is valid only when the SSHIdentityFile parameter is also specified. The pass phrase is used during decryption of the identity file.
- -d
- (Required for Delete) This parameter deletes completely the resource from the integration node registry.
- -f
- (Optional) Specify this parameter to process the mqsisetdbparms command only when the integration node itself is stopped.
Authorization
- Security requirements for Linux and UNIX platforms
- Security requirements for Windows systems
- Security requirements for z/OS
Ensure that the registry is appropriately secured to prevent unauthorized access.
Examples
CICS connections
Use the mqsisetdbparms command in the following format to associate a user ID and password pair with CICS.mqsisetdbparms integrationNodeName -n ResourceName -u userID -p password
For example:
mqsisetdbparms IBNODE -n cics::mySecurityIdentity -u myUserID -p myPassword
WebSphere MQ connections
mqsisetdbparms IBNODE -n mq::securityIdentityName -u username -p password
mqsisetdbparms IBNODE -n mq::QMGR::QMName -u username -p password
mq::QMGR::QMName
:mqsisetdbparms IBNODE -n mq::MQ -u username -p password
pubsubDefault
.
These credentials are used to connect to an MQ pub/sub broker that
the integration node uses to publish its event messages. mqsisetdbparms IBNODE -n mqtt::pubsubDefault -u myUserID -p myPassword
For
more information, see Configuring the publication of event messages. ODBC Data source names
The following example shows the use of the command to associate a userid and password for a specific ODBC data source name (no Universal Record Identifier (URI) prefix is required):
mqsisetdbparms IBNODE -n USERDB1 -u myuserid1 -p mypassword1
The
following examples show the use of the optional prefix odbc::
.
Use this option to set the user ID and password for an ODBC data source
at either the integration node level, or at the integration server
level:
mqsisetdbparms IBNODE -n odbc::USERDB2 -u myuserid2 -p mypassword2
mqsisetdbparms IBNODE -n odbc::USERDB2::myIntegrationServer -u myuserid3 -p mypassword3
The following example shows how to set up a default user ID and password for the broker to use for all ODBC data source names where no explicit Resource Names were set:
mqsisetdbparms IBNODE -n dsn::DSN -u myuserid4 -p mypassword4
The following examples delete all the values that are defined for specific resource names from the broker registry:
mqsisetdbparms IBNODE -n USERDB1 -d
mqsisetdbparms IBNODE -n odbc::USERDB2 -d
mqsisetdbparms IBNODE -n odbc::USERDB2::myIntegrationServer -d
Email server connections
mqsisetdbparms integrationNodeName -n ResourceName -u userID -p password
For example:
mqsisetdbparms IBNODE -n smtp::mySecurityIdentityObjectName
-u myUserID -p myPassword
IBM Sterling Connect:Direct
mqsisetdbparms integrationNodeName -n ResourceName -u userID -p password
For example:
mqsisetdbparms IBNODE -n cd::default -u mqbroker -p xxxxxxx
JDBC type 4 connections
jdbc::
, followed by the value that
matches the -n securityIdentity property of the
associated JDBCProvider configurable service.mqsisetdbparms integrationNodeName -n resource_name -u userID -p password
For
example:mqsisetdbparms IBNODE -n jdbc::mySecurityIdentity -u myuserid -p secretpw
mqsisetdbparms IBNODE -n jdbc::JDBC -u UserId2 -p password2
JMS and JNDI resource names
The following examples show the use of the command when the URI for a JMS or JNDI resource name is substituted for the -n ResourceName parameter.
For a JMS resource,
the URL prefix is "jms::"
; for JNDI, the prefix is "jndi::"
.
On Linux and UNIX systems, if the parameter string
includes a backslash (\
) character, you must escape
from this character by using a second backslash character (\\
)
when you enter the mqsisetdbparms command.
myuserid
and
password secret
for JMS topic connection factory tcf1
,
use the following syntax:mqsisetdbparms IBNODE -n jms::tcf1 -u myuserid -p secret
com.sun.jndi.fscontext.RefFSContextFactory
,
enter the following command:mqsisetdbparms IBNODE -n jndi::com.sun.jndi.fscontext.RefFSContextFactory
-u myuserid -p secret
JMS node account names
The preceding examples describe how to configure security for JMS and JNDI resources for all JMS nodes that use those resources in an integration node.
_
): Message Flow Name_Node label
MyJMSFlow1
,
and you require a specific user ID and password for JMSInput node MyJMSInput1
,
the resulting account name is: MyJMSFlow1_MyJMSInput1
@
) character followed
by the resource name: resource typeaccount name@resource name
tcf1
,
used by JMSInput node MyJMSInput1
in
message flow MyJMSFlow1
, the following resource
name is used: jms::MyJMSFlow1_MyJMSInput1@tcf1
myuserid
, a password
of secret
, and the resource name that is created
from the account name, use the following syntax: mqsisetdbparms IBNODE -n jms::MyJMSFlow1_MyJMSInput1@tcf1
-u myuserid -p secret
LDAP servers
ldap.mydomain.com
:mqsisetdbparms IBNODE -n ldap::ldap.mydomain.com -u ldapuid -p ********
To
set up authorization for other servers, use the command to set up
default credentials:mqsisetdbparms IBNODE -n ldap::LDAP -u ldapother -p ********
If
you want the integration node to bind anonymously to an LDAP server,
specify the server name and the user ID anonymous
:mqsisetdbparms IBNODE -n ldap::ldap.mydomain2.com -u anonymous -p ********
For
the user ID anonymous
, the password is always ignored.MQTT connections
mqsisetdbparms IBNODE -n mqtt::mySecurityIdentity -u myUserID -p myPassword
The MQTTSubscribe or MQTTPublish node that is connecting
to a secure MQTT server must have its Security identity property
set to the same value that is configured by using this command, so mySecurityIdentity
in
this example.pubsubDefault
.
These credentials are used to connect to an external MQTT server that
the integration node uses to publish its event messages. mqsisetdbparms IBNODE -n mqtt::pubsubDefault -u myUserID -p myPassword
For
more information, see Configuring the publication of event messages. HTTP proxy server connections
mqsisetdbparms IBNODE -n httpproxy::myProxyHostname -u myUserID -p myPassword
mqsisetdbparms IBNODE -n httpproxy::HTTPPROXY -u myProxyUsername -p myProxyPassword
Kafka connections
mqsisetdbparms integrationNodeName -n kafka::KAFKA::integrationServerName -u userID -p password
mqsisetdbparms IBNODE -n kafka::KAFKA::myIntegrationServer1 -u myKafkaUserID -p myKafkaPassword
All
Kafka nodes that are deployed to the same integration server must
use the same set of credentials to authenticate to the Kafka cluster.
The user ID and password specified by this command are used when a
connection is attempted by any Kafka node that has been deployed to
the specified integration server.WebSphere Adapters account names
mqsisetdbparms integrationNodeName -n adapter name -u user name -p password
For
example:mqsisetdbparms IBNODE -n eis::SAPCustomerInbound.inadapter -u sapuid -p ********
IMS connections
mqsisetdbparms integrationNodeName -n resource_name -u userID -p password
For example:
mqsisetdbparms IBNODE -n ims::mySecurityIdentity -u myuserid -p mypassword
Salesforce connections
mqsisetdbparms integrationNodeName -n salesforce::mySecurityIdentity -u userID -p password -c clientIdentity -s clientSecret
mqsisetdbparms IBNODE -c
3MVG98_Pfg5cqqyb0NUwU1XtHr9NhWu_Kmb8RTIH53a7pdTzeychmvvtjTdiRbuoWtyr_QL.lepaXNk7W3PDA -s
2050239087638761094 -n 'salesforce::SF' -p 'passwd1IWvMp3JqqklwG2erpaLs2oKz' -u 'salesforce_userid'
LoopBack connections
mqsisetdbparms integrationNodeName -n loopback::mySecurityIdentity -u userID -p password
mqsisetdbparms IBNODE -n loopback::lbreqid1 -u myLoopBackUserID -p myLoopBackPassword
REST API connections
mqsisetdbparms IBNODE -n rest::mySecurityIdentity -u myRESTUserID -p myRESTPassword -k myRESTAPIkey
mqsisetdbparms IBNODE -n rest::mySecurityIdentity -u myRESTUserID -p myRESTPassword
mqsisetdbparms IBNODE -n rest::mySecurityIdentity -k myRESTAPIkey
FTP and SFTP server connections
mqsisetdbparms IBNODE -n ftp::identityA -u user1 -p MyPassword
mqsisetdbparms IBNODE -n sftp::identityB -u user2 -p MyPassword
mqsisetdbparms IBNODE -n sftp::identityC -u user3 -i C:\key_rsa_no_pp
mqsisetdbparms IBNODE -n sftp::identityD -u user4 -i C:\key_rsa_pp -r MyPassPhrase
Kerberos
Use the mqsisetdbparms command to provide the integration node with the Kerberos client credentials for accessing the Kerberos Key Distribution Center (KDC). These credentials (which are required for SOAPRequest nodes) can also be provided in the integration node properties tree.
mqsisetdbparms IBNODE -n kerberos::realm1::integrationServerName -u clientId -p ClientPassword
mqsisetdbparms IBNODE -n kerberos::realm1 -u clientId -p ClientPassword
mqsisetdbparms IBNODE -n kerberos::kerberos -u clientId -p ClientPassword
WebSphere eXtreme Scale grid connections
Use the mqsisetdbparms command to specify the user name and password to use when you connect to a secure WebSphere eXtreme Scale grid. The name of this identity (in this example, id1) is used by the WXSServer configurable service.
mqsisetdbparms IBNODE -n wxs::id1 -u userId -p password