Specifying the password encryption key
From IBM® MQ 9.1.5, if the MQIPT configuration contains passwords that are encrypted using an encryption key other than the default key, you must provide the password encryption key in a file that MQIPT can read when it starts.
The password encryption key file
Passwords that are encrypted to be stored and used by MQIPT can be encrypted using an encryption key that you provide. If you do not provide an encryption key, the default encryption key is used. You do not have to specify a password encryption key; however, it is more secure to do so.
The same password encryption key is used to encrypt and decrypt all stored passwords for an instance of MQIPT. Therefore, you need only a single password encryption key file for each MQIPT installation.
If the password encryption key for an MQIPT installation is changed, all encrypted passwords must be re-encrypted using the new encryption key.
Starting MQIPT
The default name of the password encryption key file is MQIPT_HOME_DIR/mqipt_cred.key, where MQIPT_HOME_DIR is the directory where the mqipt.conf configuration file is stored. If you are planning to run MQIPT as a service that is automatically started, you must create the password encryption key file with the default name.
A password encryption key file with a different name can be specified using any of the following:
- the -sf parameter on the mqipt command used to start MQIPT.
- the MQS_MQIPTCRED_KEYFILE environment variable.
- the com.ibm.mq.ipt.cred.keyfile Java property.
If no password encryption key file name is provided, the default file name will be used, if the file exists. If the default password encryption key file does not exist, the default password encryption key is used.
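The fallback rules above can be checked before MQIPT is started. The following shell function is an added example, not IBM code: it reports whether MQIPT would start with your own key file or silently fall back to the default key. The function name and result labels are hypothetical, it assumes the -sf value takes priority over the environment variable, it does not inspect the Java property, and the group/other permission check is an extra hardening check that the page does not require.

```shell
#!/bin/sh
# Added example (not IBM code): preflight check of the MQIPT password
# encryption key file.
# Usage: mqipt_key_source MQIPT_HOME_DIR [file that will be passed to -sf]
# Prints one of (labels are this example's own):
#   default-key           no file name given, no default file: default key
#   own-key:PATH          key file found, not accessible to group or others
#   own-key-exposed:PATH  key file found, but group or others have access
#   unreadable:PATH       a key file is expected but cannot be read
mqipt_key_source() {
    home_dir=$1
    sf_file=${2:-}

    if [ -n "$sf_file" ]; then
        # Assumption: an explicit -sf value wins over the environment.
        key_file=$sf_file
    elif [ -n "${MQS_MQIPTCRED_KEYFILE:-}" ]; then
        key_file=$MQS_MQIPTCRED_KEYFILE
    else
        # No name provided: the default file is used only if it exists,
        # otherwise MQIPT uses the default password encryption key.
        key_file=$home_dir/mqipt_cred.key
        if [ ! -e "$key_file" ]; then
            echo "default-key"
            return 0
        fi
    fi

    # MQIPT must be able to read the file when it starts, so run this
    # check as the user that starts MQIPT.
    if [ ! -r "$key_file" ]; then
        echo "unreadable:$key_file"
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$key_file" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        echo "own-key:$key_file"
    else
        echo "own-key-exposed:$key_file"
    fi
}
```

A result of `default-key` on an installation that is meant to use its own key indicates that the key file is missing or misnamed.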