[UNIX, Linux, Windows, IBM i]

runmqicred (protect IBM MQ client passwords)

The runmqicred command protects passwords that are used by the IBM® MQ client libraries, for example, the TLS keystore password. It is also used to protect passwords that are used to protect log replication traffic for Native HA configurations.

Usage notes

The runmqicred command prompts for the password to be encrypted to be entered. An encryption key, which is known as the initial key, is used to encrypt the password. You can provide a file that contains the initial key when you run the command. Create the initial key file before you run the command. If you do not provide the initial key, the default initial key is used.

To encrypt the password with a specific initial key, use one of the following mechanisms to specify the name of the file that contains the initial key, in order of priority:
  1. The -sf parameter to the runmqicred command.
  2. The MQS_MQI_KEYFILE environment variable.
CAUTION:
The default initial key is the same for all IBM MQ installations. To protect passwords securely, supply an initial key that is unique to your installation when you encrypt passwords.

After the password is encrypted, runmqicred displays the encrypted password string.

Store the encrypted password in the appropriate property.
  • For IBM MQ clients, store the encrypted password in either the appropriate property of the mqclient.ini file, or the MQKEYRPWD environment variable.
  • [MQ 9.4.0 Jun 2024]For Native HA configurations, store the encrypted password in the appropriate property of the NativeHALocalInstance stanza of the qm.ini file.

Syntax

Read syntax diagramSkip visual syntax diagram runmqicred -sfkeyfile-spprotection_mode-sm

Optional parameters

-sf keyfile
The path to the file that contains the initial key that is used to encrypt the password. If specified, the file must contain at least one character, and only one line.
If this parameter is not specified, the default initial key is used.
-sp protection_mode
The password protection mode that is used by the command. One of the following values can be specified:
1
Use the password protection mode that is compatible with IBM MQ 9.2.
2
Use the latest password protection mode. This mode is the most secure credentials protection mode.
This value is the default.
[MQ 9.4.4 Oct 2025]-sm
Encrypts passwords using a FIPS compliant cryptographic library.

Examples

>runmqicred
5724-H72 (C) Copyright IBM Corp. 1994, 2025.
Credentials are encrypted using the default encryption key. For more secure
protection of stored credentials, use a custom, strong encryption key.Enter password:
*******
<MQI>!2!+uIepF0e7O/R7CUCe/46ToTo5MucJCWgLZKCSYwLix4=!+6AG1pYrphCo/dlfSt8N3g====
>runmqicred -sf InitialKey.file
5724-H72 (C) Copyright IBM Corp. 1994, 2025.
Enter password:
*******
<MQI>!2!STHVy96FWSEwPkwNQfR2Nuoe6/uWl/EAqqylOjav9qs=!l+2y9yB/SjpzssrpGd+wJw======

Return codes

0
Command completed successfully.
1
Command completed unsuccessfully.