[AIX][MQ 9.4.0 Jun 2024][Linux]

runqmcred (protect authentication token keystore password)

Use the runqmcred command to encrypt the password for the queue manager key repository that contains the trusted authentication token issuer's public key certificates or symmetric keys.

Purpose

The runqmcred command is used to encrypt the password for the queue manager authentication token key repository. The authentication token key repository contains the public key certificates or symmetric keys for trusted authentication token issuers. The path to the key repository and the file that contains the encrypted password are specified in the AuthToken stanza in the qm.ini file. The queue manager uses the information in the AuthToken stanza to verify that the token that an application provides for authentication purposes is issued by a trusted issuer.

The key repository password must be encrypted as it is not secure to store plain text passwords. Copy the encrypted password that is returned by the runqmcred command into a file, and include the path to the file in the KeyStorePwdFile attribute of the AuthToken stanza in the qm.ini file.

An encryption key, which is known as the initial key, is used to encrypt the password. You can provide a file that contains the initial key when you run the runqmcred command. Create the initial key file before you run the command. If you do not provide the initial key, the default initial key is used.
CAUTION:
The default initial key is the same for all IBM® MQ installations. To protect passwords securely, supply an initial key that is unique to your installation when you encrypt passwords.
Important: If you supply an initial key when you encrypt the password, the same initial key must be specified in the queue manager INITKEY attribute so that the queue manager can decrypt the password. If the queue manager INITKEY attribute is already set, use the same initial key when you run the runqmcred command. For more information about the queue manager INITKEY attribute, see INITKEY.

Syntax

runqmcred [-sf keyfile] [-sm]

Optional parameters

-sf keyfile
Path to a file that contains the initial key that is used to encrypt the password. Create this file before you run the runqmcred command. The same initial key must be specified in the queue manager INITKEY attribute. The file must contain a single line of at least one character.
If this parameter is not specified, the default initial key is used.
[MQ 9.4.4 Oct 2025] -sm
Encrypts passwords using a FIPS compliant cryptographic library.

Examples

The following example encrypts the authentication token key repository password with the initial key that you provide.

Use the -sf argument to provide the initial key file path. You are prompted to enter the password to encrypt.
runqmcred -sf /home/initial.key
The command outputs the following text, with the encrypted password on the last line.
5724-H72 (C) Copyright IBM Corp. 1994, 2026.
Enter password:
*************
<QM>!2!UnH/9hRXEGA0cenLVSGCW9a0s5A2vHDkTiA7vRv8ogc=!yhlsHFw7MIh48SvaYeTwRQ==
The following example encrypts the authentication token keystore password with the default initial key.
runqmcred
The command outputs the following text, with the encrypted password on the last line.
5724-H72 (C) Copyright IBM Corp. 1994, 2026.
Credentials are encrypted using the default encryption key. For more secure
protection of stored credentials, use a custom, strong encryption key.
Enter password:
*************
<QM>!2!b5rb01sMzFzc1ClZeQMryruWFM3HSm8DKyEaZK7qzWY=!TrWdU57DCDXM0Qah99I/Lg==
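
The following script is an added example, not part of the IBM documentation or of IBM MQ. It audits the files this procedure leaves on disk: the file named by KeyStorePwdFile in the AuthToken stanza must hold runqmcred output rather than a plain text password, and the initial key file must be a single non-empty line. The function names, the ciphertext pattern (inferred from the sample output above), the one-line password file and the owner-only permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: audits the files the runqmcred procedure leaves on disk.
# Function names, ciphertext pattern and permission rule are assumptions.

# Print the KeyStorePwdFile value from the AuthToken stanza of a qm.ini file.
authtoken_pwd_file() {
    awk '/^[A-Za-z][A-Za-z0-9]*:[ \t]*$/ { in_stanza = ($1 == "AuthToken:"); next }
         in_stanza && /^[ \t]*KeyStorePwdFile[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }' "$1"
}

# True if the file has exactly one line (page: "a single line of at least one
# character") that is non-empty and is not accessible to group or other.
check_initial_key() {
    [ -f "$1" ] || return 1
    [ "$(awk 'END { print NR }' "$1")" -eq 1 ] || return 1
    [ -n "$(head -n 1 "$1")" ] || return 1
    case "$(ls -ld "$1")" in -???------*) return 0 ;; *) return 1 ;; esac
}

# True if the file holds one line shaped like the runqmcred output shown on
# the page (<QM>!2!...!...), so a plain text password is rejected.
check_pwd_file() {
    [ -f "$1" ] || return 1
    [ "$(awk 'END { print NR }' "$1")" -eq 1 ] || return 1
    grep -Eq '^<QM>![0-9]+![A-Za-z0-9+/]+=*![A-Za-z0-9+/]+=*$' "$1"
}

# Audit one queue manager. $1 = qm.ini path, $2 = initial key file used with -sf.
audit_authtoken() {
    pwd_file=$(authtoken_pwd_file "$1")
    [ -n "$pwd_file" ] || { echo "no KeyStorePwdFile in AuthToken stanza"; return 2; }
    check_pwd_file "$pwd_file" || { echo "$pwd_file: not runqmcred output"; return 3; }
    check_initial_key "$2" || { echo "$2: not a private single-line key file"; return 4; }
    echo "ok"
}

# Constructed demo: builds sample files in a temp directory and audits them.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed-initial-key\n' > "$d/initial.key"; chmod 600 "$d/initial.key"
    printf '%s\n' '<QM>!2!UnH/9hRXEGA0cenLVSGCW9a0s5A2vHDkTiA7vRv8ogc=!yhlsHFw7MIh48SvaYeTwRQ==' > "$d/pwd.txt"
    printf 'Log:\n   LogType=CIRCULAR\nAuthToken:\n   KeyStorePwdFile=%s\n' "$d/pwd.txt" > "$d/qm.ini"
    audit_authtoken "$d/qm.ini" "$d/initial.key"; rc=$?
    rm -rf "$d"; return $rc
}

if [ $# -eq 2 ]; then audit_authtoken "$1" "$2"; else demo; fi
```

The audit cannot tell whether the default initial key was used, because that is not visible in the encrypted string; confirm separately that the queue manager INITKEY attribute is set to your own key.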

Return codes

0
Command completed successfully.
1
Command completed unsuccessfully.