Mapping credentials for a file server using the ProtocolBridgeCredentials.xml file

Map user credentials in IBM® MQ Managed File Transfer to user credentials on the file server by using the default credential mapping function of the protocol bridge agent. IBM MQ Managed File Transfer provides an XML file that you can edit to include your credential information.

About this task

The ProtocolBridgeCredentials.xml file must be manually created by the user. By default, the location of this file is the home directory of the user who started the protocol bridge agent, but this can be stored anywhere on the file system accessible by the agent. To specify a different location, add the <credentialsFile> element to the ProtocolBridgeProperties.xml file. For example,

<tns:credentialsFile path="/example/path/to/ProtocolBridgeCredentials.xml"/>

Before you can use a protocol bridge agent, set up credential mapping by editing this file to include host, user, and credential information. For more information and samples, see Protocol bridge credentials file format.

When you create the ProtocolBridgeCredentials.xml file on a z/OS® platform using IBM MQ Managed File Transfer V7.5 or earlier, you must set a file tag before you edit the file. Run the following command to mark the file as having ASCII contents:

chtag -t -c ISO8859-1 ProtocolBridgeCredentials.xml

Note: On z/OS, you can store the protocol bridge credential file on a dataset, where the name of the .xml file can be specified by the user.

Procedure

- Edit the line <tns:server name="server name"> to change the value of the name attribute to the server name in the ProtocolBridgeProperties.xml file.
  Protocol bridge agents that are created for Version 7.0.4 and earlier do not have a ProtocolBridgeProperties.xml file (or related user exits), so for Version 7.0.4.1 and later the server name is automatically assigned the server's host name. Therefore, if you use an updated ProtocolBridgeCredentials.xml file with <server> entries, a name corresponding to the server's host name will match.
  You can use the pattern attribute to specify that you used a server name that contains wildcards or regular expressions. For example,
```
<tns:server name="serverA*" pattern="wildcard">
```
Insert user ID and credential information into the file as child elements of <tns:server>.
You can insert one or many of the following elements into the file:
- If the protocol file server is an FTP, FTPS, or SFTP server, you can use passwords to authenticate the user requesting the transfer. Insert the following lines into the file:
```
<tns:user name="FTE User ID" 
  serverUserId="Server User ID" 
  serverPassword="Server Password">
</tns:user>
```
  Then change the value of the attributes.
  - name is a Java regular expression to match the MQMD user ID associated with the MQMFT transfer request
  - serverUserId is the value that is passed to the protocol file server as the login user ID. If the serverUserId attribute is not specified, the MQMD user ID associated with the MQMFT transfer request is used instead
  - serverPassword is the password that is associated with the serverUserId.
  The name attribute can contain a Java regular expression. The credential mapper attempts to match the MQMD user ID of the MQMFT transfer request to this regular expression. The protocol bridge agent attempts to match the MQMD user ID to the regular expression in the name attribute of the <tns:user> elements in the order that the elements exist in the file. When a match is found the protocol bridge agent does not look for more matches. If a match is found, the corresponding serverUserId and serverPassword values are passed to the protocol file server as the login user ID and password. The MQMD user ID matches are case-sensitive.
- If the protocol file server is an SFTP server, you can use public and private keys to authenticate the user requesting the transfer. Insert the following lines into the file and change the value of the attributes. The <tns:user> element can contain one or many <tns:privateKey> elements.
```
<tns:user name="FTE User ID" 
    serverUserId="Server User ID" 
    hostKey="Host Key">
    <tns:privateKey associationName="association" 
      keyPassword="Private key password">
   Private key file text
    </tns:privateKey>
</tns:user>
```
  - name is a Java regular expression to match the MQMD user ID associated with the MQMFT transfer request
  - serverUserId is the value that is passed to the protocol file server as the login user ID. If the serverUserId attribute is not specified, the MQMD user ID associated with the MQMFT transfer request is used instead
  - hostKey is the expected key that is returned from the server when logging on
  - key is the private key of the serverUserId
  - keyPassword is the password for the key to generate public keys
  - associationName is a value that is used to identify for trace and logging purposes
  The name attribute can contain a Java regular expression. The credential mapper attempts to match the MQMD user ID of the MQMFT transfer request to this regular expression. The protocol bridge agent attempts to match the MQMD user ID to the regular expression in the name attribute of the <tns:user> elements in the order that the elements exist in the file. When a match is found the protocol bridge agent does not look for more matches. If a match is found, the corresponding serverUserId and key values are used to authenticate the MQMFT user with the protocol file server. The MQMD user ID matches are case-sensitive.
  For more information about using private keys with a protocol bridge agent, see Example: How to configure a protocol bridge agent to use private key credentials with a UNIX SFTP server.
Note:
When the transfer request is written to the command queue, the MQMD user ID might be converted to uppercase if the source agent command queue is on a z/OS or IBM i system. As a result the MQMD user ID for the same originating user might arrive at the credentials exit in the original case or converted to uppercase depending on the source agent that is specified in the transfer request. The default credential mapping exit performs case-sensitive matches against the supplied MQMD user ID, which you might need to allow for in the mapping file.