Creating an MFT credentials file

You can use an MFT credentials file to store the user ID and password information used to connect to IBM® MQ and to Db2®, and you can have a separate credentials file for each agent.

If you have a credentials file for each agent, you can limit by agent which users can access the credentials file.

An example of the code you require:
<?xml version="1.0" encoding="IBM-1047"?>
<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MFTCredentials"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://wmqfte.ibm.com/MFTCredentials MFTCredentials.xsd">
<!--      name="MQPH" user="ADMIN" mqUserId="JOHNDOEH" -->

<tns:qmgr name="MQPH" user="ADMIN" mqUserId="JOHNDOEH" mqPassword="cXXXX"/>
<!--      name="MQPI" user="ADMIN" mqUserId="JOHNDOE1" -->

<tns:qmgr name="MQPI" user="ADMIN" mqUserId="JOHNDOEI" mqPassword="yXXXX"/>
<tns:qmgr name="MQPH"       mqUserId="NONEH" mqPassword="yXXXX"/>
<tns:qmgr name="MQPI"       mqUserId="NONEI" mqPassword="yXXXX"/>
</tns:mqmftCredentials>

When a job running under user ID ADMIN needs to connect to queue manager MQPH, it passes user ID JOHNDOEH and uses password cXXXX.

If the job is run by any other user ID, and connects to MQPH, that job passes user ID NONEH and password yXXXX.

You can protect this file using a security product, for example, RACF®, but the user IDs running the IBM MQ Managed File Transfer commands need read access to this file.

You can obscure information in this file using the JCL in member BFGCROBS. This takes the file and encrypts the IBM MQ user ID and password. For example, member BFGCROBS takes the line
<tns:qmgr name="MQPI" user="JOHNDOE2" mqUserId="JOHNDOE1" mqPassword="yXXXX"/>
and creates
<tns:qmgr mqPasswordCipher="e977c61e9b9c363c" mqUserIdCipher="c394c5887867157c"
name="MQPI" user="JOHNDOE2"/>
If you want to keep a record of the user ID to IBM MQ user ID mapping, you can add comments to the file. For example:
<!--      name="MQPI" user="ADMIN"    mqUserId="JOHNDOE1" -->

These comments are unchanged by the obscuring process.

Note that the content is obscured, not strongly encrypted. You should limit which user IDs have access to the file.
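
The following Python script is an added example, not part of the IBM MQ product or of the original page. It checks a credentials file for entries that have not yet been obscured and shows which entry applies to a given job user ID, following the selection behaviour described above. The sample file is constructed, and the helper names and the exact-match, first-match-wins rule are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://wmqfte.ibm.com/MFTCredentials}"

# Constructed sample: the MQPI entry has been obscured, the MQPH entries have not.
SAMPLE = """<tns:mqmftCredentials xmlns:tns="http://wmqfte.ibm.com/MFTCredentials">
<!-- name="MQPI" user="JOHNDOE2" mqUserId="JOHNDOE1" -->
<tns:qmgr mqPasswordCipher="e977c61e9b9c363c" mqUserIdCipher="c394c5887867157c"
 name="MQPI" user="JOHNDOE2"/>
<tns:qmgr name="MQPH" user="ADMIN" mqUserId="JOHNDOEH" mqPassword="cXXXX"/>
<tns:qmgr name="MQPH" mqUserId="NONEH" mqPassword="yXXXX"/>
</tns:mqmftCredentials>"""


def qmgr_entries(xml_text):
    """Yield the attribute dict of every tns:qmgr element in the file."""
    for elem in ET.fromstring(xml_text).iter(NS + "qmgr"):
        yield dict(elem.attrib)


def clear_text_entries(xml_text):
    """Return (name, user) for each entry that still carries clear-text credentials.
    The credential values themselves are never returned or printed."""
    return [(e.get("name"), e.get("user")) for e in qmgr_entries(xml_text)
            if "mqUserId" in e or "mqPassword" in e]


def select_entry(xml_text, qmgr, job_user):
    """Entry for job_user on qmgr, else the entry for qmgr with no user attribute.
    Assumption: exact, case-sensitive matching; first match wins."""
    default = None
    for e in qmgr_entries(xml_text):
        if e.get("name") != qmgr:
            continue
        if e.get("user") == job_user:
            return e
        if "user" not in e and default is None:
            default = e
    return default


if __name__ == "__main__":
    for name, user in clear_text_entries(SAMPLE):
        print(f"clear-text credentials: qmgr={name} user={user or '(default)'}")
    print("ADMIN -> MQPH as", select_entry(SAMPLE, "MQPH", "ADMIN")["mqUserId"])
    print("OTHER -> MQPH as", select_entry(SAMPLE, "MQPH", "OTHER")["mqUserId"])
```

An empty result from clear_text_entries means every entry has been through the obscuring step; access to the file still needs to be restricted, because the values are obscured rather than strongly encrypted.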