IBM Integration Bus, Version 10.0.0.0 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


mqsisetdbparms command

Use the mqsisetdbparms command to associate a specific user ID and password (or SSH identity file) with one or more resources that are accessed by the integration node.

Supported platforms

  • Windows
  • Linux and UNIX systems
  • z/OS®. Run this command by customizing and submitting BIPSDBP.

Purpose

Use the mqsisetdbparms command to set security credentials for a specific user ID and password for database connections (or user ID and SSH identity file for SFTP) for the following resources:
  • A CICSConnection configurable service
  • A data source name (DSN) that is accessed from a message flow
  • An EmailServer configurable service
  • An FtpServer configurable service
  • An IMSConnect configurable service
  • A JDBCProvider configurable service
  • A JMS or JNDI resource, for example a JMSProviders configurable service
  • Kerberos Key Distribution Center (KDC) client credentials for SOAPRequest nodes with a WS-Security policy set and bindings that specify Kerberos
  • Lightweight Directory Access Protocol (LDAP) bind credentials for the integration node security manager
  • An MQTT server that requires a user name and password
  • A secured WebSphere® MQ queue manager
  • An SMTP configurable service
  • The integration node keystore password
  • An account name, with a user name and password, for the WebSphere Adapters
  • A WebSphere Service Registry and Repository (WSRR) configurable service
  • A WXSServer configurable service
  • SOAPRequest nodes

The user ID and password pair is created in the DSN folder under the integration node registry folder.

You can run the mqsisetdbparms command while the integration node is running. However, you must stop and start each integration server that uses a particular DSN, before that information is read and used by that integration server.

If you are using the mqsisetdbparms command on Linux or a UNIX console, add an escape character if you use one or more of the reserved characters. For example, you must specify these values:

mqsisetdbparms DUMMYBROKER -n ftp::DUMMYFTP -u dummy\\user -p abcdef  

Do not use the following format:

mqsisetdbparms DUMMYBROKER -n ftp::DUMMYFTP -u dummy\user -p abcdef  

If you use the latter format, the backslash character (\) in the user ID or password is ignored. The example causes the FTP connection through the FileInput node to fail with incorrect user credentials.

For a full list of reserved characters, and the rules that are associated with those characters when you use quotation marks and escape characters, see the documentation that is supplied with the shell.

To check any credentials that you set by using mqsisetdbparms, use the mqsireportdbparms command; see mqsireportdbparms command.

Syntax

Create

Read syntax diagramSkip visual syntax diagram
>>-mqsisetdbparms--integrationNodeName-- -n --ResourceName------>

>-- -u --UserId------------------------------------------------->

>--+- -p --Password------------------------------+--+-----+----><
   '- -i --SSHIdentityFile--+------------------+-'  '- -f-'   
                            '- -r --Passphrase-'              

Alter

Read syntax diagramSkip visual syntax diagram
>>-mqsisetdbparms--integrationNodeName-- -n --ResourceName------>

>--+--------------+--------------------------------------------->
   '- -u --UserId-'   

>--+- -p --Password------------------------------+--+-----+----><
   '- -i --SSHIdentityFile--+------------------+-'  '- -f-'   
                            '- -r --Passphrase-'              

Delete

Read syntax diagramSkip visual syntax diagram
>>-mqsisetdbparms--integrationNodeName-- -n --ResourceName------>

>-- -d --+-----+-----------------------------------------------><
         '- -f-'   

Adapter connection

Read syntax diagramSkip visual syntax diagram
>>-mqsisetdbparms--integrationNodeName-- -n --AdapterName------->

>-- -u --EISUserId-- -p --EISPassword--+-----+-----------------><
                                       '- -f-'   

Parameters

integrationNodeName
(Required) The name of the integration node for which settings are to be created, altered, or deleted.
-n ResourceName or AdapterName
(Required) This parameter identifies one of the following resources:
  • The ODBC data source for which the user ID and password pair are to be created or modified. The ResourceName takes the form of either dsn::DSN, dsn::ODBC, or datasource_name, where datasource_name identifies the data source name for the database to which you want to connect.
    Data source names are used by the following nodes:
    • Compute
    • Database
    • DatabaseRetrieve
    • DatabaseRoute
    • Filter
    • Mapping
    If you use the same DSN to refer to the same database instance from multiple nodes, the same user ID and password pairing is used.

    To define default values for user ID and password for the integration node to use for all data source names for which you have not set specific values, specify dsn::DSN.

    If you migrated the integration node from a previous version, the values that you define on this command replace the values that you set on the mqsicreatebroker or mqsichangebroker commands before migration; the relevant parameters on those commands are deprecated in WebSphere Message Broker Version 8.0.

  • The name of the security identity that is used to connect an IBM® Sterling Connect:Direct® CDOutput or node to itsConnect:Direct server. The ResourceName takes the form cd::secId, where secId is specified as the value of the security identity property on a CDServer configurable service. Change security identity cd::default to alter the default user ID and password.
  • The name of the security identity that is used to authenticate a CICS® Transaction Server for z/OS connection. The ResourceName takes the form cics::secId, where secId is specified as the value of the Security identity property on the CICSRequest node or in the -n securityIdentity property of the associated CICSConnection configurable service.
  • The name of the security identity that the EmailInput node or EmailServer configurable service use to authenticate with an email server to retrieve email messages. The ResourceName takes the form email::secId, where secId is specified as the value of the Security identity property on the EmailInput node or in the -n securityIdentity property of the associated EmailServer configurable service.
  • The name of the IMS™ connection. The ResourceName takes the form ims::secId, where secId is the same as the value of the Security identity property on the IMSRequest node or in the -n securityIdentity property of the associated IMSConnect configurable service.
  • The name of the security identity that is used to authenticate a JDBC type 4 connection. The ResourceName takes the form jdbc::secId, where secId is specified as the value of the -n securityIdentity property of the associated JDBCProvider configurable service on the mqsicreateconfigurableservice or mqsichangeproperties command.

    Specify jdbc::JDBC to define default values for user ID and password for the integration node to use for all JDBC connections for which you have not set specific values.

  • The name of the security identity that is used to authenticate a connection to a JMS or JNDI resource. The ResourceName takes the form jms::secId or jndi::secId, where secId is specified as the value.
  • The name of the security identity that is used for retrieving client credentials from the Kerberos Key Distribution Center (KDC) by a SOAPRequest node with a policy set and binding specifying Kerberos.
  • The name of the security identity that is used to authenticate an LDAP directory.

    Specify ldap::<servername> to define credentials for an individual server. If you want the integration node to bind anonymously to this server, specify anonymous as the user ID.

    Specify ldap::LDAP to define a default setting. The integration node uses the specified user ID and password values for all servers that do not have an explicit ldap::<servername> entry. Therefore, all servers that previously used anonymous bind by default start to use the details defined in an ldap::LDAP entry.

  • The name of the adapter connection to the external EIS. The AdapterName takes the form eis::adapterName, where adapterName is specified as the value.
  • The name of the security identity that is used to authenticate a connection to an MQTT server. The security identity is used to locate the user name and password. The ResourceName takes the form mqtt::secId, where secId is specified as the value of the Security identity property of the MQTTPublish or MQTTSubscribe node.
    • Specify mqtt::pubsubDefault to define security credentials for connecting to an external MQTT server that the integration node uses to publish its event messages. For more information, see Configuring the publication of event messages.
  • The name of the security identity that is used to authenticate a connection to a secured WebSphere MQ queue manager. The security identity is used to locate the user name and password, which are passed to the queue manager when a connection is attempted.
    • Specify mq::securityIdentityName to define a security identity to be used for retrieving user name and password credentials for an MQ node that has the Security identity property set tosecurityIdentityName (through either the MQ Connection properties on the node or an MQEndpoint policy).
    • Specify mq::QMGR::QMName to configure a user name and password to be used for all local or client connections to the named queue manager, when no security identity name has been specified in the MQ node or MQEndpoint policy.
    • Specify mq::MQ to configure a user name and password for all local or client connections to queue managers, where no security identity name has been set on the MQ node or MQEndpoint policy, and where the queue manager that is being connected to does not match any queue manager names that have been specified using mq::QMGR::QMName.
    • Specify mq::pubsubDefault to define security credentials for connecting to an MQ pub/sub broker that the integration node uses to publish its event messages. For more information, see Configuring the publication of event messages.
  • The name of the security identity that is used to authenticate an SMTP server.
  • The name of the security identity that is used to authenticate a connection to an FTP server. The ResourceName takes the form ftp::secId, where secId is specified as the value of the Security identity property of the FileInput or FileOutput node, or in the -n securityIdentity property of the associated FtpServer configurable service on the mqsicreateconfigurableservice or mqsichangeproperties command.
  • The name of the security identity that is used to authenticate a connection to an SFTP server. The security identity is used to locate the user name and password or the Secure Shell (SSH) identity file. The ResourceName takes the form sftp::secId, where secId is specified as the value of the Security identity property of the FileInput or FileOutput node, or in the -n securityIdentity property of the associated FtpServer configurable service on the mqsicreateconfigurableservice or mqsichangeproperties command.
  • The name of the security identity that is used to authenticate an integration node keystore.
  • The name of the security identity that is used to authenticate a WSRR configurable service.
  • The name of the security identity that is used to connect to a secure WebSphere eXtreme Scale grid. The security identity represents a user name and password that is used when you connect to an external grid. The name of this identity is used by the WXSServer configurable service.
-u UserId or EISUserId
(Required for Create and adapter connection; Optional for Alter) The user ID to be associated with this resource or EIS.
-p Password
(Required for Create, Alter, and adapter connection) The password to be associated with this resource or EIS.

For compatibility with existing systems, you can still specify <password>. However, if you do not specify a password with this parameter when you run the command, you are prompted to enter a password during its invocation, and to enter the password a second time to verify that you have entered it correctly.

On z/OS only, this parameter is optional with the dsn::DSN resource type. If you omit this parameter, the integration node uses the started task user ID to connect to DB2®. The integration node uses the user ID that you specified with the -u parameter when it constructs fully qualified SQL statements; for example, for stored procedures. If you create fully qualified SQL statements, the integration node uses these statements as created.

This parameter is required with the ftp:: resource type, but is optional with the sftp:: resource type. However, if you do not specify a password with an sftp:: resource, you must specify the SSHIdentityFile parameter.

-i SSHIdentityFile
(Optional) The name of an identity file, in the OpenSSH format, to be used for authentication with SFTP, in place of a password. You must specify either a password or an identity file, but not both. If you specify an identity file, you can also specify a pass phrase with the Passphrase parameter.

On z/OS systems, known hosts files and SSH identity files are stored in EBCDIC format, and on other operating systems they are stored in ASCII format.

-r Passphrase
(Optional) The pass phrase that is used for authentication with SFTP. This parameter is valid only when the SSHIdentityFile parameter is also specified. The pass phrase is used during decryption of the identity file.
-d
(Required for Delete) This parameter deletes completely the resource from the integration node registry.
-f
(Optional) Specify this parameter to process the mqsisetdbparms command only when the integration node itself is stopped.

Authorization

For information about platform-specific authorizations, see the following topics: If you have enabled integration node administration security, you must also set up the authority that is detailed in Tasks and authorizations for administration security.

Ensure that the registry is appropriately secured to prevent unauthorized access.

Examples

CICS connections

Use the mqsisetdbparms command in the following format to associate a user ID and password pair with CICS.
mqsisetdbparms integrationNodeName -n ResourceName -u userID -p password

For example:

mqsisetdbparms IBNODE -n cics::mySecurityIdentity -u myUserID -p myPassword

WebSphere MQ connections

The following example shows how to create a security identity to be used for retrieving user name and password credentials when an MQ node has the Security identity property set tosecurityIdentityName (through either the MQ Connection properties on the node or an MQEndpoint policy):
mqsisetdbparms IBNODE -n mq::securityIdentityName -u username -p password
The following example shows how to configure a user name and password to be used for all local or client connections to a named queue manager, when no security identity name has been specified in the MQ node or MQEndpoint policy:
mqsisetdbparms IBNODE -n mq::QMGR::QMName  -u username -p password
The following example shows how to configure a user name and password for all local or client connections to queue managers, where no security identity name has been set on the MQ node or MQEndpoint policy, and where the queue manager that is being connected to does not match any queue manager names that have been specified using mq::QMGR::QMName:
mqsisetdbparms IBNODE -n mq::MQ  -u username -p password
The following example shows how to set the user name and password for the fixed security identity name pubsubDefault. These credentials are used to connect to an MQ pub/sub broker that the integration node uses to publish its event messages.
mqsisetdbparms IBNODE -n mqtt::pubsubDefault -u myUserID -p myPassword
For more information, see Configuring the publication of event messages.

Data source names

The following example show use of the command for a specific data source name (no Universal Record Identifier (URI) prefix is required for this purpose):

mqsisetdbparms IBNODE -n Database1 -u MQUserId -p password

The following example deletes all the values that are defined for a specific data source name from the integration node registry:

mqsisetdbparms IBNODE -n ClientDB -d
The following example shows how to set up a default user ID and password for the integration node to use for all data source names where no explicit values have been set:
mqsisetdbparms IBNODE -n dsn::DSN -u UserId1 -p password1
The following examples show the use of the additional prefix odbc::. Use this option to set the user ID and password at the integration server level, and at the integration node level:
mqsisetdbparms IBNODE -n odbc::DSN -u myuserid
  -p mypassword
mqsisetdbparms IBNODE -n odbc::DSN::default -u myuserid -p mypassword

Email server connections

Use the mqsisetdbparms command in the following format to associate a user ID and password pair with an email server for the EmailInput node or the EmailServer configurable service to use to retrieve email messages.
mqsisetdbparms integrationNodeName -n ResourceName -u userID -p password

For example:

mqsisetdbparms IBNODE -n smtp::mySecurityIdentityObjectName 
-u myUserID -p myPassword

IBM Sterling Connect:Direct

Use the mqsisetdbparms command in the following format to associate a user ID and password pair with a Connect:Direct server.
mqsisetdbparms integrationNodeName -n ResourceName -u userID -p password

For example:

mqsisetdbparms IBNODE -n cd::default -u mqbroker -p xxxxxxx

JDBC type 4 connections

Use the mqsisetdbparms command to associate a user ID and password pair with a JDBC type 4 connection. The value that you specify for the -n ResourceName must have a prefix of jdbc::, followed by the value that matches the -n securityIdentity property of the associated JDBCProvider configurable service.
mqsisetdbparms integrationNodeName -n resource_name -u userID -p password
For example:
mqsisetdbparms IBNODE -n jdbc::mySecurityIdentity -u myuserid -p secretpw
The following example shows how to set up a default user ID and password for the integration node to use for all JDBC connections for which you have not set specific values:
mqsisetdbparms IBNODE -n jdbc::JDBC -u UserId2 -p password2

JMS and JNDI resource names

The following examples show the use of the command when the URI for a JMS or JNDI resource name is substituted for the -n ResourceName parameter.

For a JMS resource, the URL prefix is "jms::"; for JNDI, the prefix is "jndi::".

On Linux and UNIX systems, if the parameter string includes a backslash (\) character, you must escape from this character by using a second backslash character (\\) when you enter the mqsisetdbparms command.

For example, to specify a user ID of myuserid and password secret for JMS topic connection factory tcf1, use the following syntax:
mqsisetdbparms IBNODE -n jms::tcf1 -u myuserid -p secret
Similarly, to specify the same security for a JNDI initial context com.sun.jndi.fscontext.RefFSContextFactory, enter the following command:
mqsisetdbparms IBNODE -n jndi::com.sun.jndi.fscontext.RefFSContextFactory 
     -u myuserid -p secret

JMS node account names

The preceding examples describe how to configure security for JMS and JNDI resources for all JMS nodes that use those resources in an integration node.

To increase the degree of control that you have in the security of JMS nodes, you can associate a resource with an account name. The account name comprises the message flow name that is concatenated with the node label by using the underscore character (_):
            Message Flow Name_Node label
For example, where the message flow name is MyJMSFlow1, and you require a specific user ID and password for JMSInput node MyJMSInput1, the resulting account name is:
             MyJMSFlow1_MyJMSInput1
You can then specify the account name string in the -n ResourceName parameter on the mqsisetdbparms command by prefixing the account name with the resource type, and concatenating the account name with an at sign (@) character followed by the resource name:
            resource typeaccount name@resource name
Therefore, assuming a JMS resource name of tcf1, used by JMSInput node MyJMSInput1 in message flow MyJMSFlow1, the following resource name is used:
            jms::MyJMSFlow1_MyJMSInput1@tcf1
To specify a user ID of myuserid, a password of secret, and the resource name that is created from the account name, use the following syntax:
mqsisetdbparms IBNODE -n jms::MyJMSFlow1_MyJMSInput1@tcf1
                 -u myuserid -p secret

LDAP servers

Use the mqsisetdbparms command to set up authorization credentials for the LDAP server ldap.mydomain.com:
mqsisetdbparms IBNODE -n ldap::ldap.mydomain.com -u ldapuid -p ********
To set up authorization for other servers, use the command to set up default credentials:
mqsisetdbparms IBNODE -n ldap::LDAP -u ldapother -p ********
If you want the integration node to bind anonymously to an LDAP server, specify the server name and the user ID anonymous:
mqsisetdbparms IBNODE -n ldap::ldap.mydomain2.com -u anonymous -p ********
For the user ID anonymous, the password is always ignored.

MQTT connections

The following example shows how to create a security identity that is used by MQTT nodes that are connecting to a secured MQTT server:
mqsisetdbparms IBNODE -n mqtt::mySecurityIdentity -u myUserID -p myPassword
The MQTTSubscribe or MQTTPublish node that is connecting to a secure MQTT server must have its Security identity property set to the same value that is configured by using this command, so mySecurityIdentity in this example.
The following example shows how to set the user name and password for the fixed security identity name pubsubDefault. These credentials are used to connect to an external MQTT server that the integration node uses to publish its event messages.
mqsisetdbparms IBNODE -n mqtt::pubsubDefault -u myUserID -p myPassword
For more information, see Configuring the publication of event messages.

WebSphere Adapters account names

Use the mqsisetdbparms command in the following format to configure an account name with a user name and password for the WebSphere Adapters.
mqsisetdbparms integrationNodeName -n adapter name	-u user name -p password
For example:
mqsisetdbparms IBNODE 	-n eis::SAPCustomerInbound.inadapter -u sapuid -p ********

IMS connections

Use the mqsisetdbparms command in the following format to associate a user ID and password pair with an IMS Connect connection.
mqsisetdbparms integrationNodeName -n resource_name -u userID -p password

For example:

mqsisetdbparms IBNODE -n ims::mySecurityIdentity -u myuserid -p mypassword

FTP and SFTP server connections

Use the mqsisetdbparms command to associate a user ID and password with an FTP server connection:
mqsisetdbparms IBNODE -n ftp::identityA -u user1 -p MyPassword 
Use the mqsisetdbparms command to associate a user ID and password with an SFTP server connection:
mqsisetdbparms IBNODE -n sftp::identityB -u user2 -p MyPassword 
Use the mqsisetdbparms command to associate a user ID and SSH identity file with an SFTP server connection:
mqsisetdbparms IBNODE -n sftp::identityC -u user3 -i C:\key_rsa_no_pp 
Use the mqsisetdbparms command to associate a user ID, SSH identity file, and pass phrase with an SFTP server connection:
mqsisetdbparms IBNODE -n sftp::identityD -u user4 -i C:\key_rsa_pp -r MyPassPhrase 

Kerberos

Use the mqsisetdbparms command to provide the integration node with the Kerberos client credentials for accessing the Kerberos Key Distribution Center (KDC). These credentials (which are required for SOAPRequest nodes) can also be provided in the integration node properties tree.

To set KDC credentials for a specific realm that is used by SOAPRequest nodes in a specific integration server:
mqsisetdbparms IBNODE -n kerberos::realm1::integrationServerName -u clientId -p ClientPassword 
To set KDC credentials for a specific realm that is used by SOAPRequest nodes in any integration server:
mqsisetdbparms IBNODE -n kerberos::realm1 -u clientId -p ClientPassword 
To set KDC credentials for any realm that is used by SOAPRequest nodes in any integration server:
mqsisetdbparms IBNODE -n kerberos::kerberos -u clientId -p ClientPassword 

WebSphere eXtreme Scale grid connections

Use the mqsisetdbparms command to specify the user name and password to use when you connect to a secure WebSphere eXtreme Scale grid. The name of this identity (in this example, id1) is used by the WXSServer configurable service.

To set the user ID and password for the security identity that is called "id1", use the following command:
mqsisetdbparms IBNODE -n wxs::id1 -u userId -p password

an09155_.htm | Last updated 2015-03-27 19:27:04