Mapping credentials for a file server using the ProtocolBridgeCredentials.xml file

Map user credentials in WebSphere® MQ File Transfer Edition to user credentials on the file server by using the default credential mapping function of the protocol bridge agent. WebSphere MQ File Transfer Edition provides an XML file that you can edit to include your credential information.

About this task

The fteCreateBridgeAgent command creates the file ProtocolBridgeCredentials.xml in the agent configuration directory configuration_directory/coordination_queue_manager/agents/bridge_agent_name. Before you can use a protocol bridge agent, set up credential mapping by editing this file to include host, user, and credential information.

When you create the ProtocolBridgeCredentials.xml file on a z/OS® platform, you must set a file tag before you edit the file. Run the following command to mark the file as having ASCII contents:
chtag -t -c ISO8859-1 ProtocolBridgeCredentials.xml

Procedure

  1. Identify the protocol file server in the file:
    • If you are using Version 7.0.4 or earlier, edit the line <tns:serverHost name="file protocol server host"> to change the value of the name attribute to the host name or IP address of the system hosting the protocol file server. This value must be the same value that you specify for the fteCreateBridgeAgent -bh parameter.
    • If you are using Version 7.0.4.1 or later with the new function enabled, edit the line <tns:server name="server name"> to change the value of the name attribute to the server name in the ProtocolBridgeProperties.xml file. This value must be the same value that you specify for the fteCreateBridgeAgent -bh parameter.

      Protocol bridge agents created for Version 7.0.4 and earlier do not have a ProtocolBridgeProperties.xml file (or related user exits), so for Version 7.0.4.1 and later the server name is automatically assigned the server's host name. Therefore, if you use an updated ProtocolBridgeCredentials.xml file with <server> entries, a name corresponding to the server's host name will match.

      You can use the pattern attribute to specify that you have used a server name containing wildcards or regular expressions. For example:
      <tns:server name="serverA*" pattern="wildcard">
  2. Insert user ID and credential information into the file as child elements of <tns:serverHost> for Version 7.0.4 and earlier, and <tns:server> for Version 7.0.4.1 and later. You can insert one or many of the following elements into the file:
    • If the protocol file server is an FTP, FTPS, or SFTP server you can use passwords to authenticate the user requesting the transfer. Insert the following lines into the file:
      <tns:user name="FTE User ID" serverUserId="Server User ID" serverPassword="Server Password">
      </tns:user>
      Then change the value of the attributes:
      • name is a Java™ regular expression to match the MQMD user ID associated with the WMQFTE transfer request
      • serverUserId is the value passed to the protocol file server as the login user ID. If the serverUserId attribute is not specified, the MQMD user ID associated with the WMQFTE transfer request is used instead
      • serverPassword is the password associated with the serverUserId

      The name attribute can contain a Java regular expression. The credential mapper attempts to match the MQMD user ID of the WMQFTE transfer request to this regular expression. The protocol bridge agent attempts to match the MQMD user ID to the regular expression in the name attribute of the <tns:user> elements in the order that the elements exist in the file. When a match has been found the protocol bridge agent does not look for additional matches. If a match is found, the corresponding serverUserId and serverPassword values are passed to the protocol file server as the login user ID and password. The MQMD user ID matches are case-sensitive.

    • If the protocol file server is an SFTP server you can use public and private keys to authenticate the user requesting the transfer. Insert the following lines into the file and change the value of the attributes. The <tns:user> element can contain one or many <tns:privateKey> elements.
      <tns:user name="FTE User ID" serverUserId="Server User ID" hostKey="Host Key">
          <tns:privateKey associationName="association" keyPassword="Private key password">
              Private key file text
          </tns:privateKey>
      </tns:user>
      • name is a Java regular expression to match the MQMD user ID associated with the WMQFTE transfer request
      • serverUserId is the value passed to the protocol file server as the login user ID. If the serverUserId attribute is not specified, the MQMD user ID associated with the WMQFTE transfer request is used instead
      • hostKey is the expected key returned from the server when logging on
      • key is the private key of the serverUserId, supplied as the text content of the <tns:privateKey> element
      • keyPassword is the password for the private key, which is needed to generate the public key from it
      • associationName is a value that identifies the key for trace and logging purposes
      The name attribute can contain a Java regular expression. The credential mapper attempts to match the MQMD user ID of the WMQFTE transfer request to this regular expression. The protocol bridge agent attempts to match the MQMD user ID to the regular expression in the name attribute of the <tns:user> elements in the order that the elements exist in the file. When a match has been found the protocol bridge agent does not look for additional matches. If a match is found, the corresponding serverUserId and key values are used to authenticate the WMQFTE user with the protocol file server. The MQMD user ID matches are case-sensitive.

      For more information about using private keys with a protocol bridge agent, see Example: How to configure a protocol bridge agent to use private key credentials with a UNIX SFTP server.

    Note:

    When the transfer request is written to the command queue, the MQMD user ID might be converted to uppercase if the source agent command queue is on a z/OS or IBM® i system. As a result the MQMD user ID for the same originating user might arrive at the credentials exit in the original case or converted to uppercase depending on the source agent specified in the transfer request. The default credential mapping exit performs case-sensitive matches against the supplied MQMD user ID, which you might need to allow for in the mapping file.
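As an added example that is not part of the IBM documentation, the following Python script parses a constructed ProtocolBridgeCredentials.xml fragment and applies the first-match, case-sensitive lookup described above, flagging both an MQMD user ID that arrives uppercased (the z/OS and IBM i case in the note) and entries that an earlier pattern shadows. The root element name and namespace URI are placeholders, and Python's re module stands in for Java regular expressions, assumed here to require a full-string match.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample credentials file (not from the product); the root element
# name and namespace URI are placeholders, since the page does not state them.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tns:credentials xmlns:tns="urn:placeholder:ProtocolBridgeCredentials">
  <tns:server name="ftpserver.example.com">
    <tns:user name="fteuser" serverUserId="ftpuser1" serverPassword="constructed-pw"/>
    <tns:user name="batch.*" serverUserId="batchsvc" serverPassword="constructed-pw2"/>
    <tns:user name="batchprod" serverUserId="batchprod" serverPassword="constructed-pw3"/>
  </tns:server>
</tns:credentials>"""


def local(tag):
    """Strip the namespace from an element tag so the tns: prefix does not matter."""
    return tag.rsplit('}', 1)[-1]


def load_users(xml_text, server_name):
    """Return the <tns:user> attribute sets of one server, in file order."""
    root = ET.fromstring(xml_text)
    for server in root:
        # <tns:serverHost> (7.0.4 and earlier) or <tns:server> (7.0.4.1 and later)
        if local(server.tag) in ("server", "serverHost") and server.get("name") == server_name:
            return [u.attrib for u in server if local(u.tag) == "user"]
    return []


def map_user(users, mqmd_user_id):
    """First matching entry wins; matching is case-sensitive (Python re is
    assumed to behave like a full-string Java regex match here)."""
    for user in users:
        if re.fullmatch(user["name"], mqmd_user_id):
            # A missing serverUserId means the MQMD user ID is passed through.
            return user.get("serverUserId", mqmd_user_id)
    return None


def shadowed_entries(users):
    """Entries whose name is already matched by an earlier pattern can never be
    selected, which is a common mistake in a file where order decides."""
    return [u["name"] for i, u in enumerate(users)
            if any(re.fullmatch(p["name"], u["name"]) for p in users[:i])]


if __name__ == "__main__":
    users = load_users(SAMPLE_XML, "ftpserver.example.com")
    print(map_user(users, "fteuser"))   # ftpuser1
    print(map_user(users, "FTEUSER"))   # None: ID uppercased by a z/OS or IBM i command queue
    print(shadowed_entries(users))      # ['batchprod'] is hidden behind 'batch.*'
```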


Last updated: Tuesday, 30 January 2018
http://www.ibm.com/support/knowledgecenter/SSEP7X_7.0.4/com.ibm.wmqfte.doc/protocol_bridge_credentials_file.htm