mqsisetdbparms command
Use the mqsisetdbparms command to associate a specific user ID and password (or SSH identity file) with one or more resources that are accessed by the broker.
Supported platforms
- Windows
- Linux and UNIX systems
- z/OS®. Run this command by customizing and submitting BIPSDBP.
Purpose
- A CICSConnection configurable service
- An ODBC data source name (DSN) that is accessed from a message flow
- An EmailServer configurable service
- An FtpServer configurable service
- An IMSConnect configurable service
- A JDBCProvider configurable service
- A JMS or JNDI resource, for example a JMSProviders configurable service
- Kerberos Key Distribution Center (KDC) client credentials for SOAPRequest nodes with a WS-Security policy set and bindings that specify Kerberos
- Lightweight Directory Access Protocol (LDAP) bind credentials for the broker security manager
- The Service Federation Manager (SFM) user ID and password credentials to authorize Service Control Management Protocol (SCMP) Atom requests
- An SMTP configurable service
- The broker keystore password
- An account name, with a user name and password, for the WebSphere® Adapters
- A WebSphere Service Registry and Repository (WSRR) configurable service
- A WXSServer configurable service
- SOAPRequest nodes
The user ID and password pair is created in the DSN folder under the broker registry folder.
You can run the mqsisetdbparms command while the broker is running. However, you must stop and start each execution group that uses a particular ResourceName, before that information is read and used by that execution group.
This behavior is different from the default behavior in WebSphere Message Broker Version 6.1 where the broker must be stopped to issue this command.
If you are using the mqsisetdbparms command on Linux or a UNIX console, add an escape character if you use one or more of the reserved characters. For example, you must specify these values:
mqsisetdbparms DUMMYBROKER -n ftp::DUMMYFTP -u dummy\\user -p abcdef
Do not use the following format:
mqsisetdbparms DUMMYBROKER -n ftp::DUMMYFTP -u dummy\user -p abcdef
If you use the latter format, the backslash character (\) in the user ID or password is ignored. The example causes the FTP connection through the FileInput node to fail with incorrect user credentials.
For a full list of reserved characters, and the rules that are associated with those characters when you use quotation marks and escape characters, see the documentation that is supplied with the shell.
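The difference between the two commands above, as an added example that is not part of the product documentation. The function received_by_command is a hypothetical stand-in for mqsisetdbparms that returns its argument exactly as the shell delivers it, and sh_quote is a hypothetical helper that single-quotes a credential so that no escape characters are needed.

```shell
#!/bin/sh
# Added example. received_by_command stands in for mqsisetdbparms:
# it returns its first argument exactly as the shell delivered it.
received_by_command() { printf '%s' "$1"; }

# sh_quote VALUE -> VALUE wrapped in single quotes so that a POSIX shell
# passes it through unchanged. An embedded single quote is written as '\''.
# (Trailing newlines in VALUE are dropped by the command substitution.)
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# roundtrip VALUE -> what a command receives when the quoted form is typed.
roundtrip() { eval "received_by_command $(sh_quote "$1")"; }

# The three ways of typing the user ID from the example above.
unescaped=$(received_by_command dummy\user)   # backslash consumed by the shell
escaped=$(received_by_command dummy\\user)    # one backslash survives
quoted=$(received_by_command 'dummy\user')    # single quotes keep it as typed

printf '%-14s -> %s\n' 'dummy\user'   "$unescaped"
printf '%-14s -> %s\n' 'dummy\\user'  "$escaped"
printf '%-14s -> %s\n' "'dummy\\user'" "$quoted"

# Constructed sample password containing a quote, a backslash and a dollar sign.
sample="p'w\\\$d"
printf 'type as: -p %s\n' "$(sh_quote "$sample")"
```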
To check any credentials that you set by using the mqsisetdbparms command, use the mqsireportdbparms command; see mqsireportdbparms command.
Syntax
Create
Alter
Delete
Parameters
- BrokerName
- (Required) The name of the broker for which settings are to be created, altered, or deleted.
- -n ResourceName or AdapterName
- (Required) This parameter identifies one of the following resources:
- The ODBC data source for which the user ID and password pair are to be created or modified. The ResourceName takes one of the following forms:
- datasource_name
- odbc::datasource_name
- odbc::datasource_name::integrationserver_name
- dsn::DSN (a fixed ResourceName literal used to define default user ID and password values for ODBC connections)
Data source names are used by the following nodes:
- Compute
- Database
- DatabaseRetrieve
- DatabaseRoute
- DataDelete
- DataInsert
- DataUpdate
- Filter
- Mapping
- Warehouse
If you use the same datasource_name to refer to the same database instance from multiple nodes, the same user ID and password pairing is used. To define default values for user ID and password for the integration node to use for all data source names for which you have not set specific values, specify dsn::DSN as the ResourceName. If you migrated the integration node from a previous version, the values that you define on this command replace the values that you set on the mqsicreatebroker or mqsichangebroker commands before migration; the relevant parameters on those commands are deprecated in WebSphere Message Broker Version 8.0.
- The name of the security identity that is used to connect an IBM® Sterling Connect:Direct® CDOutput or node to its Connect:Direct server. The ResourceName takes the form cd::secId, where secId is specified as the value of the security identity property on a CDServer configurable service. Change security identity cd::default to alter the default user ID and password.
- The name of the security identity that is used to authenticate a CICS® Transaction Server for z/OS connection. The ResourceName takes the form cics::secId, where secId is specified as the value of the Security identity property on the CICSRequest node or in the -n securityIdentity property of the associated CICSConnection configurable service.
- The name of the security identity that the EmailInput node or EmailServer configurable service use to authenticate with an email server to retrieve email messages. The ResourceName takes the form email::secId, where secId is specified as the value of the Security identity property on the EmailInput node or in the -n securityIdentity property of the associated EmailServer configurable service.
- The name of the security identity that is used to authenticate a JDBC type 4 connection. The ResourceName takes the form jdbc::secId, where secId is specified as the value of the -n securityIdentity property of the associated JDBCProvider configurable service on the mqsicreateconfigurableservice or mqsichangeproperties command.
Specify jdbc::JDBC to define default values for user ID and password for the broker to use for all JDBC connections for which you have not set specific values.
- The name of the security identity that is used to authenticate a connection to a JMS or JNDI resource. The ResourceName takes the form jms::secId or jndi::secId, where secId is specified as the value.
- The name of the security identity that is used for retrieving client credentials from the Kerberos Key Distribution Center (KDC) by a SOAPRequest node with a policy set and binding specifying Kerberos.
- The name of the security identity that is used to authenticate an LDAP directory.
Specify ldap::<servername> to define credentials for an individual server. If you want the broker to bind anonymously to this server, specify anonymous as the user ID.
Specify ldap::LDAP to define a default setting. The broker uses the specified user ID and password values for all servers that do not have an explicit ldap::<servername> entry. Therefore, all servers that previously used anonymous bind by default start to use the details defined in an ldap::LDAP entry.
- The name of the adapter connection to the external EIS. The AdapterName takes the form eis::adapterName, where adapterName is specified as the value.
- The name of the IMS™ connection. The ResourceName takes the form ims::secId, where secId is the same as the value of the Security identity property on the IMSRequest node or in the -n securityIdentity property of the associated IMSConnect configurable service.
- The name of the security identity that is used to authenticate an SMTP server.
- The name of the security identity that is used to authenticate a connection to an FTP server. The ResourceName takes the form ftp::secId, where secId is specified as the value of the Security identity property of the FileInput or FileOutput node, or in the -n securityIdentity property of the associated FtpServer configurable service on the mqsicreateconfigurableservice or mqsichangeproperties command.
- The name of the security identity that is used to authenticate a connection to an SFTP server. The security identity is used to locate the user name and password or the Secure Shell (SSH) identity file. The ResourceName takes the form sftp::secId, where secId is specified as the value of the Security identity property of the FileInput or FileOutput node, or in the -n securityIdentity property of the associated FtpServer configurable service on the mqsicreateconfigurableservice or mqsichangeproperties command.
- The name of the security identity that is used to authenticate a broker keystore.
- The name of the security identity that is used to authenticate a WSRR configurable service.
- The name of the security identity for SFM. Specify sfm::scmp to define the basic access authentication credentials that must be present in every SCMP Atom request that is received on the SFM HTTP(S) port.
The user ID and password that are configured in this way must match the user ID and password that the SFM console can provide. It is good practice to configure SFM to use SSL when you set basic access authentication.
- The name of the security identity that is used to connect to a secure WebSphere eXtreme Scale grid. The security identity represents a user name and password that is used when you connect to an external grid. The name of this identity is used by the WXSServer configurable service.
- -u UserId or EISUserId
- (Required for Create and adapter connection; Optional for Alter) The user ID to be associated with this resource or EIS.
- -p Password
- (Required for Create, Alter, and adapter connection) The password to be associated with this resource or EIS.
For compatibility with existing systems, you can still specify <password>. However, if you do not specify a password with this parameter when you run the command, you are prompted to enter a password during its invocation, and to enter the password a second time to verify that you have entered it correctly.
On z/OS only, this parameter is optional with the dsn::DSN resource type. If you omit this parameter, the broker uses the started task user ID to connect to DB2®. The broker uses the user ID that you specified with the -u parameter when it constructs fully qualified SQL statements; for example, for stored procedures. If you create fully qualified SQL statements, the broker uses these statements as created.
This parameter is required with the ftp:: resource type, but is optional with the sftp:: resource type. However, if you do not specify a password with an sftp:: resource, you must specify the SSHIdentityFile parameter.
- -i SSHIdentityFile
- (Optional) The name of an identity file, in the OpenSSH format, to be used for authentication with SFTP, in place of a password. You must specify either a password or an identity file, but not both. If you specify an identity file, you can also specify a pass phrase with the Passphrase parameter.
On z/OS systems, known hosts files and SSH identity files are stored in EBCDIC format, and on other operating systems they are stored in ASCII format.
- -r Passphrase
- (Optional) The pass phrase that is used for authentication with SFTP. This parameter is valid only when the SSHIdentityFile parameter is also specified. The pass phrase is used during decryption of the identity file.
- -d
- (Required for Delete) This parameter completely deletes the resource from the broker registry.
- -f
- (Optional) Specify this parameter to process the mqsisetdbparms command only when the broker itself is stopped.
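The effect of defining ldap::LDAP, described under the -n parameter, as an added example that is not product code. It resolves which user ID each server binds with before and after a default entry is added, using the rule stated above (explicit ldap::<servername> entry first, then ldap::LDAP, otherwise anonymous). The entry list is a constructed sample, not mqsireportdbparms output, and ldap.internal.example is a hypothetical server with no entry.

```shell
#!/bin/sh
# Constructed sample: one "ResourceName UserId" pair per line.
ENTRIES='ldap::ldap.mydomain.com ldapuid
ldap::ldap.mydomain2.com anonymous'

# resolve_bind ENTRIES SERVER -> user ID used to bind to SERVER.
resolve_bind() {
    entries=$1 server=$2
    # 1. An explicit ldap::<servername> entry wins.
    user=$(printf '%s\n' "$entries" |
        awk -v k="ldap::$server" '$1 == k { print $2; exit }')
    # 2. Otherwise the ldap::LDAP default applies, if one is defined.
    [ -n "$user" ] || user=$(printf '%s\n' "$entries" |
        awk '$1 == "ldap::LDAP" { print $2; exit }')
    # 3. With neither entry the bind is anonymous.
    printf '%s' "${user:-anonymous}"
}

# changed_by_default ENTRIES DEFAULT_USER SERVER...
# Lists the servers whose bind identity changes once
# "ldap::LDAP DEFAULT_USER" is added to ENTRIES.
changed_by_default() {
    entries=$1 default_user=$2
    shift 2
    with_default=$(printf '%s\nldap::LDAP %s' "$entries" "$default_user")
    for s in "$@"; do
        before=$(resolve_bind "$entries" "$s")
        after=$(resolve_bind "$with_default" "$s")
        [ "$before" = "$after" ] || printf '%s: %s -> %s\n' "$s" "$before" "$after"
    done
}

# Review the impact before running: mqsisetdbparms ... -n ldap::LDAP -u ldapother
changed_by_default "$ENTRIES" ldapother \
    ldap.mydomain.com ldap.mydomain2.com ldap.internal.example
```

A server that must keep binding anonymously needs its own ldap::<servername> entry with the user ID anonymous before the default is defined, as ldap.mydomain2.com has here.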
Authorization
- Security requirements for Linux and UNIX platforms
- Security requirements for Windows systems
- Security requirements for z/OS
Ensure that the registry is appropriately secured to prevent unauthorized access.
Examples
CICS connections
mqsisetdbparms broker name -n ResourceName -u userID -p password
For example:
mqsisetdbparms MB8BROKER -n cics::mySecurityIdentity -u myUserID -p myPassword
ODBC Data source names
The following example shows the use of the command to associate a user ID and password with a specific ODBC data source name (no Universal Record Identifier (URI) prefix is required):
mqsisetdbparms MB8BROKER -n USERDB1 -u myuserid1 -p mypassword1
The following examples show the use of the optional prefix odbc::. Use this option to set the user ID and password for an ODBC data source at either the broker level, or at the execution group level:
mqsisetdbparms MB8BROKER -n odbc::USERDB2 -u myuserid2 -p mypassword2
mqsisetdbparms MB8BROKER -n odbc::USERDB2::myExecutionGroup -u myuserid3 -p mypassword3
The following example shows how to set up a default user ID and password for the broker to use for all ODBC data source names where no explicit Resource Names were set:
mqsisetdbparms MB8BROKER -n dsn::DSN -u myuserid4 -p mypassword4
The following examples delete all the values that are defined for specific resource names from the broker registry:
mqsisetdbparms MB8BROKER -n USERDB1 -d
mqsisetdbparms MB8BROKER -n odbc::USERDB2 -d
mqsisetdbparms MB8BROKER -n odbc::USERDB2::myExecutionGroup -d
Email server connections
mqsisetdbparms broker name -n ResourceName -u userID -p password
For example:
mqsisetdbparms MB8BROKER -n email::mySecurityIdentityObjectName -u myUserID -p myPassword
IBM Sterling Connect:Direct
mqsisetdbparms broker name -n ResourceName -u userID -p password
For example:
mqsisetdbparms MB8BROKER -n cd::default -u mqbroker -p xxxxxxx
JDBC type 4 connections
mqsisetdbparms broker name -n resource_name -u userID -p password
For example:
mqsisetdbparms MB8BROKER -n jdbc::mySecurityIdentity -u myuserid -p secretpw
mqsisetdbparms MB8BROKER -n jdbc::JDBC -u UserId2 -p password2
JMS and JNDI resource names
The following examples show the use of the command when the URI for a JMS or JNDI resource name is substituted for the -n ResourceName parameter.
For a JMS resource, the URL prefix is "jms::"; for JNDI, the prefix is "jndi::".
On Linux and UNIX systems, if the parameter string includes a backslash (\) character, you must escape this character by using a second backslash character (\\) when you enter the mqsisetdbparms command.
mqsisetdbparms MB8BROKER -n jms::tcf1 -u myuserid -p secret
mqsisetdbparms MB8BROKER -n jndi::com.sun.jndi.fscontext.RefFSContextFactory -u myuserid -p secret
JMS node account names
The preceding examples describe how to configure security for JMS and JNDI resources for all JMS nodes that use those resources in a broker.
Message Flow Name_Node label
MyJMSFlow1_MyJMSInput1
resource typeaccount name@resource name
jms::MyJMSFlow1_MyJMSInput1@tcf1
mqsisetdbparms MB8BROKER -n jms::MyJMSFlow1_MyJMSInput1@tcf1 -u myuserid -p secret
LDAP servers
mqsisetdbparms MB8BROKER -n ldap::ldap.mydomain.com -u ldapuid -p ********
To set up authorization for other servers, use the command to set up default credentials:
mqsisetdbparms MB8BROKER -n ldap::LDAP -u ldapother -p ********
If you want the broker to bind anonymously to an LDAP server, specify the server name and the user ID anonymous:
mqsisetdbparms MB8BROKER -n ldap::ldap.mydomain2.com -u anonymous -p ********
For the user ID anonymous, the password is always ignored.
WebSphere Adapters account names
mqsisetdbparms broker name -n adapter name -u user name -p password
For example:
mqsisetdbparms MB8BROKER -n eis::SAPCustomerInbound.inadapter -u sapuid -p ********
mqsisetdbparms MB8BROKER -n eis::TwineballInbound.inadapter -u mqbroker -p ********
IMS connections
mqsisetdbparms broker name -n resource_name -u userID -p password
For example:
mqsisetdbparms MB8BROKER -n ims::mySecurityIdentity -u myuserid -p mypassword
FTP and SFTP server connections
mqsisetdbparms MB8BROKER -n ftp::identityA -u user1 -p MyPassword
mqsisetdbparms MB8BROKER -n sftp::identityB -u user2 -p MyPassword
mqsisetdbparms MB8BROKER -n sftp::identityC -u user3 -i C:\key_rsa_no_pp
mqsisetdbparms MB8BROKER -n sftp::identityD -u user4 -i C:\key_rsa_pp -r MyPassPhrase
Service Federation Management
mqsisetdbparms MB8BROKER -n sfm::scmp -u user1 -p MyPassword
mqsisetdbparms MB8BROKER -n sfm::scmp -d
Kerberos
Use the mqsisetdbparms command to provide the broker with the Kerberos client credentials for accessing the Kerberos Key Distribution Center (KDC). These credentials (which are required for SOAPRequest nodes) can also be provided in the broker properties tree.
mqsisetdbparms MB8BROKER -n kerberos::realm1::ExecutionGroup1 -u clientId -p ClientPassword
mqsisetdbparms MB8BROKER -n kerberos::realm1 -u clientId -p ClientPassword
mqsisetdbparms MB8BROKER -n kerberos::kerberos -u clientId -p ClientPassword
WebSphere eXtreme Scale grid connections
Use the mqsisetdbparms command to specify the user name and password to use when you connect to a secure WebSphere eXtreme Scale grid. The name of this identity (in this example, id1) is used by the WXSServer configurable service.
mqsisetdbparms MB8BROKER -n wxs::id1 -u userId -p password