Passwords with runmqsc scripts


This is not a new question, but it has come in again several times in the last few weeks: how best to script MQSC operations where the connection requires a password. Rather than repeat the answer, I’ve put it here for convenience.

Entering passwords for runmqsc

If you are using runmqsc interactively, then you may get a prompt to type in a password before any MQSC commands can be run. This is (almost) always going to be true when using client connections to the queue manager. And it might be true even for local connections.

$ export MQSERVER=SYSTEM.ADMIN.SVRCONN/TCP/localhost
$ runmqsc -c -u metaylor QM1
5724-H72 (C) Copyright IBM Corp. 1994, 2024.
Enter password:
********
Starting MQSC for queue manager QM1.


dis qmgr qmname
     1 : dis qmgr qmname
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)

The scripting problem

What if I want to enter the commands from a repeatable script?

When I’ve been sent this question, it always seems to be prefixed with “We have seen a recommendation to put the password as the first line of the script”. We can build that script easily enough:

$ cat  << EOF > /tmp/my.mqsc
myPassword
DIS QMGR QMNAME
EOF

And then run it:

$ runmqsc -c -u metaylor QM1 < /tmp/my.mqsc
5724-H72 (C) Copyright IBM Corp. 1994, 2024.
Enter password:
Starting MQSC for queue manager QM1.


     1 : DIS QMGR QMNAME
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)

But that’s certainly not my recommendation on how to do it. This approach has some fundamental flaws:

  1. It makes it hard to manage the scripts – any password change has to be reflected in them
  2. The script is tied to the user who is running the script. Maybe not a problem when it’s always running under the same account as part of a controlled (eg devops) environment, but it can be awkward when different people want to run the same scripts against their own queue managers
  3. The password is visible in the file! Anyone who can read the file can see the password.

The solution

The simple way of doing this in a much more secure and controllable fashion is to manage the passwords separately from the MQSC commands. But we can still automate the execution. And we don’t need to use insecure alternatives such as environment variables. (Remember that environment variables might be shown to anyone using the ps command.)

The “trick” is to combine two operations into a single stream using parentheses in the shell environment. Both the password and the real script are sent to the runmqsc stdin stream.

A simple demonstration is:

$ echo "DIS QMGR QMNAME" > /tmp/my.mqsc
$ (echo myPassword; cat /tmp/my.mqsc) | runmqsc -c -u metaylor QM1

or

$ (cat .myPasswordFile;cat /tmp/my.mqsc) | runmqsc -c -u metaylor QM1

The password is not visible to anyone, and it is not in the real MQSC script. I can vary the userid at will, along with the password, without ever needing to edit the script. Remember that echo is usually a shell builtin command so is not forked into a separate process where the parameter might be visible.

Because the password is independent of the MQSC script, you can use any convenient mechanism of your choice to obtain it. Perhaps read it into a local variable in your driving script and then use it in the combined invocation:

pw=`extract password from a vault`
or 
pw=`cat $HOME/.myPasswordFile`

(echo $pw;cat /tmp/my.mqsc) | runmqsc -c -u metaylor QM1
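The following driver script is an added example, not code from the original post. It wraps the subshell-and-pipe technique above in a function, checks that the password file is not group- or world-readable before using it, and always emits the password as exactly one line so a file saved without a trailing newline cannot run into the first MQSC command. The names run_mqsc_script, mq_stream, check_password_file and the MQSC_CMD override variable are all assumptions made for this example; the default command is runmqsc with the same -c and -u arguments used throughout the post.

```shell
#!/bin/sh
# Added example (not from the original post): feed runmqsc its password and
# its MQSC commands as one stdin stream, keeping the password out of the script.
# Assumptions: the password file holds one line and is mode 0600; MQSC_CMD is a
# hypothetical override (defaults to runmqsc) so the stream can be dry-run.
set -eu

# Refuse a password file that other users could read (group or other read bit set).
check_password_file() {
    f=$1
    [ -f "$f" ] || { echo "password file $f not found" >&2; return 1; }
    if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "password file $f is group- or world-readable; refusing" >&2
        return 1
    fi
}

# Emit exactly what runmqsc will read: the password line, then the MQSC script.
# The command substitution strips any trailing newline and printf adds one back,
# so a file saved without a final newline still produces a separate line.
mq_stream() {
    pwfile=$1
    script=$2
    printf '%s\n' "$(head -n 1 "$pwfile")"
    cat "$script"
}

# Usage: run_mqsc_script USERID QMGR PASSWORD_FILE MQSC_SCRIPT
run_mqsc_script() {
    userid=$1
    qmgr=$2
    pwfile=$3
    script=$4
    check_password_file "$pwfile" || return 1
    # Same shape as the post's "(echo myPassword; cat /tmp/my.mqsc) | runmqsc ..."
    mq_stream "$pwfile" "$script" | "${MQSC_CMD:-runmqsc}" -c -u "$userid" "$qmgr"
}

# Run directly as: ./mqrun.sh metaylor QM1 "$HOME/.myPasswordFile" /tmp/my.mqsc
if [ $# -ge 4 ]; then
    run_mqsc_script "$@"
fi
```

The permission check is the part worth keeping even if you restructure the rest: the whole point of separating the password from the MQSC file is lost if the password file itself is readable by everyone on the machine. Setting MQSC_CMD to something like cat lets you inspect the exact stream runmqsc would receive without connecting to a queue manager.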

The same approach can also be used on Windows with a slightly varied syntax. For example:

(echo %PW% && type c:\temp\my.mqsc) | runmqsc -c -u metaylor QM1
