How to avoid hardcoding credentials inside a COBOL program?

I have the following code to connect to an external DB inside a COBOL program:

MOVE 'I2SFG04'  TO WK-USER
MOVE '12345'    TO WK-PASS

EXEC SQL 
    CONNECT TO :WK-EXT-MACHINE 
    USER :WK-USER 
    USING :WK-PASS
END-EXEC.

But as you can guess, I don't want to hardcode the user and pass within the COBOL program. So is there a secure way to store them so anyone who has access to view the COBOL program can't see the credentials?

My first approach was to create a file (RACF protected) with the SYSIN content, so the COBOL program can load it up, but it won't be displayed in the source code. Something like this:

//STEP001  EXEC PGM=IKJEFT01
//STEPLIB  DD DSN=I2SJR04.SYS.DBRMLIB,DISP=SHR
//SYSIN    DD DSN=EF35.PRIVATE.DB.LOGIN,DISP=SHR
//SYSOUT   DD SYSOUT=*
//SYSTSIN  DD *
    DSN SYSTEM(SSID)
    RUN PROGRAM(MYCOBB) PLAN(PLANNAME) -
    LIB('I2SJR04.SYS.LOADLIB')
    END
/*

Content of EF35.PRIVATE.DB.LOGIN file:

I2SFG04
12345

Is there a better way to handle this kind of situation?

mllamazares asked May 13 '18 15:05
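As an added example (not code from the original question), here is the COBOL side of the approach the question sketches: the user ID and password are read at run time from the RACF-protected dataset allocated to DD SYSIN, so neither value appears in the source or the load module. The program name MYCOBB and the host variables WK-EXT-MACHINE, WK-USER and WK-PASS come from the question; the PICTURE clauses, the location name value, the empty-record check, the SQLCODE handling and the clearing of the password after CONNECT are assumptions made for this example.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. MYCOBB.
      *----------------------------------------------------------------
      * Added example: no credentials are coded here. They are read
      * from the dataset allocated to DD SYSIN (EF35.PRIVATE.DB.LOGIN
      * in the question's JCL). In IBM Enterprise COBOL an ACCEPT
      * with no FROM clause reads the next 80-byte record from SYSIN.
      * Record 1 of that dataset = user ID, record 2 = password.
      *----------------------------------------------------------------
       DATA DIVISION.
       WORKING-STORAGE SECTION.
           EXEC SQL INCLUDE SQLCA END-EXEC.
      * Remote DB2 location name; the VALUE is an assumed placeholder.
       01  WK-EXT-MACHINE        PIC X(16) VALUE 'REMOTEDB'.
      * Assumed lengths: 8-byte user ID and password. A longer SYSIN
      * record is truncated on the right to the PIC length.
       01  WK-USER               PIC X(8).
       01  WK-PASS               PIC X(8).
       01  WK-SQLCODE-DISP       PIC -(9)9.

       PROCEDURE DIVISION.
       0000-MAIN.
      * Read the two credential records from SYSIN.
           MOVE SPACES TO WK-USER WK-PASS
           ACCEPT WK-USER
           ACCEPT WK-PASS
      * Fail fast if the protected dataset was empty or not allocated.
           IF WK-USER = SPACES OR WK-PASS = SPACES
               DISPLAY 'MYCOBB: SYSIN CREDENTIAL RECORDS MISSING'
               MOVE 12 TO RETURN-CODE
               GOBACK
           END-IF

           EXEC SQL
               CONNECT TO :WK-EXT-MACHINE
               USER :WK-USER
               USING :WK-PASS
           END-EXEC

      * The password is not needed after CONNECT, so overwrite it
      * rather than leave it in WORKING-STORAGE for the life of the
      * job (where a SYSUDUMP or SYSMDUMP would capture it).
           MOVE SPACES TO WK-PASS

           IF SQLCODE NOT = 0
               MOVE SQLCODE TO WK-SQLCODE-DISP
               DISPLAY 'MYCOBB: CONNECT FAILED, SQLCODE='
                       WK-SQLCODE-DISP
               MOVE 12 TO RETURN-CODE
               GOBACK
           END-IF

      * ... application SQL against the remote server goes here ...

           EXEC SQL CONNECT RESET END-EXEC
           GOBACK.
```

With this layout the only things that need RACF protection are the credential dataset and, as MikeT notes below, the load library the program is linked into; the source itself can be read by anyone without exposing the password. The answers below describe why fetching the password from the security product, or running under the job's own identity, is preferable to a credential file at all.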


3 Answers

A more sophisticated and secure solution would be to write a short assembler program that fetches the user and password from the security system (RACF, ACF2, Top Secret) itself.

Here's a narrative if you have the IBM RACF product as your security product: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.ichd100/passret.htm

What this approach does is put the logic of whether to allow the password to be fetched in the hands of the security administrator, rather than the programmer. You can show the world your source code, but if the security system doesn't grant access to the credentials, it doesn't matter what a user can see. Plus, this type of thing can usually be audited, so you can pretty easily get a complete list of every time the user/password was referenced.

Valerie R answered Sep 18 '22 23:09


If it's an IBM z/OS mainframe you do not need to supply any credentials.

Your connect will use the user-id of the running job.

You just need to tell your DBA the JCL user ID the job will run under -- he will then grant access to the plan you are using.

James Anderson answered Sep 21 '22 23:09


The only pitfall I can see would be if someone were to recode and recompile the program to, say, output the details.

So perhaps you could take the additional step of using a RACF protected program library into which the program is compiled.

MikeT answered Sep 20 '22 23:09