I have a little java program that reads a db2 table via jdbc. This program is invoked via "tso bpxbatch myjavatool".
I wonder if there is the possibility to "pass" the username/password of my TSO user to the JDBC driver?
For example, if I connect to DB2 with a simple REXX script I don't have to specify my username/password again and DB2/RACF checks if my user is allowed to execute the SQLs.
Now my java tool is not running in my TSO address space but under the control of the J9 in the USS address space...
Is there also a way to automatically log in to DB2 with the current TSO user?
I don't know too much about BPXBATCH, but I assume you are still running under your own userid in the USS-address-space.
In your java-code you should be able to get your userid via
String user = System.getProperty("user.name");
As for the password you could try using RACF-Passtickets instead. There is a library IRRRacf.jar in /user/include/java_classes and the corresponding javadoc in IRRRacfDoc.jar in the same directory. the code for generating the Passticket is rather simple:
IRRPassTicket generator = new IRRPassTicket();
String ptkt = generator.generate(user,applid);
then just pass the passticket instead of the password and you should be fine.
Alas, there's several aspects you have to make sure of before using this approach:
Set up RACF to use Passtickets for DB2 - it might already be configured, else you'll have to set up proper profiles in the PTKTDATA-class (See RACF-documentation for more details)
Make sure each user running the code has the proper RACF authorization to use the r_ticketserv callable service (again, see RACF documentation)
Find the correct application-name (applid) for your DB2-system. See the DB2-documentation about using passtickets.
Related
You can set a org.springframework.jdbc.datasource.DriverManagerDataSource user name and password with:
dataSource.setUsername("johnsmith");
dataSource.setPassword("myplaintextpassword");
My question is - if I were to create an object this way, and then examine the memory of the machine this is running on, could I see the plaintext password?
If so, how can one securely create a database connection using a passed in password?
Sure. Create a complete heapdump of the process or JVM and you will be able to see it.
I don't know what operating system your application runs in or if it is standalone or run in container like Tomcat but exactly this is the reason why processes need to be separated.
You have to make sure that the file or JNDI configuration your password is stored in is only accessible by those processes / users that absolutely need access to them. And an additional layer of encryption will help too. There always will be someone (like root on Linux) who can read every process memory but your job is to keep the group of people being able to do this as small as possible.
Perhaps serverfault is a better place for asking or searching details about this. I am sure you can describe your environment (OS, container for your application, ...), try to get help for that setup.
I'm trying to do this:
import groovy.sql.Sql
def sql = Sql.newInstance(
url:'jdbc:sqlserver://localhost\\myDB',
user:'server\user', //this I don't think I need because of SSPI
password:'password',
driver:'com.microsoft.sqlserver.jdbc.SQLServerDriver',
SSPI: 'true'
)
The problem I'm having is that this connection is just timing out. I can ping the machine. I can also connect to the database with Managment Studio logged into my SSPI user (or whatever you call it, I start the Management Studio with a different user)
So I've tried that with my SoapUI as well, started the program as a different user, but I still time out when I initiate the connection. So something is very wrong with my connection string and any help would be appreciated.
P.S. Yes, I don't know what's up with the \ backslashes after the URL to the server, I guess it indicates that it's at the root. If I don't use them I get a message that I'm on the incorrect version.
And then we found the answer..... First of all I had the wrong JDBC driver installed. You need to head over to microsoft to get the real deal:
https://www.microsoft.com/en-us/download/details.aspx?id=11774
Then you need to unpack this one, place the 4 or 4.1 version in your bin directory of SoapUI. (You are apparently supposed to use Lib/Ext, but that doesn't work for me)
Then, since we are trying to use SSPI or Windows Authentication, to connect to the SQL server, you need to place the sqljdbc_auth.dll from the driver/enu/auth folder. This is used in one of your path's or in SoapUI Lib folder. Remember to use the 32 bit dll for 32 bit SoapUI!!! I did not since my system is 64.....
After this, I used this string, but now you have the setup correct, so it should work fine as long as you remember to start SoapUI up using the correct windows user. (Shif-right click - start as different user - use the same user you have started the SQL server with)
Again, I wasn't completely aware of this from the start (yes, total newbie here) and it failed.
Finally, when you have done all this, this is the string that works - and probably a lot of derivatives since the failing part here were the driver and dll.
def sql =Sql.newInstance("jdbc:sqlserver://localhost;Database=myDB;integratedSecurity=true","com.microsoft.sqlserver.jdbc.SQLServerDriver")
what would be the best way to store IBM TAM connection parameters in JAVA? My application is built on JAVA spring and uses TAM for access management. Inorder to connect to IBM TAM i have a java file that gets value from property file which stores the following values application name, configuration url, registry suffix,tam admin username and tam admin paswword.I dont want to store all these values in java code or property file. Please suggest me whether i can store it in the web application server like storing connection strings.
You can use the server certificate within the configuration file. You will always need to specify the configuration file at minimum. It should look something like this:
Locale myLocale = new Locale("ENGLISH", "US");
PDContext myContext = new PDContext(myLocale, configFileURL);
You will need to create your configuration file using svrsslcfg:
java com.tivoli.pd.jcfg.SvrSslCfg -action config
-admin_id sec_master-admin_pwd secpw
-appsvr_id PDPermissionjapp -appsvr_pwd pw -host jsys.myco.com
-mode remote -port 999 -policysvr ampolicy.myco.com:7135:1
-authzsvr amazn.myco.com:7136:1 -cfg_file c:/am/config_file.conf
-key_file c:/am/keystore_file.ks -domain mydomain -cfg_action create
-certrefresh true
Typically in the environment I administer our developers use the PDContext method using the username+password+config file. We have never used the certificate method. I believe if you use the certificate method, the application would connect as the server's user account that is created when you use the svrsslcfg command. That account would need appropriate permissions within TAM to achieve what it needs to.
At the minimum, you will need to specify somewhere to store the configuration URL. I would strongly encourage you not to hard code the value as it limits the administrators that must maintain the application long term. You may also need a place to store the username+password if you decide that you need to connect as specific user and not the server's TAM user account.
Refer to this document for svrsslcfg options to create the configuration file: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/ameb_authJava_guide_pdf.pdf
Look at this reference guide for information on how to use PDContext:
https://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/ameb_AdminJava_guide_pdf.pdf
I'm writing a Ruby script that uses the PG gem to set up a database connection and send files. I'm structuring it to take variables for the hostname, username, database name, and port. In a Shell script I've written to manage some companion tasks, I rely on the password stored in ~/.pgpass instead of having the user enter a password for psql because there are a lot of transactions and sometimes entering the password can fail for no apparent reason (and it sucks entering it in 20 times).
Will PG access the same source when a password isn't explicitly provided? By convention, I've included the password in the file, but since this is being pushed to an internally available repo, I'd prefer not to have that information in my file. I'm trying to test the functionality now, but was wondering if anyone in the SO community knows the answer to this question. If PG doesn't access the .pgpass file, is there a way to reference the variable and write it into the file without prompting the user to enter the password?
Thanks in advance for your help.
Yes, it will use ~/.pgpass just like any interface based on libpq, the C PostgreSQL client library.
However, a good alternative for not having the password in a file is to have it in the PGPASSWORD environment variable. If you set this in a script, it will be inherited by every program it calls.
PGPASSWORD when set will be used as the password for any libpq connection, which means the majority of programs that connect to PostgreSQL.
I connect to a remote sqlserver database using the jdbc service. My apps script has my password and userid. Is there a security risk involved. I ask because javascript is open to inspection; are app-scripts open to users?
What is the best way to get that secure information into an app?
Even hard coded values don't show up in the javascript when rendered by the browser. That is because all the code that you write runs on the server side (except client handlers).
However, if you share a script or spreadsheet with the script with another user, the code is visible to the other user.
You can store your username and password in a spreadsheet that only you have access to and read from there during runtime. However, ensure that the script runs under your id (i.e only published as a web app).
Use the UserProperties service. It's values are only available to you and if you decide to make the application multi-user, you could even direct users to store their unique sql username/password in their own UserProperties.