Thanks David, will look into it.
Dilip Nair
From: JAVA400-L <java400-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of David Gibbs via JAVA400-L
Sent: Tuesday, August 20, 2024 3:51 PM
To: Java Programming on and around the IBM i <java400-l@xxxxxxxxxxxxxxxxxx>
Cc: David Gibbs <david@xxxxxxxxxxxx>
Subject: [EXTERNAL] Re: AS400 Object
On Aug 20, 2024, at 9:14 AM, Nair, Dilip <Dilip.Nair@xxxxxxxxxxxxxxx> wrote:
> We are currently using AS400 object to validate user profiles and invoke RPG programs from Java.
> User and password to create the object is hardcoded in the program.
> Looking for ideas on how to secure the password rather than hardcoding it in the program.
I’ve never used this technique, but it was something I looked at when I was working on Implementer.
Take a look at profile tokens … IIRC, you can generate it once and reuse it, as long as you use it at least once within its expiration time limit.
https://javadoc.midrange.com/jtopen/com/ibm/as400/access/AS400.html#getProfileToken(java.lang.String,%20char%5B%5D,%20int,%20int)
You can store the token in a serialized form.
This does require that you ask the user for a password once per session though.
Another thing I looked at is using the Windows keystore to get an encryption key.
Something you might want to consider is creating a server job that runs on the host to invoke the application on behalf of the user requesting it. You could use the user profile handle switching APIs to switch users.
You’ll need to implement your own security mechanism to prevent unauthorized use.
david
--
This is the Java Programming on and around the IBM i (JAVA400-L) mailing list
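The profile-token approach suggested in the reply above, written out as an added example (not code from the thread or from the JTOpen project): the password is read once at run time instead of being compiled in, exchanged for a token, and the token is what later connections use. It assumes a JTOpen release that has the `getProfileToken(String, char[], int, int)` overload linked above; the host and user arguments and the program path `/QSYS.LIB/MYLIB.LIB/MYPGM.PGM` are placeholders.

```java
import com.ibm.as400.access.AS400;
import com.ibm.as400.access.AS400Message;
import com.ibm.as400.access.ProgramCall;
import com.ibm.as400.access.ProgramParameter;
import com.ibm.as400.security.auth.ProfileTokenCredential;
import java.io.Console;
import java.util.Arrays;

public class ProfileTokenLogin {
    // Placeholder path (assumption): replace with the RPG program to call.
    private static final String PROGRAM = "/QSYS.LIB/MYLIB.LIB/MYPGM.PGM";

    public static void main(String[] args) throws Exception {
        String host = args[0];   // assumption: IBM i host name passed on the command line
        String user = args[1];   // assumption: user profile name passed on the command line

        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("No interactive console; cannot prompt for a password");
        }
        // Prompt once per session; nothing is stored in source or configuration.
        char[] password = console.readPassword("Password for %s: ", user);

        AS400 signon = new AS400(host);
        signon.setGuiAvailable(false);   // fail instead of opening a sign-on dialog
        ProfileTokenCredential token;
        try {
            // Renewable, multiple-use token; 3600 seconds is the maximum timeout.
            token = signon.getProfileToken(user, password,
                    ProfileTokenCredential.TYPE_MULTIPLE_USE_RENEWABLE, 3600);
        } finally {
            Arrays.fill(password, '\0');   // wipe the password as soon as the token exists
        }

        // From here on only the token is presented to the host.
        AS400 system = new AS400(host, token);
        try {
            ProgramCall call = new ProgramCall(system, PROGRAM, new ProgramParameter[0]);
            if (!call.run()) {
                for (AS400Message m : call.getMessageList()) {
                    System.err.println(m.getID() + ": " + m.getText());
                }
            }
        } finally {
            system.disconnectAllServices();
            signon.disconnectAllServices();
        }
    }
}
```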