This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
[ Picked text/plain from multipart/alternative ]

As far as I can tell, (I was not involved in the evolution of the stuff they
are using, but it is an in-house developed verification system that runs
side by side with the As/400 security "don't ask!!!") it verifies the level
of access needed by folks accessing systems from the Web.

It seems that the UID/PW are being passed in clear text from the Web,
exactly how they are planning on getting so many disparate users to all of a
sudden use encrypted data is at the moment beyond me ("I am not a security
guru, I prefer to get things done instead of preventing things from getting

**Real Time Update**

Just grabbed the developer on the fly and it sounds like it is a simple and
internal thing! We are storing the UID/PW in clear text and security wants
us to encrypt it. The only movement will be from the application to the
table and back to the app un-encrypted.

So it sounds like we can do it either on the 400 or it can be passed to the
400 (from VB) already encrypted.

Content-Description: Re: Encryption packages

From: Scott Klement <>
To: "Midrange List (E-mail)" <>
Subject: Re: Encryption packages
Date: Fri, 11 Jan 2002 16:34:34 -0500
X-Plaintext: Picked text/plain from multipart/alternative

[ Picked text/plain from multipart/alternative ]

Hi Howard,

Reading your message, a few things popped into my head:

What exactly are you going to do with the encrypted data?

   a) does an external system need to be able receive your encrypted data
        and decrypt it?
   b) will an external system be sending you encrypted data that you need
        to decrypt?

The reason that I ask is that OS/400 has objects that can be used to
store usernames & passwords in an encrypted format, where all the
encryption work is hidden from your program.  This works great if you
just need a list of userids/passwords that are valid for a certain
resource, but not so well if you need to transfer it over a LAN and
decrypt it somewhere else.

If you do need to transfer it, the AS/400 has an MI instruction called
"CIPHER" which is capable of doing DES encryption.  DES was a great
encryption back in it's day, but by todays standards is pretty weak.
Still, if the security of it isn't REALLY CRITICAL, then this might be
a good option.

On Fri, 11 Jan 2002, Weatherly, Howard wrote:
> I was just asked is we have any encryption packages for the 400, I know
> think this is available as a feature but I can not find the book or pages
> that I read this in.
> Anyone know where I can hunt this information up? and so I can give the
> choices, I posted on the COBOL list for any home grown code, but I could
> also use some input on any packages anyone might have used.
> My understanding is that security wants us to encrypt UID/PWD that we have
> in a external client user verification system, so basically the thing does
> not need to be heavy duty. I am going to surf about and cook up a list of
> possibilities that I can match with any possible Kudos and/or horror
> stories.

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email:
To subscribe, unsubscribe, or change list options,
or email:
Before posting, please take a moment to review the archives

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.