Re: Some weirdness on a customer box -- MIDRANGE-L

× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.

Does JDBC use SSL to encrypt transmissions? If not can you do a comm
trace and see what password it's sending? For example, on 5250 without
SSL it's quite easy to trap a password

STRCMNTRC CFGOBJ(LANLINSYS) CFGTYPE(*LIN) MAXSTG(2M)
sign on from another session
ENDCMNTRC CFGOBJ(LANLINSYS) CFGTYPE(*LIN)
PRTCMNTRC CFGOBJ(LANLINSYS) CFGTYPE(*LIN) FMTTCP(*YES)
TCPIPADR('10.10.8.237') SLTPORT(23)
where that is the IP address of my PC and port 23 is telnet.
DSPSPLF FILE(QPCSMPRT) SPLNBR(*LAST)
*............1...ROB...REDACTED

Note: The "human readable" will display the password in upper case, even
if you have a lower case system (yes I have QPWDLVL set to 3, have the
extended password on my signon screen and even get an invalid password
error if I try all caps). If you look at the hex values it will show the
correct case. If you do not have a hex calculator sql does a fine job
with
VALUES X'9985848183A38584'
I think it's a bug.

Basically any kid with a sniffer can easily figure out what passwords are
unless you are using SSL.

Rob Berendt

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.