(1) decompiles a Java class to get the encryption key,

You can obfuscate your class to make decompiling difficult:
https://www.informit.com/guides/content.asp?g=java&seqNum=109&rl=1



Kelly Cookson wrote:

Thanks for the responses. It looks like I have to create a default user profile on the iSeries so my JTOpen classes can have a user ID and password to access the iSeries. I'm thinking about a system that will let me automatically change the default user password on a regular basis.

I'm going to create a Java program on the PeopleSoft server that will:
(1) generate a random string,
(2) update the default user profile password on the iSeries with the random string,
(3) encrypt the random string,
(4) write the encrypted string to an IFS file,
(5) FTP the IFS file to a text file on the PeopleSoft server.

I'm also going to create a Java class called Password that will read the encrypted string from the text file on the PeopleSoft server and decrypt it. My JTOpen classes will always call the Password class to get the password for connecting to the iSeries.

This way I never hardcode passwords into the JTOpen classes. I can change the passwords periodically and automatically. Also, a person cannot get the password from the PeopleSoft server unless that person: (1) decompiles a Java class to get the encryption key, (2) gets the encrypted password from the PeopleSoft text file, and (3) writes a script to decrypt the password. This may not pose a serious challenge to experienced hackers, but it will pose a challenge to most of the people inside our company firewall, where this whole set-up sits.

I will also take your advice and assign *SIGNOFF to the First Menu of the default user profile. That means someone who manages to get the password must still find a way to exploit it through programming.
Any glaring weaknesses that I'm overlooking? Any ideas for improvements?

Thanks,
Kelly
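As an added example (not Kelly's code, and not JTOpen's; the file paths are constructed placeholders), here is the encrypt/decrypt half of that pipeline in plain Java, with the AES key read from a separate permission-restricted file rather than from a constant in the class, so that decompiling the Password class yields no key and the secret's protection rests on file ownership instead. Step (2), changing the profile password on the iSeries, and the FTP step are not shown.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordVault {
    // Placeholder paths (constructed for this example): the key file holds 32 random bytes,
    // base64-encoded, and is created once with mode 0600 owned by the PeopleSoft service account.
    static final Path KEY_FILE = Paths.get("/etc/peoplesoft/jtopen.key");
    static final Path PW_FILE  = Paths.get("/etc/peoplesoft/jtopen.pw");   // ciphertext from the rotation job
    static final SecureRandom RNG = new SecureRandom();

    // Step (1): random password from a cryptographic RNG, restricted to characters the profile accepts.
    static String generatePassword(int length) {
        String alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) sb.append(alphabet.charAt(RNG.nextInt(alphabet.length())));
        return sb.toString();
    }

    // Steps (3)/(4): AES-GCM encrypt with a fresh IV and write "base64(iv):base64(ciphertext)".
    static void storePassword(String password, byte[] key) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        String line = Base64.getEncoder().encodeToString(iv) + ":" + Base64.getEncoder().encodeToString(ct);
        Files.write(PW_FILE, line.getBytes(StandardCharsets.UTF_8));
        Files.setPosixFilePermissions(PW_FILE, PosixFilePermissions.fromString("rw-------"));
    }

    // The Password class: refuse to run if the key file is readable by anyone else, then decrypt.
    static String loadPassword() throws Exception {
        if (!Files.getPosixFilePermissions(KEY_FILE).equals(PosixFilePermissions.fromString("rw-------")))
            throw new IllegalStateException("key file must be readable by the service account only");
        byte[] key = Base64.getDecoder().decode(Files.readAllBytes(KEY_FILE));
        String[] parts = new String(Files.readAllBytes(PW_FILE), StandardCharsets.UTF_8).trim().split(":");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(128, Base64.getDecoder().decode(parts[0])));
        return new String(c.doFinal(Base64.getDecoder().decode(parts[1])), StandardCharsets.UTF_8);  // GCM tag check fails on tampering
    }
}
```

Whoever can read the key file can still decrypt the password file, so the scheme is only as strong as the account separation on the PeopleSoft server; that is the same limit Kelly's point (1) describes, moved from the class file to an OS permission.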


________________________________

From: java400-l-bounces@xxxxxxxxxxxx on behalf of Glenn Holmer
Sent: Tue 10/11/2005 10:35 AM
To: Java Programming on and around the iSeries / AS400
Subject: Re: JTOpen Login from batch programs on a remote server



On Tuesday 11 October 2005 09:45, Ashish Kulkarni wrote:
We had a similar situation. We have created a standard user id and password on AS400; this password does not expire, and for security reasons this user does not have access to the green screen. To achieve this, in the user profile we have defined
First menu  . . . . . . .   *SIGNOFF
This will sign off the user as soon as he logs in from the green screen.

We did this too.

--
____________________________________________________________
Glenn Holmer                          gholmer@xxxxxxxxxxxxxx
Software Engineer                        phone: 414-908-1809
Weyco Group, Inc.                          fax: 414-908-1601
--
This is the Java Programming on and around the iSeries / AS400 (JAVA400-L) 
mailing list
To post a message email: JAVA400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/java400-l
or email: JAVA400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/java400-l.





This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
