The Retrieve Masked Password tool provides a command to mask a
password (CHGMSKPWD) and a command to retrieve a masked password
(RTVMSKPWD). The password is translated to different characters and
the positions are rearranged within a 256-byte field in the MSKPWDP
file in TAASECURE. The tool may be used for a variety of needs such
as batch functions that require a password.
The function could also be used to provide a menu option for an end
user that runs STRPASTHR (or TELNET). Rather than prompting the
command so the user can enter a password, the command could be
invoked with the password already supplied.
For the best security, keying in the password interactively is the
preferred choice.
A typical example where a password is required in a batch function is
with the use of FTP. If you have a regular FTP job, you might
consider packaging the commands to simplify the usage. FTP requires
that a user profile and a password be entered as an FTP subcommand.
To provide a standard batch function, you typically need a source
member which would contain the subcommands. Attempting to secure
this source member so that no one could see the password can be
difficult or impossible.
Instead of using FTP directly, a better choice would be to use one of
the TAA FTP front end commands:
FTP2
SAVSNDL
SBMSAVSNDL
RSTSNDL
The TAA front end commands make it much simpler to use FTP. All
functions needed including the password are specified as parameters.
The subcommands are generated internally and mask the complexity of
FTP.
A typical program to submit to batch would be:
PGM
SAVSNDL LIB(aaa) RMTSYS(bbb) RMTUSER(ccc)
RMTPWD(ddd)
ENDPGM
This would save the specified library to a save file and transmit it
to the remote system. By default, a save file of the same name as
the library would be placed in the TAAWORK library.
Instead of hard coding your password for the RMTPWD parameter, you
would specify:
PGM
DCL &PASSWORD *CHAR LEN(10)
RTVMSKPWD PASSWORD(&PASSWORD)
SAVSNDL LIB(aaa) RMTSYS(bbb) RMTUSER(ccc)
RMTPWD(&PASSWORD)
ENDPGM
By using RTVMSKPWD, the source may be seen by anyone without giving
your password away.
Because the SAVSNDL command specifies the RMTPWD parameter as
DSPINPUT(*NO), the password will not appear in the job log even if
LOGCLPGM(*YES) is specified for the job.
To use the RTVMSKPWD command, you must have entered the CHGMSKPWD
command. See the section on 'Getting started'.
Using RTVMSKPWD is not as safe as system passwords. However, when
using a TAA FTP command, the approach is considerably safer than
storing a password in a source member. See the later discussion.
Note that the same approach could be used with the system FTP
command, but modifying a subcommand would require significantly more
work.
When a TAA FTP command is used in an interactive job, the subcommands
are generated into a file in QTEMP. The password does not appear.
If a TAA FTP command is used in batch, a spooled file of the
subcommands is output, but it does not contain the password.
You could make the approach more secure by having a unique profile on
the remote system that cannot be signed on to interactively. FTP on
the remote system runs as a batch job, so such a profile still works
for the FTP transfer.
Valid passwords
---------------
Valid passwords must begin with A-Z in the first character and be A-Z
or 0-9 in the 2nd-10th characters. Embedded blanks are not valid.
Note that the special characters # $ @ _ are not valid.
Up to 99 masked passwords per user may be entered. This allows the
same user to communicate with different systems, each of which may
have a different user profile name and password.
The masked passwords must match the intended password use. For
example, if a TAA FTP command is to be used, the password must agree
with what is used on the remote system, but may differ from the
password on the source system.
Object only code for RPG programs
---------------------------------
Because the algorithm used for masking should be secure, the RPG
source for CHGMSKPWD and RTVMSKPWD is not shipped with the TAA
Productivity Tools product. Only the object code is part of the
product. You may request the source by contacting the TAA
Productivity Tools owner if you are the technical representative of
your organization.
Getting started
---------------
Any user may enter the CHGMSKPWD command.
CHGMSKPWD PASSWORD(xxx)
The PASSWORD value will not be seen when entered using the command
prompter, nor will the value appear in the job log.
The PWDNBR parameter defaults to 1. Entering a PWDNBR value allows
the storing of up to 99 masked passwords per user. The appropriate
PWDNBR must be specified when RTVMSKPWD is used.
If no record exists for the user and the PWDNBR value, a new record
is added.
Each time CHGMSKPWD is used with the same PWDNBR value, the
corresponding record in the MSKPWDP file is significantly changed in
the MSCHAR field where the password is masked. This occurs even if
the same password is entered.
To retrieve a masked password, use RTVMSKPWD in a CL program:
DCL &PWD *CHAR LEN(10)
.
RTVMSKPWD PASSWORD(&PWD)
RTVMSKPWD only operates for the current user profile (you can only
retrieve a masked password for your own profile). The optional
PWDNBR parameter defaults to 1 and allows you to retrieve up to 99
masked passwords.
Maintaining the MSKPWDP file
----------------------------
The MSKPWDP file in TAASECURE should be periodically maintained to
remove old records that are no longer needed. The MTNMSKPWD command
is provided which will delete old records that have not been used in
N days.
Note that when a password is added, the update date (MSUPDD) and the
last used date (MSUSED) will be the same.
Writing a secure program
------------------------
The value retrieved by an RTV command will not appear in the job log
even if LOG(4 0 *SECLVL) is specified. You should avoid using a
retrieved password on a command such as SNDPGMMSG, which would write
it to the job log.
If you use the password on a TAA FTP front end command such as
SAVSNDL, the password will not appear in the job log.
For tight security, remove the observability of the program that uses
RTVMSKPWD with the CHGPGM command:
CHGPGM PGM(xxx) RMVOBS(*ALL)
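Putting the batch example and the secure-program guidance together, here is an added example (not code from the TAA Productivity Tools product) of a batch CL program that retrieves masked password number 2, monitors for the TAA9891 escape message that RTVMSKPWD sends when no masked password exists, passes the value only to SAVSNDL, and clears the variable afterwards. MYLIB, RMTSYS1, RMTUSR1 and SAVSND are placeholder names.

```cl
/* Added example, not part of the TAA product: batch save-and-send    */
/* using a masked password instead of a hard-coded RMTPWD value.       */
/* MYLIB, RMTSYS1, RMTUSR1 and SAVSND are placeholders.                */
PGM
   DCL        VAR(&PASSWORD) TYPE(*CHAR) LEN(10)

   /* Retrieve masked password number 2 for the current user.          */
   /* TAA9891 means CHGMSKPWD PWDNBR(2) has not been run by this user.  */
   RTVMSKPWD  PASSWORD(&PASSWORD) PWDNBR(2)
   MONMSG     MSGID(TAA9891) EXEC(DO)
      SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                 MSGDTA('Masked password 2 not set. Run CHGMSKPWD PWDNBR(2)') +
                 MSGTYPE(*ESCAPE)
   ENDDO

   /* The password goes only to RMTPWD, which is DSPINPUT(*NO), so it   */
   /* is not written to the job log even with LOGCLPGM(*YES).           */
   SAVSNDL    LIB(MYLIB) RMTSYS(RMTSYS1) RMTUSER(RMTUSR1) +
                RMTPWD(&PASSWORD)

   /* Clear the variable once it is no longer needed.                   */
   CHGVAR     VAR(&PASSWORD) VALUE(' ')
ENDPGM

/* After compiling, remove observability so the program cannot be      */
/* debugged to read &PASSWORD:                                          */
/*    CHGPGM PGM(MYLIB/SAVSND) RMVOBS(*ALL)                             */
```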
Security considerations
-----------------------
The MSKPWDP file in TAASECURE can be seen by any user with *ALLOBJ
special authority. Determining the user's password from the data in
the MSCHAR field would be very difficult, but not impossible.
The bigger exposure is a user who writes a program that retrieves a
password and runs it under the user profile whose password he wants
to access.
It is recommended that any programs with RTVMSKPWD be changed with
CHGPGM RMVOBS(*ALL) to prevent debugging.
CHGMSKPWD escape messages you can monitor for
----------------------------------------------
None. Escape messages from based-on functions will be re-sent.
RTVMSKPWD escape messages you can monitor for
----------------------------------------------
TAA9891 No masked password exists for the user/PWDNBR
Escape messages from based-on functions will be re-sent.
MTNMSKPWD escape messages you can monitor for
----------------------------------------------
None. Escape messages from based-on functions will be re-sent.
CHGMSKPWD Command parameters *CMD
----------------------------
PASSWORD The password to be masked. It may be up to 10
characters in length and must begin with a letter
A-Z. The 2nd-10th characters must be a letter A-Z
or a number 0-9. Embedded blanks are not allowed.
Note that the special characters # $ @ _ are not
valid.
If no record exists for the current user and PWDNBR
value, a new record is added to the MSKPWDP file in
TAASECURE. If a record already exists, it is
changed.
PWDNBR The password number to be added or changed. The
default is 1. A number from 1-99 may be entered.
RTVMSKPWD Command parameters *CMD
----------------------------
PWDNBR The password number to be retrieved. The default is
1. A number from 1-99 may be entered. A record
must exist in the MSKPWDP file in TAASECURE for the
user and PWDNBR value.
PASSWORD The password to be returned for the current user and
PWDNBR value. This is a required parameter that
must be specified as *CHAR LEN(10).
MTNMSKPWD Command parameters *CMD
----------------------------
RTNDAYS The number of days to retain records for since they
have last been used. The default is 1000 days. A
value between 1 and 9999 may be entered.
Restrictions
------------
The RTVMSKPWD command may only be used in a CL program.
Because the algorithm used for masking should be secure, the tool is
shipped as object code only (no source exists) for the RPG programs.
Prerequisites
-------------
The following TAA Tools must be on your system:
ABORT Abort
ADDDAT2 Add date
CHKALLOBJ Check *ALLOBJ special authority
EDTVAR Edit variable
GENRANNBR Generate random number
RTVDAT Retrieve date
SNDCOMPMSG Send completion message
SNDESCINF Send escape information
SNDESCMSG Send escape message
SNDJLGMSG Send job log message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object      Type    Attribute  Src member  Src file
------      ----    ---------  ----------  ----------
CHGMSKPWD   *CMD               TAASEGQ     QATTCMD
RTVMSKPWD   *CMD               TAASEGQ2    QATTCMD
MTNMSKPWD   *CMD               TAASEGQ2    QATTCMD
TAASEGQC    *PGM    CLP        TAASEGQC    QATTCL
TAASEGQC2   *PGM    CLP        TAASEGQC2   QATTCL
TAASEGQC3   *PGM    CLP        TAASEGQC3   QATTCL
TAASEGQR    *PGM    RPG
TAASEGQR2   *PGM    RPG
TAASEGQP    *FILE   PF         TAASEGQP    QATTDDS
The source for TAASEGQR and TAASEGQR2 is not shipped with the
product.
Structure
---------
CHGMSKPWD        Cmd
   TAASEGQC      CL pgm
      TAASEGQR   RPG Pgm - Object code only
RTVMSKPWD        Cmd
   TAASEGQC2     CL pgm
      TAASEGQR2  RPG Pgm - Object code only
MTNMSKPWD        Cmd
   TAASEGQC3     CL pgm