1

I use VB.net to access an iSeries running IBM7.1 OS. I use the IBMDASQL connection. All works well.

The UserID and Password are in plain text in the connection string. Many of these programs run in batch which means I cannot respond to a prompt to enter a user and password. The IT Audit guys say the Password cannot be in plain text for anyone to hack. The connection string resides in the source of the VB.net program as well as in the App.config file.

Does anyone have a solution to securely access an iSeries without the User / password visible in plain sight? I also want to periodically change the password of the User so I don't want to have to go into each vb.net source program and recompile.

Jim

1 Answer

2

IBM i supports Kerberos authentication...

See this document: "How to Configure the System i Access for Windows OLE DB Providers to Connect Using Kerberos"

You might need to utilise Enterprise Identity Mapping (EIM) to map a Kerberos (i.e. Active Directory) principal to an IBM i user profile.

Otherwise, your only option would be to store a reversibly encrypted username and password that your app can connect with; that's a function of your app not what you are connecting to. This SO post recommends using the ProtectedData class...

One more thing, the user ID on the i should be strictly limited in what it can do to only what it needs to do. If you're connecting with a *SECOFR class user... and you don't need to be, you need to use a different ID. Preferably one created just for this task.

Charles
  • Yep. In short, don't hard-code the userID nor password in the connection string if you don't want them visible in the program code. – user2338816 Mar 07 '16 at 22:58
  • Thanks for your response. In going down the Kerberos road, I want to ensure changing this doesn't affect an i Series Access session sign on. In other words, I want to be able to do my batch or vb.net apps, also SQL 2012 DTS packages which also get data from the iSeries and populate SQL tables. – user6031212 Mar 18 '16 at 18:37
  • Will I be able to do this in a controlled environment? Not affecting other i Series Access log ins? – user6031212 Mar 18 '16 at 18:38
  • IIRC, you can use Kerberos with selected user IDs. So as long as this app has a unique user ID, you should be able to use Kerberos without affecting other log-ins. – Charles Mar 21 '16 at 12:41
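
The ProtectedData route mentioned in the answer, sketched as an added example (not code from the answer or the linked post): the password is kept as a DPAPI-protected blob in a file outside the source and App.config, so rotating it means re-running the store step, not recompiling. The module name, file path, entropy string, host name and user ID are hypothetical placeholders.

```vbnet
Imports System.Data.OleDb
Imports System.IO
Imports System.Security.Cryptography ' ProtectedData; add a reference to System.Security.dll
Imports System.Text

Module IseriesCredentials
    ' Hypothetical location; restrict its NTFS ACL to the account that runs the batch jobs.
    Private Const SecretPath As String = "C:\ProgramData\MyBatchApp\iseries.pwd"
    ' Optional entropy ties the blob to this application; it is not a secret key.
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("MyBatchApp/IBMDASQL")

    ' Run once per password change, logged on as the Windows account that runs the jobs.
    Sub StorePassword(plainPassword As String)
        Dim blob As Byte() = ProtectedData.Protect(Encoding.UTF8.GetBytes(plainPassword), Entropy, DataProtectionScope.CurrentUser)
        Directory.CreateDirectory(Path.GetDirectoryName(SecretPath))
        File.WriteAllText(SecretPath, Convert.ToBase64String(blob))
    End Sub

    ' Throws CryptographicException if the blob was protected by a different Windows account.
    Function LoadPassword() As String
        Dim blob As Byte() = Convert.FromBase64String(File.ReadAllText(SecretPath).Trim())
        Return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser))
    End Function

    ' Builds the connection string at run time so no password sits in source or App.config.
    Function OpenConnection(host As String, userId As String) As OleDbConnection
        Dim csb As New OleDbConnectionStringBuilder()
        csb.Provider = "IBMDASQL"
        csb.DataSource = host
        csb("User ID") = userId
        csb("Password") = LoadPassword()
        Dim conn As New OleDbConnection(csb.ConnectionString)
        conn.Open()
        Return conn
    End Function

    Sub Main(args As String())
        If args.Length = 1 AndAlso args(0) = "--store" Then
            Console.Write("New password: ")
            StorePassword(Console.ReadLine())
            Return
        End If
        ' Unattended batch path: no prompt, password is decrypted from the protected file.
        Using conn = OpenConnection("MYISERIES", "BATCHUSR")
            Console.WriteLine("Connected: " & conn.State.ToString())
        End Using
    End Sub
End Module
```

DPAPI with `CurrentUser` scope keeps the blob unreadable to other Windows accounts, but any code running as the batch account can still decrypt it, so the answer's advice to give the IBM i profile only the authority it needs still applies.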