Pass encrypted variable to job
Moderators: chulett, rschirm, roy
Pass encrypted variable to job
Hi folks,
Due to non-technical reasons, I am trying to pass the value of an encrypted environment variable to a DataStage job from within a calling sequence. The environment variable name is not known at design time and therefore is not a parameter to the job.
I found an obscure technote that DS is somehow meant to detect if a value supplied as a parameter from a file is encrypted, but I am not sure if this also applies when the value is passed directly. At the moment, the encrypted value is reencrypted and this results in the wrong value being used in the job.
I can easily decrypt DS encrypted values, but it requires manual intervention. Has anyone either manage to pass encrypted values to a job or decrypt the password through code? (Please no "that would defeat the purpose of encryption" posts since DS encryption is not secure; storing the value as unencrypted is also not an option).
Cheers,
A
Due to non-technical reasons, I am trying to pass the value of an encrypted environment variable to a DataStage job from within a calling sequence. The environment variable name is not known at design time and therefore is not a parameter to the job.
I found an obscure technote that DS is somehow meant to detect if a value supplied as a parameter from a file is encrypted, but I am not sure if this also applies when the value is passed directly. At the moment, the encrypted value is reencrypted and this results in the wrong value being used in the job.
I can easily decrypt DS encrypted values, but it requires manual intervention. Has anyone either manage to pass encrypted values to a job or decrypt the password through code? (Please no "that would defeat the purpose of encryption" posts since DS encryption is not secure; storing the value as unencrypted is also not an option).
Cheers,
A
It looks like the encryption in version 11.3 or newer is quite strong. Prior versions used something I would call a weak encoding scheme. I won't call it encryption.
Could you share the technote link? I'm not quite clear on your goals or questions yet. What kind of resolution are you looking for, one that will achieve better security or one that will do the opposite, etc.?
Could you share the technote link? I'm not quite clear on your goals or questions yet. What kind of resolution are you looking for, one that will achieve better security or one that will do the opposite, etc.?
Choose a job you love, and you will never have to work a day in your life. - Confucius
The tech note is at this address http://www-01.ibm.com/support/docview.w ... wg1JR47902 , but I since found out it is only present in v11 (this is the reason why it wasn't working on v9).
I am trying to find a way to duplicate the parameter set functionality (for non-technical reasons that I will not go into).
One way I thought of was to have the parameter set values as environment variables and then have them grouped in a set in some sort of metadata table. It all works, bar this small encryption ... erm ... encoding snag.
I am trying to find a way to duplicate the parameter set functionality (for non-technical reasons that I will not go into).
One way I thought of was to have the parameter set values as environment variables and then have them grouped in a set in some sort of metadata table. It all works, bar this small encryption ... erm ... encoding snag.
I do respect your desire to not divulge the "non-technical reasons", but there's a basic problem I have with all such situations: why would a variable not be known at design time?
How do you know if such a variable is what you need to use (in this case) as an encrypted value? Seems like a lot of extra work to accommodate those "reasons", and while I would easily sympathize with non-technical interference, I'd want to reject it in favor of something that at least remotely conforms with basic design standards.
My sympathy is fully for developers who must try to accommodate, um, ridiculous (a stronger word not used) requirements.
For any singular problem point, my first instinct is to build an isolated process around it to create a reasonable "hook" I can use in code. Would it be possible for you to do something like that, create a process (script, specialized job) along that line?
Good luck.
How do you know if such a variable is what you need to use (in this case) as an encrypted value? Seems like a lot of extra work to accommodate those "reasons", and while I would easily sympathize with non-technical interference, I'd want to reject it in favor of something that at least remotely conforms with basic design standards.
My sympathy is fully for developers who must try to accommodate, um, ridiculous (a stronger word not used) requirements.
For any singular problem point, my first instinct is to build an isolated process around it to create a reasonable "hook" I can use in code. Would it be possible for you to do something like that, create a process (script, specialized job) along that line?
Good luck.
Franklin Evans
"Shared pain is lessened, shared joy increased. Thus do we refute entropy." -- Spider Robinson
Using mainframe data FAQ: viewtopic.php?t=143596 Using CFF FAQ: viewtopic.php?t=157872
"Shared pain is lessened, shared joy increased. Thus do we refute entropy." -- Spider Robinson
Using mainframe data FAQ: viewtopic.php?t=143596 Using CFF FAQ: viewtopic.php?t=157872
Variables are not "known" since I'd need to replicate parameter set functionality without using parameter sets (e.g. a new parameter set value set requires 4 new project variables and the calling sequence cannot be recompiled/ edited - the value is retrieved at run-time from the environment).
The untried resolution would be to install the IBM patch.
The untried resolution would be to install the IBM patch.
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
-
- Participant
- Posts: 54607
- Joined: Wed Oct 23, 2002 10:52 pm
- Location: Sydney, Australia
- Contact:
It picks up the value of the environment variable from the shell. At run time, as Craig noted. You should also investigate the other special values $PROJDEF and $UNSET, to round out your knowledge.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
Thanks - I've used these magic settings ($PROJDEF), but I obviously misunderstood $ENV. Though now I'm equally not sure how to use it.
Inside a job, whether an environment value is retrieved from the shell or project definition is irrelevant, right? So it would only make sense to use whenever changing an environment variable is easier from the shell than from the Admin client which I rarely found to be the case.
Inside a job, whether an environment value is retrieved from the shell or project definition is irrelevant, right? So it would only make sense to use whenever changing an environment variable is easier from the shell than from the Admin client which I rarely found to be the case.
Hi,
Can you use parameter set files?
they can be set with limited access and can be updated as needs be
would that work for you?
Can you use parameter set files?
they can be set with limited access and can be updated as needs be
would that work for you?
Roy R.
Time is money but when you don't have money time is all you can afford.
Search before posting:)
Join the DataStagers team effort at:
http://www.worldcommunitygrid.org
Time is money but when you don't have money time is all you can afford.
Search before posting:)
Join the DataStagers team effort at:
http://www.worldcommunitygrid.org