Posted: Tue Nov 06, 2007 10:48 am
What we did is that the scheduler account is secure with only 2 people having access; the passwords are stored in a file which is chmod 700. This file is sourced in (unencrypted passwords) and in the past the variables were used to pass to dsjob.
But then you could see the password in "ps -ef", so now we write the encrypted password and other params to a temp file and start dsjob with that.
The only people who ever have access to the file with unencrypted passwords are the 2 people with access to the scheduler account (and the system administration people of course :D )
We thought of encrypting passwords but then we hit upon the DataStage password security problem and we never encrypted the passwords ourselves; whatever encryption you would use yourself has the same weakness as the DataStage encryption. It has to work both ways decrypt/encrypt to be able to pass in the password properly.
Regards,
Ogmios
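The "ps -ef" exposure described in the post above, and the temp-file hand-off that avoids it, as an added example that is not part of the original post and not the poster's script. It assumes Linux `/proc`; the secret, the function names and the `sh -c` child standing in for the job launcher are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. The secret, the file name and the "sh -c" child (a stand-in
# for the job launcher) are constructed; no real dsjob options are shown.

# Argument vector of a PID as any local user sees it (what "ps -ef" prints).
visible_argv() { tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline"; }

# Write each parameter on its own line to an owner-only temp file; print its path.
write_param_file() {
    local file
    file=$(umask 077; mktemp "${TMPDIR:-/tmp}/jobparams.XXXXXX") || return 1
    printf '%s\n' "$@" > "$file"
    printf '%s\n' "$file"
}

# Child gets the secret as an argument. Returns 0 if argv exposes it.
leaks_when_passed_as_argument() {
    local secret=$1 pid rc=1 i
    sh -c 'sleep 2; :' child "$secret" >/dev/null 2>&1 &
    pid=$!
    for i in 1 2 3 4 5 6 7 8 9 10; do        # wait for the child to exec
        case "$(visible_argv "$pid")" in *"$secret"*) rc=0; break ;; esac
        sleep 0.1
    done
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    return "$rc"
}

# Child gets only the path of the parameter file. Returns 0 if argv exposes
# the secret, 1 if it does not.
leaks_when_passed_via_file() {
    local secret=$1 file pid rc=1
    file=$(write_param_file "$secret") || return 2
    sh -c 'read -r pw < "$1"; sleep 2; :' child "$file" >/dev/null 2>&1 &
    pid=$!
    sleep 0.5                                 # child has exec'd and read the file
    case "$(visible_argv "$pid")" in *"$secret"*) rc=0 ;; esac
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    rm -f "$file"                             # do not leave the secret on disk
    return "$rc"
}

if [ "${1:-}" = "demo" ]; then
    s='S3cr3t-constructed'
    leaks_when_passed_as_argument "$s" && echo "argument: visible in process list"
    leaks_when_passed_via_file "$s"    || echo "file: not visible in process list"
fi
```

Run it with the argument `demo` to see both cases; only the file path appears in the process list in the second one, so the protection rests on the file's permissions and its removal after use.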