Any way to have DataStage client use an encrypted connection

tonystark622 · Post by **tonystark622** » Thu Feb 10, 2005 9:45 am

I have a requirement for some folks in another city to use our DataStage server to develop and run some jobs using their own data. They are concerned that if they view data in DataStage while developing their jobs, that the data will be exposed on the network connection between our server here and their client workstations in their city. Does anyone know of a way to make the connection between the client and the DataStage server encrypted?

Thanks,
Tony

ArndW · Post by **ArndW** » Thu Feb 10, 2005 10:37 am

Tony,

the IP packets are pretty small (in terms of data-control info) so unless someone specifically sniffs your connection there isn't much to be seen. If someone does look at all the packets on that port then they will get.... DataStage stuff. Not much clear text there to pose a security hole.

The encryption would be at the WAN level and would be transparent to DS; so it would depend upon the WAN connection type and the setup that the two nodes have. Most often if a company has two sites that are connected they will have some sort of security defined that makes it tough for outsiders to snoop/sniff packets (note that I said difficult, not impossible). Making the client-server connection encrypted within datastage is something Ascential engineering would have to do and is probably not going to happen.

tonystark622 · Post by **tonystark622** » Thu Feb 10, 2005 10:59 am

I understand about the difficulty of spying on the data. My customer insists that any data going between our cities be encrypted. We made arrangements with our respective DBA's to encrypt the Oracle connection. this was the only other way that I could think of that any data could be exposed. I suspect that the link between our cities is encrypted, but I can't confirm that, so I was looking for a way to encrypt the link between the DataStage client and the DataStage server.

Thanks for your reply,
Tony

tonystark622 · Post by **tonystark622** » Thu Feb 10, 2005 11:08 am

If someone does look at all the packets on that port then they will get.... DataStage stuff. Not much clear text there to pose a security hole.

I understand that the DataStage client is written in VB or some .NET language. As such, I imagine that they're using conventional classes/objects to transport the data in the ViewData function, such as an ADO Recordset or equivalent. I suspect that the knowledge and/or tools to watch these kinds of data sets be passed on a network connection exists. This is the kind of thing that my customer is concerned about.

Thanks again for your reply. I do appreciate it.

Tony

ArndW · Post by **ArndW** » Thu Feb 10, 2005 11:26 am

Tony,

I find it odd that the customer doesn't just make a secure WAN layer; that can be configured not only at the hardware level for a permanent connection or with a software app if using a public one (and if they use Cisco routers then they need only turn on the encryption). I guess the only procedural method would be to deny remote developers access to the Database, or make them use tables with non-sensitive or randomized data.

tonystark622 · Post by **tonystark622** » Thu Feb 10, 2005 11:41 am

I understand. There are other ramifications, such as if they use a terminal emulator to log into the UNIX box and look at the data while developing the jobs.

And as I said, I suspect that they do have encryption on the links, but they insisted that we encrypt our Oracle connections to ensure that this was secure.

Thanks again,
Tony