Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.
Course Of The Month
8 days, 2 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
How to insert decoded password into command line?
Posted on 2012-03-29
Hi.
Is a Windows Server OS 2003/2008.
The problem - a shell scripts (*.BAT/*.CMD files) sometimes contains a string like this:
We need to hide any such "security-sensitive" information from scripts.
Is not allowed to store password in a clear-text in scripts.
Please note: we already have a TXMON.INI file which contains encrypted password. And I can program a simple tool which can decode that password but...
... the question is - how exactly to feed the "DB2 connect ..." command line with a decrypted password?
On UNIX/Linix I know - there is an ability to substitute a part of command line with StdOut from some application (using apostrophe char). So, on Linux it could sounds like this (this example command is not related to db2, is just to show an approach - instead of command enclosed in `` Linux shell inserts StdOut of a command inside a ``):
But I do not know - how to do it on Windows? Is it possible at all?
If yes - how exactly? If not - what other options we may have to solve this?
Note: is not ok to use PowerShell. Is only ok to use standard Windows CMD. Or even better to say - is only ok to use DB2CMD (which is a kind of wrapper over Windows CMD).
Note: is not ok to enforce user to enter password anytime script is running. Because in most cases scripts should run automatically without human assistance.
Note: is not ok to use ""db2 connect ..." command without credentials(!). Because a logged user credentials are not always match a correct database account. But however scripts should still works fine in such cases.
Regards,
Dmitry.
Is a Windows Server OS 2003/2008.
The problem - a shell scripts (*.BAT/*.CMD files) sometimes contains a string like this:
db2 connect MyDbName user MyDbUsername using MyDbPassword
We need to hide any such "security-sensitive" information from scripts.
Is not allowed to store password in a clear-text in scripts.
Please note: we already have a TXMON.INI file which contains encrypted password. And I can program a simple tool which can decode that password but...
... the question is - how exactly to feed the "DB2 connect ..." command line with a decrypted password?
On UNIX/Linix I know - there is an ability to substitute a part of command line with StdOut from some application (using apostrophe char). So, on Linux it could sounds like this (this example command is not related to db2, is just to show an approach - instead of command enclosed in `` Linux shell inserts StdOut of a command inside a ``):
tar cvf - `find ./ -name ?akefile 2>/dev/null` | gzip -9c > backup.tar.gz
But I do not know - how to do it on Windows? Is it possible at all?
If yes - how exactly? If not - what other options we may have to solve this?
Note: is not ok to use PowerShell. Is only ok to use standard Windows CMD. Or even better to say - is only ok to use DB2CMD (which is a kind of wrapper over Windows CMD).
Note: is not ok to enforce user to enter password anytime script is running. Because in most cases scripts should run automatically without human assistance.
Note: is not ok to use ""db2 connect ..." command without credentials(!). Because a logged user credentials are not always match a correct database account. But however scripts should still works fine in such cases.
Regards,
Dmitry.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
5
2
2
9 Comments
I have looked on CPAU tool. Do not like it. It is not convenient for me.
Imagine - what would happen if customer will change password?! It would means that we have to re-encode all the jobs with CPAU tool. That is bad scenario for us.
I would prefer to read & decode password from existing INI file rather than encoding/encrypting lot of jobs with CPAU tool. Read&decode - I can do this with my tool (is just a couple of API calls) but question - how to submit password from a running program into a command line of "DB2 connect ..."?
Another problem with CPAU - it seems does not work. I can create a job file but it fail on job execution. So, I typed commands (as described in CPAU examples):
1st command works fine, 2nd command always do not work. :-\
So, tool is not suitable and is not working.
Please suggest other options.
Imagine - what would happen if customer will change password?! It would means that we have to re-encode all the jobs with CPAU tool. That is bad scenario for us.
I would prefer to read & decode password from existing INI file rather than encoding/encrypting lot of jobs with CPAU tool. Read&decode - I can do this with my tool (is just a couple of API calls) but question - how to submit password from a running program into a command line of "DB2 connect ..."?
Another problem with CPAU - it seems does not work. I can create a job file but it fail on job execution. So, I typed commands (as described in CPAU examples):
cpau -u DOMX\myusername -p myDomainPassword -ex "ConnectDb.bat" -enc -file connect.job
cpau -dec -file connect.job -lwp
1st command works fine, 2nd command always do not work. :-\
So, tool is not suitable and is not working.
Please suggest other options.
Active today
Simple answer "Don't use scripts. Compile a program."
If plain-text scripts are a problem, then they simply should not be used.
Tom
If plain-text scripts are a problem, then they simply should not be used.
Tom
When you call a batch file, you can enter parameters after the command that the batch file refers to as %1, %2, etc.
For example, in the batch file hi.bat, you have following code
if you called it as
you will get
so, maybe you can make program to decrypt password and call db.bat with password as parameter
then, in db.bat there will be
For example, in the batch file hi.bat, you have following code
@echo Hi %1 and welcome!
if you called it as
hi Tom
you will get
Hi Tom and welcome!
so, maybe you can make program to decrypt password and call db.bat with password as parameter
then, in db.bat there will be
db2 connect MyDbName user MyDbUsername using %1
1) The "do not use scripts" is bad option for us. We need it exactly in a form of scripts.
2)
Show the script code please. I want to look on it.
The big problem with your answer is that you did not answered my question - HOW EXACTLY TO RETURN SOMETHING FROM EXE TO USE IN BAT FILE?
I had posted an example from Linux shell script which is showing an approach. I want something similar in Windows.
2)
... so, maybe you can make program to decrypt password and call db.bat with password as parameter ...
Show the script code please. I want to look on it.
The big problem with your answer is that you did not answered my question - HOW EXACTLY TO RETURN SOMETHING FROM EXE TO USE IN BAT FILE?
I had posted an example from Linux shell script which is showing an approach. I want something similar in Windows.
Active today
The problem is that a script can be modified at any time to ECHO a decoded password parameter or any other sensitive information. Unless the script itself is protected from every user that can be a risk, there will not be anything that is hidden.
As long as it is understood that nothing is protected in the script, then a script is fine.
Tom
As long as it is understood that nothing is protected in the script, then a script is fine.
Tom
Ya... but script is the easiest (and cheapest) way to do maintenance.
If not use a script then we have to invest a lot of resources into development of special maintenance application. We could not do it now...
Personnel on site is not so experienced to do ECHO for a password. Also, script file itself could be protected by security settings to disable write access to it. So, in this particular case is ok to still use a script in some places. Only need to hide a clear-text password somehow.
If not use a script then we have to invest a lot of resources into development of special maintenance application. We could not do it now...
Personnel on site is not so experienced to do ECHO for a password. Also, script file itself could be protected by security settings to disable write access to it. So, in this particular case is ok to still use a script in some places. Only need to hide a clear-text password somehow.
Finally I did solved it in a following way:
Write-access to script is denied by installer. Also it script itself is not in a "public" directory. So, I assume that should be enough for my case.
Note: the $(...) parameters are replaced by installed with actual values.
Here is example of encoded password: 2!cf1a8b63~MGBsqB7yZgvagDP
So, it has CRC-value and some random data.
The InstUtil.dll is a my dll with password decoding function.
@echo off
set SW_DbName=$(DbName)
set SW_DbUser=$(DbUser)
set SW_DbPwd=$(DbPasswEncrypted)
set SW_DbPwdId=%TIME:~-2%
rundll32 %~dp0\..\Maintain\InstUtil.dll,SecTxt_DecodePwd
call "%temp%\SWPw%SW_DbPwdId%.bat"
del /f /q "%temp%\SWPw%SW_DbPwdId%.bat"
db2 connect to %SW_DbName% user %SW_DbUser% using %SW_DbPwd%
echo Connected at %DATE%, %TIME%
set SW_DbPwd=
Write-access to script is denied by installer. Also it script itself is not in a "public" directory. So, I assume that should be enough for my case.
Note: the $(...) parameters are replaced by installed with actual values.
Here is example of encoded password: 2!cf1a8b63~MGBsqB7yZgvagDP
So, it has CRC-value and some random data.
The InstUtil.dll is a my dll with password decoding function.
Featured Post
Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Suggested Solutions
| Title | # Comments | Views | Activity |
|---|---|---|---|
| mysql vs miscrosoft sql server | 6 | 55 | |
| Microsoft Access VBA - allocate a colour | 3 | 68 | |
| Filemaker question - Daily Task | 5 | 46 | |
| Access 2003, find all instances of database ODBC | 3 | 45 |
Read about achieving the basic levels of HRIS security in the workplace.
Azure Functions is a solution for easily running small pieces of code, or "functions," in the cloud.
This article shows how to create one of these functions to write directly to Azure Table Storage.
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
- Windows 10
- Microsoft Legacy OS
- Windows 8
- Windows OS
- Windows 7
- Windows Vista, *Windows Explorer, Windows XP, *Internet Explorer (IE), Windows 2000
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
- Windows 10
- Microsoft Legacy OS
- Windows 8
- Windows OS
- Windows 7
- *windows update, *Windows Updates, Windows Vista, Windows XP
Suggested Courses
Course of the Month8 days, 2 hours left to enroll
737 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.