| Author |
Message
|
| Sosed |
 Posted: Tue Jan 15, 2013 3:16 am Post subject: |
 |
|
Apprentice
Joined: 24 Aug 2012
Posts: 43
|
| dominik.schweers wrote: |
On Solaris I found these settings in the filesystem. I don't remember exactly, sorry. I think it was something like
/var/mqsi/registry/<brokername>/DSN/
After DSN there are directories for every Database Alias with special settings. Perhaps you should look for this in your filesystem. Maybe on Windows the Windows Registry is used? |
Hello, everybody.
WMB 7.0.0.2 on RHEL. I have found this values at /var/mqsi/registry/<brokername>/CurrentVersion/DSN. User name stores in plane text. Password is encrypted. What kind of encription is it? |
|
| Back to top |
|
 |
| mqjeff |
| Posted: Tue Jan 15, 2013 3:21 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| Sosed wrote: |
| dominik.schweers wrote: |
On Solaris I found these settings in the filesystem. I don't remember exactly, sorry. I think it was something like
/var/mqsi/registry/<brokername>/DSN/
After DSN there are directories for every Database Alias with special settings. Perhaps you should look for this in your filesystem. Maybe on Windows the Windows Registry is used? |
Hello, everybody.
WMB 7.0.0.2 on RHEL. I have found this values at /var/mqsi/registry/<brokername>/CurrentVersion/DSN. User name stores in plane text. Password is encrypted. What kind of encription is it? |
It's not encrypted.
It's obfuscated.
Don't read these files.
Don't try and recover passwords from these files.
Don't rely on these files to provide the only layer of security on this password. Make sure the system is providing os-layer security on who can log in and who can access these files to the appropriate users.
And UPGRADE TO A NEWER FIXPACK. |
|
| Back to top |
|
|
| Sosed |
| Posted: Tue Jan 15, 2013 9:45 pm Post subject: |
|
|
Apprentice
Joined: 24 Aug 2012
Posts: 43
|
mqjeff, thanks for your reply 
| mqjeff wrote: |
Don't try and recover passwords from these files.
|
I don't need to recover password, I want to prevent it's recovery.
| mqjeff wrote: |
It's obfuscated.
|
Does it described at IBM official materials? I have not found something about obfuscation for mqsisetdbparms command.
I have found this information: for security profiles password (If OBFUSCATE is selected) appears in base64 encoding. Does mqsisetdbparms use the same way?
| mqjeff wrote: |
| Don't rely on these files to provide the only layer of security on this password. Make sure the system is providing os-layer security on who can log in and who can access these files to the appropriate users. |
We have os-layer security.
| mqjeff wrote: |
| And UPGRADE TO A NEWER FIXPACK. |
Thanks for your advise! |
|
| Back to top |
|
|
| AndreasMartens |
| Posted: Wed Jan 23, 2013 9:03 am Post subject: Password obfuscation |
|
|
Acolyte
Joined: 30 Jan 2006
Posts: 65
Location: Hursley, UK
|
| Quote: |
| Does it described at IBM official materials? I have not found something about obfuscation for mqsisetdbparms command. |
No it's not described. It's an in-house developed algorithm.
| Quote: |
| I have found this information: for security profiles password (If OBFUSCATE is selected) appears in base64 encoding. Does mqsisetdbparms use the same way? |
No, the security profile based obfuscation is different. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Jan 23, 2013 9:41 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| Sosed wrote: |
mqjeff, thanks for your reply
| mqjeff wrote: |
Don't try and recover passwords from these files.
|
I don't need to recover password, I want to prevent it's recovery. |
Good. Excellent! most people asking about these files want to recover the password from them.
| Sosed wrote: |
| mqjeff wrote: |
| Don't rely on these files to provide the only layer of security on this password. Make sure the system is providing os-layer security on who can log in and who can access these files to the appropriate users. |
We have os-layer security. |
Then you have prevented recovery of the password from these files, by ensuring that only the correct and authorized user (i.e. exactly and only the broker service user) can get at them.
You have likewise perhaps taken steps to make sure the broker file system is stored on a file system that is encrypted at the storage layer (below the OS layer) so that if someone acquires physical access to the storage media, you are not compromised that way. But that would depend heavily on the security requirements of your installation. |
|
| Back to top |
|
|
| EKhalil |
| Posted: Fri Mar 14, 2014 8:29 am Post subject: Has anyone tried to decrypt UserId.dat ? |
|
|
Voyager
Joined: 29 Apr 2003
Posts: 99
Location: Boston, MA
|
Quote: "13. What database credential did I configure for database access?
The username configured on the broker to access a database can be found in the following file:
<MQSI_WORKPATH>/registry/<BKName>/CurrentVersion/<DSN> directory or directory with odbc or jdbc prefix>/UserId.dat
The password is in file Password.dat in the same directory, however it is encrypted so it is not possible to find out what password you configured." |
|
| Back to top |
|
|
| zpat |
| Posted: Tue Apr 15, 2014 12:50 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5849
Location: UK
|
|
| Back to top |
|
|
|
|
