We have a Spring application that connects to a DB2 AS400 database. We are currently using configuration files (.properties) to store the connection details, Spring reads thes files in the context creation phase and creates the datasource accordingly.
I have a requirement to store a hashed password instead of the password directly, that way if someone looks at the file content cannot know what the real password is.
Like this using SHA:
In my research I found that AS400 stores passwords using an index QSYUPTBL in the library QSYS, which is able to use DES or SHA hashing algorithms. So it will encrypt the received password and will compare the resulting hash with the one stored in the index. But is it possible to tell the DB's authentication process to expect the password being hashed and compare it directly?
Code:
... database.driverClassName=com.ibm.as400.access.AS400JDBCDriver database.url=jdbc:as400:<host>:naming=sql;libraries=*LIBL,...;transaction isolation=none database.username=<user> database.password=<password> database.initialPoolSize=2 database.maxPoolSize=5 ...
Like this using SHA:
Code:
... database.password=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 ...
Comment