mllamazares

Reputation: 8166

How to store sensitive information in COBOL?

I currently store critical credentials in a text file, which I load in my COBOL program this way:

      ***********************
       LOAD-CREDENTIALS.
      ***********************
           READ PASSFILE.

           DISPLAY 'USER: ' WE-USER.
           DISPLAY 'PASS: ' WE-PASS.

Of course, the real program doesn't display the credentials; this is just an example. It still is not a good practice.

Therefore, what is the most secure way to enhance security when storing passwords in an IBM mainframe using COBOL?

Upvotes: 2

Views: 413

Answers (1)

cschneid

Reputation: 10775

The short answer to your question "what is the most secure way to enhance security when storing passwords in an IBM mainframe using COBOL?" is: you don't store passwords in an IBM mainframe using COBOL (or any other language).

Security on an IBM mainframe is accomplished via an External Security Manager (ESM) such as CA-ACF2, IBM RACF, or CA-Top Secret. The ESM controls access to resources such as datasets, transactions, and subsystems, e.g. CICS, DB2, IMS, and TSO.

If you are trying to secure a resource on an IBM mainframe by rolling your own security system, stop and talk to the ESM administrators at your site to determine the best way for them to secure the resource for you.

Some examples...

  • Credentials for SFTP might be kept in a PDS(E), access to which is controlled by the ESM such that only authorized users can access it, and the SFTP parameters are set by policy to retrieve the credentials automatically

  • Credentials to access a REST web service from a CICS application might be provided as part of a URIMAP definition in the form of a certificate controlled by the ESM administrators

Upvotes: 6
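The first example in the answer above (a credentials PDS(E) that only authorized users can read), sketched as a REXX exec that a security administrator could run under TSO. This is an added example, not part of the original answer: it assumes RACF is the ESM, and the dataset name, user ID and group name are hypothetical.

```rexx
/* REXX - added example: protect a credentials PDSE with RACF.       */
/* Assumptions: RACF is the ESM; dataset and ID names are made up.   */
dsn    = "PROD.SFTP.CREDS"    /* hypothetical PDSE holding the keys  */
svcid  = "SFTPBAT"            /* hypothetical batch user ID          */
admgrp = "SECADM"             /* hypothetical security admin group   */

/* UACC(NONE): nobody gets access by default.                        */
/* AUDIT(ALL(READ)): log every successful and failed access.         */
call racf "ADDSD '"dsn"' GENERIC UACC(NONE) AUDIT(ALL(READ))"

/* Only the ID that runs the SFTP job may read the dataset.          */
call racf "PERMIT '"dsn"' GENERIC ID("svcid") ACCESS(READ)"

/* Administrators maintain the members; no other ID is permitted.    */
call racf "PERMIT '"dsn"' GENERIC ID("admgrp") ACCESS(UPDATE)"

/* Activate the new generic profile, then list who is authorized.    */
call racf "SETROPTS GENERIC(DATASET) REFRESH"
call racf "LISTDSD DATASET('"dsn"') GENERIC AUTHUSER"
exit 0

/* Issue one TSO command and stop the exec on a non-zero RC.         */
racf: procedure
  parse arg cmd
  address TSO cmd
  if rc <> 0 then do
    say "RACF command failed, RC="rc":" cmd
    exit 8
  end
  return
```

With the profile in place, the COBOL program holds no secret of its own: a job running under any other user ID fails at OPEN, and every access attempt is logged by the ESM.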
