Hiding credentials stored in database OM Web Viewer 12.1
Article ID: 227635
Products
Output Management Web Viewer
Issue/Introduction
We are currently running 12.1 on our production systems. The Configuration/Credentials screen shows Default credentials for all repositories, and then Individual credentials for each repository.
Are these accurate values? Is OMWV storing userid and associated password information in the database? Is this a security exposure?
Is OMWV making a SAF call to confirm the user password, or is it being retrieved from the database if it's being stored?
Updated the configuration settings and checked "hide credentials" and logged off and back on, but still see the credentials.
Environment
Output Management Web Viewer
Output Management Distributed Repository Access System (DRAS)
View®
Output Management View® for z/OS
Resolution
Yes and no. Yes, Web Viewer stores certain credential information in its external DB. No, there is no security risk, as all passwords are stored encrypted or hashed.
No, Web Viewer is not making SAF calls at signon. Such calls (from Top Secret, ACF2 and RACF) are made from DRAS and mostly View during Web Viewer signons and while accessing other repositories which require different credentials. In other words, whenever the user is prompted for a password, a security call is made from the mainframe cooperative processing components.
The credentials option has to be administered from the Roles: Administration tab - Role - select the role (Default User?) - Configuration Tab Elements - select Credentials, and then click the Update button. When someone next logs in with the role you just changed, they should no longer have the Credentials option under the Configuration tab. This cannot be configured globally; it has to be set per role.