Encrypting metadata store passwords

To create a secure Db2 connection to the metadata store, you can use the DBB password file utility to provide a DBB encrypted password file or password string argument.

For more information about the Db2 connection, see Creating an IBM Db2 metadata store connection in Metadata store.

DBB Db2 password file

DBB provides a utility shell script to create an encrypted password file that can be stored on the local file system and referenced when creating a Db2 metadata store.

import com.ibm.dbb.metadata.*

String url = "jdbc:db2://system1.company.com:5040/DBB1"   // JDBC URL of the Db2 subsystem
String id = "USER1"                                         // Db2 user ID
File pwFile = new File("/user1/build/user1.txt")            // file created by $DBB_HOME/bin/pwf.sh
MetadataStore metadataStore = MetadataStoreFactory.createDb2MetadataStore(url, id, pwFile)

To create a password file, complete the following tasks:

  1. Log in to z/OS UNIX.
  2. From a command line, navigate to the directory where you want to create the password file.
  3. Type $DBB_HOME/bin/pwf.sh <pass.txt> where <pass.txt> can be any file name that you have access to.
    This command prompts you to type your password.
    NOTE: If you use DBB through IBM Developer for z/OS (IDz), you cannot run this command as an IDz shell command because this type of shell command is not interactive. Instead, use an SSH or OMVS session.
  4. When prompted, type the password. The password is encrypted and stored in the <pass.txt> file.

NOTE: Though the password file uses AES-256 encryption, the encryption key is embedded in the DBB toolkit installation, so it could be recovered and used to decrypt the password file. Set appropriate operating system file permissions on the password file to prevent access by unauthorized users. The main benefit of using a password file is to avoid repeating the password in the clear in build scripts and property files.

Db2 Encrypted Password Argument

The DBB MetadataStoreFactoryclass also allows you to pass in the Db2 password as a Java™ string argument instead of a password file. However, the password string needs to be encrypted by using the DBB Db2 password file utility. You can then copy the encrypted password out of the password file and store it in a CI/CD secrets store to be used in pipeline scripts.