PC5250 macros are a great way to automate repetitive OS/400 green-screen tasks for speed and accuracy. The weak spot of pre-V5R1 PC5250 macros has always been that hidden data, such as passwords and other confidential input typed into non-display fields while a macro is being recorded, is stored in the macro file as unprotected plain text. That is a security hole: anyone who can list a PC5250 .MAC file or open it in a text editor can read OS/400 user IDs, passwords and other sensitive values straight out of the macro. This is not a good situation.
IBM has recognized this vulnerability and added a new macro security setting to the PC5250 program that ships with Client Access Express for Windows V5R1. The setting is not exposed in the PC5250 GUI; it is activated by manually adding a parameter to PC5250's workstation profile. Once set, it prevents hidden data, including passwords, from being recorded and stored in new macro files. To activate the feature, perform the following steps:
1. Using a text editor, open the workstation profile (the .ws file) that your V5R1 PC5250 program uses for emulation configuration.
2. Look for the keyboard stanza section in the file. The keyboard stanza is a series of settings that tell PC5250 how to process keyboard input. These statements are found directly underneath the '[Keyboard]' literal in the file.
3. Under the [Keyboard] stanza, add the following line to your .ws file:
4. Save the file.
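As an added example (it is not IBM's code and not part of the original tip), the Python below applies the four steps above to a .ws file programmatically. It treats the workstation profile as an INI-style text file, places a setting line under the [Keyboard] stanza without disturbing other stanzas, replaces an existing value instead of duplicating the key, and creates the stanza if a profile has none. Because the parameter itself is not reproduced on this page, the function takes the setting line as an argument; the SAMPLE_WS content, the ExampleSetting=Y placeholder, and the Latin-1 file encoding are constructed assumptions, not values from the article.

```python
"""Put a setting line under the [Keyboard] stanza of a PC5250 .ws profile.

Added example, not IBM code. The .ws file is handled as plain INI-style
text: stanza headers in square brackets, one Name=Value setting per line.
The real parameter IBM documents for suppressing hidden macro data is not
reproduced here; pass it in as `setting_line`.
"""

from pathlib import Path

# Constructed sample profile for demonstration; keys are illustrative only.
SAMPLE_WS = """[Profile]
ID=WS
Version=5
[Communication]
Link=tcpip
[Keyboard]
CuaKeyboard=1
IMEAutoStart=N

[Macro]
Dir=C:\\macros
"""


def _is_header(stripped: str) -> bool:
    return stripped.startswith("[") and stripped.endswith("]")


def _key_of(stripped: str) -> str:
    return stripped.split("=", 1)[0].strip().lower()


def _insert_after_last_nonblank(out: list, line: str) -> None:
    """Insert `line` before any trailing blank lines, so the new setting
    sits with the stanza's other settings rather than after its spacing."""
    i = len(out)
    while i > 0 and not out[i - 1].strip():
        i -= 1
    out.insert(i, line)


def add_keyboard_setting(ws_text: str, setting_line: str,
                         stanza: str = "Keyboard") -> str:
    """Return ws_text with setting_line present under [stanza].

    Idempotent: if the key already exists in the stanza its line is replaced.
    Other stanzas, their order and their contents are left untouched. If the
    stanza is missing it is appended at the end of the profile.
    """
    key = _key_of(setting_line)
    header = f"[{stanza}]".lower()
    out, in_stanza, done = [], False, False
    for line in ws_text.splitlines():
        stripped = line.strip()
        if _is_header(stripped):
            if in_stanza and not done:          # leaving [Keyboard] without a hit
                _insert_after_last_nonblank(out, setting_line)
                done = True
            in_stanza = stripped.lower() == header
        elif in_stanza and not done and "=" in stripped and _key_of(stripped) == key:
            out.append(setting_line)            # replace existing value in place
            done = True
            continue
        out.append(line)
    if not done:
        if not in_stanza:                       # stanza absent: create it
            if out and out[-1].strip():
                out.append("")
            out.append(f"[{stanza}]")
        _insert_after_last_nonblank(out, setting_line)
    return "\n".join(out) + "\n"


def keyboard_has_setting(ws_text: str, key: str, stanza: str = "Keyboard") -> bool:
    """True if `key` (case-insensitive) is set inside [stanza]; use this to
    audit profiles rather than grepping the whole file, since the same key
    name could legitimately appear in another stanza."""
    in_stanza = False
    for line in ws_text.splitlines():
        s = line.strip()
        if _is_header(s):
            in_stanza = s.lower() == f"[{stanza}]".lower()
        elif in_stanza and "=" in s and _key_of(s) == key.lower():
            return True
    return False


def update_ws_file(path: Path, setting_line: str) -> bool:
    """Rewrite the profile on disk, keeping a .bak copy of the original.
    Returns False if the file already had the setting (nothing written).
    Latin-1 is an assumption about the profile's encoding."""
    original = path.read_text(encoding="latin-1")
    updated = add_keyboard_setting(original, setting_line)
    if updated == original:
        return False
    path.with_suffix(path.suffix + ".bak").write_text(original, encoding="latin-1")
    path.write_text(updated, encoding="latin-1")
    return True


if __name__ == "__main__":
    # ExampleSetting=Y is a placeholder: substitute IBM's documented parameter.
    print(add_keyboard_setting(SAMPLE_WS, "ExampleSetting=Y"))
```

Run it against a copy of your .ws file first; the .bak the updater leaves behind is your rollback if the emulator rejects the edit.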
For all new macros created after the .ws file has been modified with this setting, V5R1 PC5250 will no longer store, or play back, data that was entered in hidden fields while the macro was recorded. When it comes time to enter a hidden value on playback, such as a password, bank account number or other non-displayed sensitive information, the macro stops and waits for the user to type the hidden data before it continues processing. It is important to understand that this setting does not encrypt the hidden data in the macro; it simply doesn't record it at all. The result is that your automated macros become semi-automated: a user must attend the playback and enter sensitive information as the macro requires it.
This fix is available only with V5R1 PC5250 and is not included with any earlier Client Access version. Remember, too, that adding the new .ws file setting does not modify any existing macros that already contain viewable sensitive information. It affects only newly created macros; existing macros will continue to feed their stored hidden data into input fields on playback, and that data will still be sitting unprotected in the pre-V5R1 macro files. So if you implement this fix, I recommend that you also delete and re-record your existing macros to remove this vulnerability from your whole installation. Doing so shores up existing PC5250 security issues and keeps hidden data away from prying eyes.
About the author: Joe Hertvik is an editor for Midrange Server and an IT consultant and freelance writer who specializes in middleware, network infrastructure, and iSeries and AS/400 issues. Joe can be reached at email@example.com.
This was first published in October 2001