Technical Note: Masking Passphrases in JCL When Working with SecureZIP® for z/OS®
SecureZIP for z/OS customers need a means to prevent encryption passphrases from appearing in the clear when running SecureZIP encryption and decryption jobs. On the mainframe, exposing the passphrase in cleartext in the JCL used for encryption or decryption is not a best practice and, in some cases, violates an organization's security policy.
Fortunately, there is an easy process to apply passphrases when encrypting or decrypting, yet avoid exposing such passphrases in the clear. Moreover, the recommended method follows standard IBM mainframe operational and data security best practices.
NOTE: Suppressing display of the passphrase used to encrypt or decrypt SecureZIP-protected data is optional, but a frequently desired best practice. SecureZIP can automatically suppress the display of the passphrase value in output. For input, customers must ensure the best practice described in this Technical Note is applied consistently.
Solution
The passphrase(s) used for encryption or decryption jobs are managed outside the JCL that executes those jobs. The passphrases are instead placed in a partitioned data set (PDS), from which they are read at run time.
The JCL below is a simplified example of this approach. The job encrypts a sequential file using a passphrase obtained from an external PDS member:
//HIDEPASS JOB 'PKWARE',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//********************************************************************
//* SAMPLE JOB STREAM TO ZIP SEQ FILE "SECZIP.TEST.SEQ" TO AN *
//* ARCHIVE OF "SECZIP.HIDE.PASSWORD.ZIP" USING STRONG ENCRYPTION *
//* AND USING THE INCLUDE_CMD PARAMETER TO PULL THE SECURED PASSWORD *
//* INTO THE JOB STREAM *
//********************************************************************
//*
//ENCRYPT EXEC PGM=SECZIP,REGION=8M
//STEPLIB DD DISP=SHR,DSN=SECZIP.SZV10.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
-ARCHIVE_DSN(SECZIP.HIDE.PASSWORD.ZIP)
-ACTION(ADD)
SECZIP.TEST.SEQ
-ECHO(N)
-INCLUDE_CMD(SECZIP.SECURED.LIBRARY(PASSWORD))
/*
The PDS member (SECZIP.SECURED.LIBRARY(PASSWORD)) contains the encryption method, the PASSWORD parameter and the passphrase itself, as in the sample below:
BROWSE RCE.SECURED.LIBRARY(PASSWORD) - 01.00 Line 00000000 Col 001 080
Command ===> Scroll ===> CSR
********************************* Top of Data **********************************
-ENCRYPTION_METHOD(AES128)
-PASSWORD(L0CKD0WN)
******************************** Bottom of Data ********************************
The user ID under which the job runs must have READ access to the PDS member that contains the passphrase. With the ECHO(N) parameter specified, an operator viewing the job output does not see which PDS member was included to supply the passphrase for the encryption process.
Resulting Output
In the output below, the ENCRYPTION_METHOD and PASSWORD parameters from the included member were applied to the job stream and produced the requested encryption. Note that the passphrase used to secure the data has been masked in the output for security purposes.
-ARCHIVE_DSN(SECZIP.HIDE.PASSWORD.ZIP)
-ACTION(ADD)
SECZIP.TEST.SEQ
-ECHO(N)
ZPAM030I OUTPUT Archive opened: SECZIP.HIDE.PASSWORD.ZIP
ZPAM253I ADDED File SECZIP.TEST.SEQ
ZPAM254I as SECZIP/TEST/SEQ
ZPAM255I (DEFLATED 76%/75%) SecureZIP(R) AES128 ; DATA SIZE 800; ZIP SIZE 198
ZPAM140I FILES: ADDED EXCLUDED BYPASSED IN ERROR COPIED
ZPAM140I 1 0 0 0 0
ZPMT002I PKZIP processing complete. RC=00000000 0(Dec)
Another option for securing the PDS member that contains the passphrase and encryption method is to set its access permission to NONE and grant READ access only to a user account, other than the operator's, under which the job runs. An operator who has no READ access to the secured PDS member can then still submit the encryption (or decryption) job; the job runs with the credentials of the authorized account, which does have READ access, and pulls the PDS member into the job stream.
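The following job stream is an added example, not part of the PKWARE technical note, showing one way to set up the separation just described with RACF: the passphrase library is readable only by a dedicated batch user ID, and an operator is given SURROGAT authority so the encryption job can be submitted under that ID without the operator knowing its password. SECZBAT (batch ID) and OPER1 (operator ID) are hypothetical names; the data set name SECZIP.SECURED.LIBRARY and the SYSIN statements are the ones used on this page.

```jcl
//RACFSET  JOB 'PKWARE',CLASS=A,REGION=8M,MSGCLASS=H,NOTIFY=&SYSUID
//*-------------------------------------------------------------------*
//* ADDED EXAMPLE (NOT FROM THE TECHNICAL NOTE).                      *
//* SECZBAT = HYPOTHETICAL BATCH USER ID THAT MAY READ THE PASSPHRASE *
//*           LIBRARY.                                                *
//* OPER1   = HYPOTHETICAL OPERATOR ID THAT MAY SUBMIT JOBS AS        *
//*           SECZBAT BUT MAY NOT READ THE LIBRARY ITSELF.            *
//* RACF PROTECTS THE WHOLE DATA SET, NOT SINGLE MEMBERS, SO KEEP     *
//* ONLY PASSPHRASE MEMBERS IN SECZIP.SECURED.LIBRARY.                *
//*-------------------------------------------------------------------*
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD 'SECZIP.SECURED.LIBRARY' UACC(NONE) AUDIT(ALL(READ))
  PERMIT 'SECZIP.SECURED.LIBRARY' CLASS(DATASET) ID(SECZBAT) ACCESS(READ)
  SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)
  RDEFINE SURROGAT SECZBAT.SUBMIT UACC(NONE)
  PERMIT SECZBAT.SUBMIT CLASS(SURROGAT) ID(OPER1) ACCESS(READ)
  SETROPTS RACLIST(SURROGAT) REFRESH
/*
//*-------------------------------------------------------------------*
//* THE ENCRYPTION JOB FROM THE NOTE, AS OPER1 WOULD SUBMIT IT: THE   *
//* USER= PARAMETER MAKES IT RUN AS SECZBAT, SO THE INCLUDE_CMD READ  *
//* OF THE PASSPHRASE MEMBER SUCCEEDS WITHOUT OPER1 HAVING ACCESS.    *
//*-------------------------------------------------------------------*
//HIDEPASS JOB 'PKWARE',CLASS=A,REGION=8M,USER=SECZBAT,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//ENCRYPT  EXEC PGM=SECZIP,REGION=8M
//STEPLIB  DD DISP=SHR,DSN=SECZIP.SZV10.LOAD
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
-ARCHIVE_DSN(SECZIP.HIDE.PASSWORD.ZIP)
-ACTION(ADD)
SECZIP.TEST.SEQ
-ECHO(N)
-INCLUDE_CMD(SECZIP.SECURED.LIBRARY(PASSWORD))
/*
```

The AUDIT(ALL(READ)) option on the data set profile makes RACF log every successful and failed READ of the passphrase library, so SMF records show which user IDs actually opened it; a read by anything other than SECZBAT is then visible to the security team. Because RACF data set profiles cover the entire data set rather than individual PDS members, the passphrase library should contain nothing but the secured command members.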