Creating the User Data File

The user data file <SYSTEM>/LINCLOG/SECURE (DFI) contains the attribute mask information entered at runtime. This file is created for the system on the system dictionary pack before generating the system. There are two options for maintaining the SECURE data file: Automated Data Entry and Manual Data Entry.

Although you can use either option to maintain the SECURE data file, the recommended option is Automated Data Entry.

Automated Data Entry

To enter the attributes to be masked using the LOGLIBSECURITY utility, perform the following:

  1. Run the utility with SW3 set, and either

    • equate the internal file DFI to <SYSTEM>/LINCLOG/SECURE

    or

    • enter the system name on the first transmit of the input screen

    Note: You can also sign on to CANDE under the usercode for your system if the number of attributes to be masked exceeds 36. This is described in Manual Data Entry.

  2. Add or edit the contents of the <SYSTEM>/LINCLOG/SECURE data file.

    The LogLibSecurity input screen lets you enter or edit the attributes that need to be masked, or list the attributes that have the ControlType property set to PasswordField.

    The initial input screen of the LogLibSecurity utility prompts for the following:

    You can add or edit the contents of <SYSTEM>/LINCLOG/SECURE file to a maximum of 36 attributes in any order.

    • System Name – Enter the name of the system to which the LINCLOG masking needs to be applied. If LINCLOG security data has previously been entered for this system, transmit the system name so that the previously entered LINCLOG security details are returned.

      Note: You cannot alter the system name after the first screen transmit.

    • Default Mask Character – You can enter the default masking character.

      This character is used as the default character to mask the selected fields in the LINCLOG file. The character can be overridden at the individual attribute level.

    • Include all SECURE data – You can select this option to list the attributes that have the ControlType property set to PasswordField in Developer. The Default Mask Character is applied for these attributes.

    • Attribute Name – Enter the Attribute Name using <Ispec>.<data item> notation, for example, CUST.NAME.

      For each Attribute Name that you have entered, you can optionally enter the following:

      • Mask Skip: Enter the number of characters to skip from the first (leftmost) character if you require offset masking.

      • Mask Size: Enter the size (number of characters) that you need to mask, if only part of the field contents needs to be masked. By default, the whole attribute contents are masked.

        Note: If you enter Mask Skip, you must also enter Mask Size. If Mask Skip is not entered, masking starts from the leftmost character in the attribute contents.

      • Mask Char: You can override the Default Mask Character by supplying a specific mask character for an attribute.

For example, assume that the Attribute Name CUST.NAME is 25 characters long and the Default Mask Character is '#'. If you enter CUST.NAME, 6, 5, @ in the LogLibSecurity utility, the first six characters are skipped and the next five characters are masked with @ for all CUST.NAME fields in the LINCLOG file. Hence Jonathan Smythe-Jones is masked as Jonath@@@@@ythe-Jones.

Notes:

  • You can apply up to five different masks on an Attribute Name, but you must ensure that there are no conflicts between Mask Skip and Mask Size.

  • You must ensure that there is no overlapping of the masking definition for the same attribute.

    • Action – Enter the required action; V, E, or X.

      • V: Enter V to validate the input. If there are any error messages, they are returned to the status line (line 25). The mask data is refreshed, sorted in Attribute Name and Mask Skip order.

        Note: The attribute name is validated against the associated LincGli file which provides details of the attribute properties.

      • E: Enter E to validate the input and, if there are no errors, create the file <SYSTEM>/LOGLIBRARY/PARAMS via the LOGLIBSECURITY utility and then exit. Additionally, a call is made to <SYSTEM>/1/LOGLIBRARY to reload its internal security tables from the new file <SYSTEM>/LOGLIBRARY/PARAMS. The updated mask requests are then effective immediately. Also, a summary of the current mask data is displayed.

      • X: Enter X to exit the system with no updates or validation performed.

Manual Data Entry

To enter the data manually, perform the following:

Sign on to CANDE under the usercode for your system, and enter:

R $(<runtime usercode>)NGEN28/LOGLIBSECURITY ON <runtime pack>;
FILE DFI=<file title>;
{LIBRARY LOGLIB (TITLE=<Loglibrary title>);}
{FILE GLIFILE=<file title>;}

Where entries within {..} are optional.

The parameters used in the above instruction are detailed in the following table.

| Parameter | Description |
|---|---|
| pack | Pack on which the utility NGEN28/LOGLIBSECURITY resides. Omit ON pack if it is on a family pack for that usercode. |
| FILE DFI | By default, the file <SYSTEM>/LINCLOG/SECURE should reside on the usercode and family where the utility NGEN28/LOGLIBSECURITY is executed. The internal file name DFI in NGEN28/LOGLIBSECURITY can be equated to the file <SYSTEM>/LINCLOG/SECURE at execution time to override the default setting. Note: If the internal file name is equated to the file <SYSTEM>/LINCLOG/SECURE, information from the file is used to fill the input screen. |
| FILE LINCGLI | By default, the file <SYSTEM>/LINCGLI should reside on the same usercode and family as the file DFI. The file can be equated at execution time to override the default setting. |
| LOGLIB | By default, the library <SYSTEM>/1/LOGLIBRARY should reside on the same usercode and family as the file DFI. The library LOGLIB can be equated at execution time to override the default setting. |

An attribute with the format <ispec name>.<attribute name> can be masked by specifying the following.

  1. The number of characters to be skipped before applying the mask.

  2. The size of masking to be applied. By default, size is the length of the field, if skip is zero.

  3. A specific attribute mask that overrides the default mask character.
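The masking rules described in both data entry sections (Mask Skip, Mask Size, Mask Char, at most five non-overlapping masks per attribute) can be modelled as follows. This is an added Python illustration, not Unisys code or the LOGLIBSECURITY implementation; the names `Mask`, `resolve` and `apply_masks` are hypothetical, and rejecting a mask that runs past the field length and masking only the characters actually present are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MAX_MASKS = 5  # the page allows up to five masks per Attribute Name


@dataclass(frozen=True)
class Mask:  # hypothetical model of one mask entry
    skip: Optional[int] = None  # Mask Skip: characters skipped from the left
    size: Optional[int] = None  # Mask Size: characters masked after the skip
    char: Optional[str] = None  # Mask Char: overrides the default character


def resolve(masks, field_len, default_char):
    """Validate one attribute's masks; return sorted (start, end, char) spans."""
    if len(masks) > MAX_MASKS:
        raise ValueError("more than five masks for one attribute")
    spans = []
    for m in masks:
        if m.skip is not None and m.size is None:
            raise ValueError("Mask Skip entered without Mask Size")
        start = m.skip or 0
        # No Mask Size: the whole attribute is masked (the documented default).
        end = field_len if m.size is None else start + m.size
        ch = m.char or default_char
        # Assumption: a mask running past the field length is rejected.
        if len(ch) != 1 or start < 0 or end <= start or end > field_len:
            raise ValueError(f"invalid mask {m}")
        spans.append((start, end, ch))
    spans.sort()  # validation returns mask data in Mask Skip order
    for (_, prev_end, _), (start, _, _) in zip(spans, spans[1:]):
        if start < prev_end:
            raise ValueError("overlapping mask definitions")
    return spans


def apply_masks(value, spans):
    """Mask a logged value; only characters actually present are replaced."""
    out = list(value)
    for start, end, ch in spans:
        for i in range(start, min(end, len(out))):
            out[i] = ch
    return "".join(out)


if __name__ == "__main__":
    # The page's example: CUST.NAME (25 characters), entry 6, 5, @
    spans = resolve([Mask(6, 5, "@")], field_len=25, default_char="#")
    print(apply_masks("Jonathan Smythe-Jones", spans))
```

Running a planned set of mask entries through a check like this before transmitting them shows which part of each logged value stays readable.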

Generating the System with LOGLIBSECURITY

During system generation, the LOGLIBSECURITY utility:

LOGLIBRARY Startup

When the system starts, LOGLIBRARY performs the following:

Note: A sample ALGOL library with entrypoints is available. The library title can be a file equated via a WFL MODIFY to the LOGLIBRARY program.

Any errors in the masking or encryption processing are not fatal. The errors only result in warning displays. The frequency of the warning displays can be limited by providing a taskvalue value to the LOGLIBRARY program via WFL MODIFY. For example, a value of 10 shows every 10th display. By default, all warnings are displayed.

If a user library is present, LOGLIBRARY must be modified by WFL MODIFY to point to the LOGLIB_SUPPORT library.

Clear Text Password Masking

The host deployment server, APPLBLD, can optionally trace all message packets to and from the AB Suite client to a disk file. This message packet contains one or more passwords for the client login request, and all of these are now masked by '*' when the packet is written to the LINCLOG file.