TechTip: 7.1 Offers Encrypted Debug Views

Security - Other
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Thanks to the new DBGENCKEY parameter, you can now debug your customers' code while protecting your source.


If you stop and think about what some of your most important assets to your company are, your source code would most likely be on that list. Protecting your code is essential. Unfortunately, there are times when one of your customers encounters a problem. The easiest way to figure out the problem would be to put a debuggable version of your code onto the system. But now, your code isn't protected anymore. So you either expose your code or figure out another way to diagnose the problem. Wouldn't it be nice to just ship a debuggable version of your code and have it secure? In 7.1, the ILE compilers (RPG, COBOL, CL, C, and C++) and precompilers have a new parameter that allows you to encrypt your debug views. This means that you can ship debuggable code and know that your code is not exposed.


The new parameter is called Debug Encryption Key (DBGENCKEY). Entering a value in this parameter will tell the debugger to encrypt the debug views. The debugger requires the user to enter the debug encryption key before the views will be decrypted.


The DBGENCKEY parameter takes a 16-byte key value. If a key entered is not 16 bytes, it will be padded to 16 bytes with 0x40 (blank). The parameter is case-sensitive. If your source system and the target system do not use the same code page, the key should consist of characters that are invariant for the code pages or you should type a hexadecimal string for the key. If you prompt on the command, the DBGENCKEY will initially show a 17-character input area. If you want to type a hexadecimal string for the key, you can enter ampersand character followed by a blank (& ) and the input field is widened to 25 characters. This can be done repeatedly to widen the field to 32, 50, 80, 132, 256, and 512 characters. The Target Release (TGTRLS) parameter must have a value of V7R1M0 or *CURRENT to specify a debug encryption key.


Now that you have your debug views encrypted, how do you get them decrypted? On the STRDBG command, there is a parameter called Decryption Key (DBGENCKEY) in which you can enter the key, or you can wait for the debugger to prompt you for the key when an encrypted view is encountered. Since each module can have its own key and there could be several modules, the debugger caches the keys for the debug session. It will try all the cached keys before it prompts for a key. The cached keys will be cleared when the debug session is ended.


When the debugger prompts for the encryption key, it will give you three tries to enter a valid key. If a valid key is never entered, the debug view will not be decrypted. However, the module is still debuggable, and setting breakpoints and displaying variables will work. This is nice if you never want the source code to be visible on the customer's system but still want to debug it. Just be sure to keep a copy of the listing. Speaking of listings, the debug encryption key is written to the listing.


With the use of the DBGENCKEY parameter, you can now protect one of your company's most important assets and save time debugging problems encountered by your customers.


as/400, os/400, iseries, system i, i5/os, ibm i, power systems, 6.1, 7.1, V7,