in reply to Embeded passwords
I suggest that you look closely at the authentication methods that are available to these external servers. For example, many database systems allow for authentication by means of LDAP (OpenDirectory), or more generally through pluggable authentication modules. In short, you want the target server to recognize the authenticity of the requestor, not only by means of some magic-word or cookie that has been correctly supplied, but by who he is, or perhaps where. If you embed a password into an application such that anyone anywhere who has access to the server can present that password and be allowed inside the gate, then the entire security of the system devolves to the protection that may be afforded to that magic cookie ... which protection must be presumed to be zero.
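The reply above argues for recognizing the requestor by who he is rather than by a password baked into the application. This added example, which is not part of the original post, shows one way to do that for a local service: the server asks the kernel for the caller's uid over a Unix socket. It assumes Linux (`SO_PEERCRED`); `ALLOWED_UIDS` and the function names are hypothetical.

```python
import os
import socket
import struct

# Hypothetical policy: numeric uids allowed to use the service.
ALLOWED_UIDS = {os.getuid()}

def peer_identity(conn):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket.

    The kernel fills this in (Linux SO_PEERCRED); the client cannot choose it.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    return struct.unpack("3i", raw)

def authorize(conn, allowed_uids=ALLOWED_UIDS):
    """Decide from kernel-attested identity alone; no secret crosses the wire."""
    _pid, uid, _gid = peer_identity(conn)
    return uid in allowed_uids

def handle(conn, allowed_uids=ALLOWED_UIDS):
    """Serve one request, refusing callers whose uid is not on the allow-list."""
    if not authorize(conn, allowed_uids):
        conn.sendall(b"DENIED\n")
        return False
    request = conn.recv(1024)
    conn.sendall(b"OK " + request)
    return True

def demo():
    # Constructed demo: a connected socket pair stands in for client and server.
    server_side, client_side = socket.socketpair(socket.AF_UNIX,
                                                 socket.SOCK_STREAM)
    with server_side, client_side:
        client_side.sendall(b"SELECT 1\n")  # note: no password in the request
        accepted = handle(server_side)
        reply = client_side.recv(1024)
        # Same caller, but a policy that does not list its uid: refused.
        refused = not handle(server_side, allowed_uids={os.getuid() + 1})
        denial = client_side.recv(1024)
    return accepted, reply, refused, denial

if __name__ == "__main__":
    print(demo())
```

Nothing in the client binary or its configuration would let a different account through, so there is no embedded secret to protect.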