This portal is to open public enhancement requests for IBM Sterling products and services. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
Shape the future of IBM!
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Search existing ideas
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updateson them if they matter to you. If you can't find what you are looking for,
Post your ideas
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Specific links you will want to bookmark for future use
Current situation: The OpenID Connect refresh token is sent as a GET parameter to the webservers of pem-pp and pem-pr applications so the refresh token is showed in the URL history of the browser/sniffer traffic: Example: GET/rochesso/home?refresh...
Use Refresh token rotation to make Jwt token more secure
Current Situation: An access token allows temporary access to restricted resources, PEM APIs, and so has a short validity period of 5 minutes (configurable through system properties). A refresh token has a longer validity as it allows users to log...
At current situation a malicious user can bypass the file type restrictions for logos in pem-pp application. It is possible to bypass the upload restrictions and upload a disallowed file by changing the file Content-Type to an allowed one. The ser...
Use a whitelist approach to validate the file extension in /dsv/sponsor/module/fileManagement and /dsv/partner/module/fileManagement
The PEM is vulnerable to an unrestricted file upload on the path /dsv/partner/module/fileManagement/ and /dsv/sponsor/module/fileManagement in the parameter file. Through this vulnerability it is possible to upload a windows executable file that t...
PEM currently only supports basic authentication for SMTP. ( user id, password ). At most, it does allow you to select between smtp and smtps. However, smtp providers have been moving away from basic authentication for some time. PEM does not allo...
Some of REST APIs for IBM products have token authentication implemented. I.e., call a sign in API to get a token, and then use the token in a HTTP Header for all other API calls.
IBM Sterling Secure Proxy: https://www.ibm.com/su...
Ability to add custom HTTP headers for PEM application
Due to security concerns, security team likes to have custom HTTP headers in all HTTP traffic. Request you to please add a new feature is to be able to configure HTTP header for PEM application. This is required to get CA signed certificates from ...
Do not place IBM confidential, company confidential, or personal information into any field.