Skip to Main Content
IBM Sterling


This portal is to open public enhancement requests for IBM Sterling products and services. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Future consideration
Categories Security
Created by Guest
Created on Jul 31, 2024

Protect usage of the 'decrypt_string.sh|cmd' command

The database password stored in sandbox.cfg can be encrypted, but the facility to decrypt it is readily available within the installation (i.e. "decrypt_string.cmd|sh").

A user with access to the SFG installation directory would therefore not have much difficulty decrypting and retrieving that DB password.

'decrypt_string.sh|cmd' is protected by forcing the input of the system passphrase. However, most customers (in my experience) add the passphrase to customer_overrides so that it is not prompted for when performing automated/scripted stop/starts, or other actions such as decrypt_string.

Would it be possible to add an exception so that decrypt_string prompts for the passphrase (or some other secret) and other utilities continue as are? This would increase the protection of the DB password (which are often likely to be non-rotating and therefore at greater risk).

What is your industry? Banking
How will this idea be used?

Sensitive credential protection

  • Admin
    Mark Allen
    Reply
    |
    Dec 4, 2024

    Thank you for taking the time to provide your ideas to IBM. Your request may not be delivered within the release currently under development, but the theme aligns with our current roadmap and, as such, is being tagged for future consideration and is part of our long-term strategy. We cannot commit to a delivery window at this time, but this is something we agree would be beneficial in the product.

    As part of our long term strategy, we are considering external vault integration to handle secrets like this, i.e. leverage Hashicorp for IIM based installations. Our container offerings already offer this support at the configuration level through the use of RedHat OpenShift.

    We truly value our relationship with you and appreciate your willingness to share details about your experience, your recommendations, and ideas.

    Please note: IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.

  • Guest
    Reply
    |
    Oct 23, 2024

    Ideally we'd provide capabilities to link out to a vault for passwords like this rather than using weak symmetric enryption.

  • Guest
    Reply
    |
    Oct 23, 2024

    A better approach might be to provide a hook to retrieve the passphrase from a vault e.g. CyberArk.

  • Guest
    Reply
    |
    Aug 5, 2024

    We need to make sure that we don't enforce something that breaks process for customers. There are different ways that the application is started up today, and making a significant change like this could break some of those, expecially if the customer has a fully automated startup process and the passphrase prompt breaks that process. Otherwise a great suggestion for security.