IBM Sterling



Status: Not under consideration
Categories: Security
Created by: Guest
Created on: May 10, 2024

Encrypted Access Key and Secret Key in # S3 IO Exit parameters

Encrypted Access Key and Secret Key in the # S3 IO Exit parameters stanza of the initparm.cfg file.


Here is the problem statement:

We were able to send the file to a DELL ECS S3 bucket from a Linux node. For this we updated the initparm.cfg file, using the code snippet below:


----------------------------------------------
# S3 IO Exit parameters
file.ioexit:\
    :name=S3:\
    :library=/opt/cdunix/ndm/lib/libcdjnibridge.so:\
    :home.dir=/opt/cdunix/ndm/ioexit-plugins/s3:\
    :options=-Xmx640m \
        -Dstore.providerName=S3 \
        -Ds3ioexit.trace_level=debug \
        -Dstore.keyStore=JRE_SP \
        -Ds3.endPointUrl=<S3_Hosted_Server>.VISA.COM \
        -Ds3.endPointPort=<Port Number> \
        -Ds3.profilePath="/home/<user>/<folder>/.aws/credentials" \
        -Ds3.profileName=appteam \
        -Djava.class.path=/opt/cdunix/ndm/ioexit-plugins/s3/cd-s3-ioexit.jar com.aricent.ibm.mft.connectdirect.s3ioexit.S3IOExitFactory:
----------------------------------------------

The issue with this approach is that the access key and secret key are stored in clear text on the Linux box; storing these keys in plain text is a security issue.

Can you please help us with an option to encrypt these keys and decrypt them at run time during Process execution?

What is your industry? Financial Markets
How will this idea be used?

It will be used to send files to the S3 object store directly from a Linux CD node.

  • Admin
    James Joseph
    May 27, 2024

    Thank you for taking the time to provide your ideas to IBM. After discussing with development, we believe the requested enhancement does not align with our product roadmap considering the broader market needs. For that reason I am putting this as "Not under consideration" and we can revisit this once we see interest from more customers (via voting or comments).

    I understand that this is not the answer you were expecting; however, if you have any additional feedback, thoughts or ideas, or if there is anything else I can do, please do not hesitate to reply to this message to continue the conversation. I appreciate your patience.

    Regards,

    Product Management

  • Admin
    James Joseph
    May 27, 2024

    Access key and secret key are in clear text in this file, but it is possible to "hide" these keys using the credential_process property in the credentials file. The credentials file is documented by AWS: Configuration and credential file settings - AWS Command Line Interface (amazon.com)

    Here is an example:

    [profile appteam]
    credential_process = /aPathTo/aScript.sh

    The called script will return the keys in JSON format on stdout. The AWS SDK will use it to get the keys. Here is an example:

    {
      "Version": 1,
      "AccessKeyId": "value",
      "SecretAccessKey": "value"
    }

    Here is an example of what could be achieved:

    • Prepare an unencrypted JSON file with the keys in clear.
    • Encrypt this file with OpenSSL: openssl enc -aes-256-cbc -salt -in /aPath/ClearJSONRecord.txt -out /anotherPath/EncryptedJSONRecord.enc -k PASS
    • Save the unencrypted file outside of CD users' and groups' access.
    • Write a script to decrypt the file: openssl enc -aes-256-cbc -d -in /anotherPath/EncryptedJSONRecord.enc -k PASS
    • Declare this script with the credential_process property in the credentials file.

    It is also possible to retrieve temporary and expiring credentials using AWS STS (AWS STS examples using AWS CLI - AWS Command Line Interface (amazon.com)).

    A more sophisticated solution:

    • Call AWS STS to retrieve temporary credentials (returned in JSON format) on a regular basis (using a cron job, before the STS token expires), encrypt them to a file, and touch the credentials file.
    • The script declared in credential_process decrypts when called. (CD requests the AWS SDK to monitor the credentials file for changes, and the credentials mechanism will call the script again if the file changed.)
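The credential_process flow described in the comment above, as an added, runnable example; this is not IBM's, Connect:Direct's or the commenter's code. It assumes `openssl` 1.1.1 or later on PATH, a passphrase file readable only by the Connect:Direct service account, and an encrypted record writable only by root; all paths in it are hypothetical. Two deliberate departures from the commands in the comment: the passphrase is read with `-pass file:` rather than `-k PASS`, so it does not appear in `ps` output or shell history, and `-pbkdf2 -iter` replaces openssl's legacy single-iteration key derivation. The decrypted JSON is checked against the SDK's contract (`"Version": 1` plus non-empty keys) before it is printed, so a wrong passphrase or corrupted ciphertext fails here rather than as an opaque S3 authentication error. Two caveats worth stating plainly: this relocates the secret rather than removing it, since anyone who can read both the passphrase file and the ciphertext recovers the keys, and the value is that the passphrase can sit under tighter ownership than a credentials file the exit's user must read; and the profile header convention differs between the two AWS files, `[profile appteam]` in `~/.aws/config` versus `[appteam]` in `~/.aws/credentials`, so match it to whichever file `-Ds3.profilePath` points at.

```shell
#!/bin/sh
# Added example, not IBM/Connect:Direct code: a credential_process helper for
# the AWS SDK used by the S3 I/O exit. Assumes openssl >= 1.1.1 on PATH.
# Passphrase file and ciphertext paths are hypothetical deployment choices.
set -eu
umask 077   # anything this script creates is owner-readable only

# Encrypt a cleartext credential record (the JSON the SDK expects) with
# AES-256-CBC. The passphrase comes from a file via -pass file:, never from
# -k on the command line, so it is not exposed in ps output or history.
# -pbkdf2 with an explicit iteration count replaces openssl's legacy,
# single-iteration key derivation.
encrypt_credentials() {
    clear_json=$1; enc_out=$2; pass_file=$3
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -pass "file:$pass_file" -in "$clear_json" -out "$enc_out"
}

# Decrypt the record to stdout, which is the channel credential_process reads.
decrypt_credentials() {
    enc_in=$1; pass_file=$2
    openssl enc -aes-256-cbc -d -pbkdf2 -iter 200000 \
        -pass "file:$pass_file" -in "$enc_in"
}

# The SDK contract: "Version": 1 plus non-empty AccessKeyId and
# SecretAccessKey (SessionToken/Expiration are optional, used for STS output).
# Returns 1 for anything else so a corrupt or wrong-passphrase decrypt is
# rejected here instead of surfacing as a confusing S3 auth error.
validate_record() {
    record=$1
    printf '%s' "$record" | grep -q '"Version"[[:space:]]*:[[:space:]]*1[^0-9]' || return 1
    printf '%s' "$record" | grep -q '"AccessKeyId"[[:space:]]*:[[:space:]]*"[^"]\{1,\}"' || return 1
    printf '%s' "$record" | grep -q '"SecretAccessKey"[[:space:]]*:[[:space:]]*"[^"]\{1,\}"' || return 1
}

# Entry point named in credential_process: decrypt, validate, emit.
credential_process() {
    enc_in=$1; pass_file=$2
    record=$(decrypt_credentials "$enc_in" "$pass_file")
    validate_record "$record" || { echo "credential record is malformed" >&2; return 1; }
    printf '%s\n' "$record"
}

# Constructed sample record with placeholder values; these are not real keys.
SAMPLE_RECORD='{
  "Version": 1,
  "AccessKeyId": "EXAMPLEACCESSKEYID",
  "SecretAccessKey": "ExampleSecretAccessKeyDoNotUse"
}'

# End-to-end demonstration on temporary files: encrypt, delete the
# cleartext, then act as the SDK and fetch the record through
# credential_process. Returns the record the SDK would receive.
demo_roundtrip() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_RECORD" > "$tmp/clear.json"
    printf 'correct horse battery staple\n' > "$tmp/pass.txt"
    encrypt_credentials "$tmp/clear.json" "$tmp/creds.enc" "$tmp/pass.txt"
    rm -f "$tmp/clear.json"   # never leave the cleartext beside the ciphertext
    out=$(credential_process "$tmp/creds.enc" "$tmp/pass.txt")
    rm -rf "$tmp"
    printf '%s\n' "$out"
}

# Run as the credential_process program when given the two paths;
# otherwise the file is just a library of the functions above.
if [ "$#" -eq 2 ]; then
    credential_process "$1" "$2"
fi
```

Deployed, the profile entry names the script with its two paths, for instance `credential_process = /opt/cdunix/ndm/secure/cd_s3_creds.sh /opt/cdunix/ndm/secure/creds.enc /opt/cdunix/ndm/secure/pass.txt` (hypothetical paths); the trailing `if` makes the file behave as that program when given arguments and as a function library otherwise. For the STS variant in the comment, the cron job calls `encrypt_credentials` on the freshly fetched record (which may carry `SessionToken` and `Expiration` in the same Version 1 shape) and then touches the profile file; the decrypting side needs no change.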


  • Admin
    James Joseph
    May 24, 2024

    Thank you for taking the time to share your ideas with IBM. We truly value our relationship with you and appreciate your efforts and willingness to share details about your experience, your recommendations, and ideas. We will review them in the coming weeks and get back to you with a response.

    Thanks,

    Product Management