1. Problem Statement
Currently, IBM SFG requires static passwords for Oracle database accounts used for configuration, runtime, and audit data storage. This poses security and compliance challenges in environments that require:
· Regular password rotation per company security policies.
· Integration with enterprise password management solutions (e.g., CyberArk, HashiCorp Vault, or another company-approved vault).
· Elimination of hard-coded or manually managed credentials in configuration files.
Manual updates to SFG configurations when passwords change are error-prone, cause service interruptions, and increase operational overhead.
2. Proposed Solution
Enable SFG to support dynamic passwords for Oracle database connections through one or more of the following methods:
a) External Password Store Vaults approved by the company
· Support Oracle’s “External Password Vaults” feature, where passwords are managed outside SFG for credential storage, enabling password rotation without SFG configuration changes.
b) API-Based Password Retrieval
· Provide a pluggable interface to fetch passwords from external secret managers at runtime.
· Support industry-standard APIs (RESTful) for integration with vault solutions.
3. Business Benefits
· Improved Security: Aligns with company policies for credential rotation and secret management.
· Reduced Operational Risk: Eliminates service downtime due to password expiration or manual updates.
· Compliance: Helps meet regulatory requirements for credential protection and rotation.
· Integration Flexibility: Enables use of existing enterprise password management infrastructure.
4. Use Case Example
An SFG installation uses an Oracle database for audit logging. The Oracle account password must be rotated every 90 days per company security policy.
· Today: The support team must update the password in SFG configuration files and restart services, risking downtime and configuration errors.
· With RFE: SFG fetches the current password from a pre-configured Secrets Store or company-approved enterprise vault at runtime. Password rotation occurs transparently in the vault without SFG reconfiguration.
5. Implementation Considerations
· Backward compatibility: Static password configurations should remain supported.
· No impact to existing SFG functionality or database schema/configuration settings.
· Configuration changes should be minimal and well-documented.
· Support for both on-premises and cloud-deployed SFG instances.
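A sketch of the pluggable retrieval described in 2(b) and the rotation use case in section 4, added here as an illustration; it is not SFG or IBM code. All class and function names are hypothetical, and the vault and database login are constructed in-memory stand-ins. It keeps a static provider for backward compatibility and re-fetches from the vault when a cached password is rejected after rotation.

```python
import time

class AuthError(Exception):
    """Stands in for the database rejecting a login (hypothetical)."""

class StaticPasswordProvider:
    """Backward-compatible path: fixed password taken from configuration."""
    def __init__(self, password):
        self._password = password

    def get_password(self):
        return self._password

class VaultPasswordProvider:
    """Fetches the password at runtime and caches it for ttl seconds."""
    def __init__(self, fetch, ttl=300.0):
        self._fetch, self._ttl = fetch, ttl
        self._cached, self._expires = None, 0.0

    def get_password(self):
        if self._cached is None or time.monotonic() >= self._expires:
            self._cached = self._fetch()
            self._expires = time.monotonic() + self._ttl
        return self._cached

    def invalidate(self):
        self._cached = None

def connect_with_rotation(provider, connect):
    """On a rejected login, drop any cached password and retry once."""
    try:
        return connect(provider.get_password())
    except AuthError:
        if not hasattr(provider, "invalidate"):
            raise  # static password: nothing newer to fetch
        provider.invalidate()
        return connect(provider.get_password())

def demo():
    vault = {"pw": "old-secret"}  # constructed stand-in for a secret store
    def connect(pw):              # constructed stand-in for the database login
        if pw != vault["pw"]:
            raise AuthError("login rejected")
        return "connected"
    provider = VaultPasswordProvider(lambda: vault["pw"], ttl=3600)
    first = connect_with_rotation(provider, connect)
    vault["pw"] = "new-secret"    # rotation happens in the vault only
    second = connect_with_rotation(provider, connect)
    return [first, second, provider.get_password()]
```

In a real integration the `fetch` callable would wrap the vault's authenticated REST call, and the retry would be bounded so a genuinely wrong credential does not lock the database account.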
6. Additional Remarks
For long-term operation, it is mandatory to adopt dynamic secrets management in our team. IBM should support such capabilities, which exist in other IBM products, and extend this to SFG. This would strengthen its security posture and customer adoption in regulated industries.