Security management and features in IBM Sterling B2B Integrator and Sterling File Gateway
Manisha Khond, Software Engineer, IBM Sterling B2B Integrator
Oct 25, 2017 11AM EDT
This session will be recorded and a replay will be available on IBM.COM sites and possibly social media sites such as YouTube. When speaking, do not state any confidential information, your name, company name or any information that you do not want shared publicly in the replay. By speaking during this presentation, you assume liability for your comments.
▪ A security vulnerability is a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of the product.
▪ Document encryption is a feature provided with IBM Sterling B2B Integrator that allows for the configuration of an additional layer of security beyond the traditional file and database permissions. The feature is to protect the data at rest. Sterling File Gateway uses the same document encryption feature for protecting data at rest.
▪ The document encryption feature is intended to protect data at rest from snooping. The feature allows you to encrypt the payload data stored in the database and/or the file system. It is also designed to prevent someone outside the system from viewing the payload data by directly accessing the database or file system.
▪ Uses symmetric encryption – the same key is used to both encrypt and decrypt the data.
Document encryption
▪ Important aspects of document encryption:
• The default configuration is no encryption. If you want to have your documents encrypted, you will need to turn on this feature.
• You can turn this feature on at any time, but only documents received after encryption is turned on are encrypted.
• Once you turn on this feature, encryption is for all payloads across the entire system.
• Only the document payload data is encrypted, not the metadata.
• The purpose of turning on document encryption is to safeguard the document/payload at rest. If you turn off document encryption, the document/payload will not be stored in encrypted format and there is a risk of tampering with the data at rest.
• If the document encryption certificate is replaced with a new certificate, the documents that were encrypted with the old certificate can be retrieved as long as the old document encryption certificate is not deleted.
Document encryption
▪ How to turn on document encryption?
▪ The system uses a predefined certificate to generate and encrypt the keys that are used to encrypt the documents. Users can choose a different certificate to encrypt the documents.
▪ To turn on document encryption, create a document encryption certificate (system certificate) and reference the certificate in customer_overrides.properties as below:
security.CERT_NAME=docenccert
▪ The user can choose to encrypt all documents, only the documents stored in the database, or only the documents stored on the file system. Use the customer_overrides.properties setting that matches your requirements.
security.ENC_DECR_DOCS=ENC_ALL {Encrypt all documents}
security.ENC_DECR_DOCS=ENC_DB {Encrypt the documents stored on the database}
security.ENC_DECR_DOCS=ENC_FS {Encrypt the documents stored on File System}
▪ Disabling document encryption is simple with the customer_overrides.properties setting:
security.ENC_DECR_DOCS=NONE
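A configuration check for the settings above, added here as an example and not part of the original presentation or of IBM's tooling. It reads the text of a customer_overrides.properties file and reports what the two properties imply; the function names and the sample file content are constructed for illustration.

```python
# Values of security.ENC_DECR_DOCS shown on the slide and what each one covers.
VALID_MODES = {
    "ENC_ALL": "database and file system payloads",
    "ENC_DB": "database payloads only",
    "ENC_FS": "file system payloads only",
    "NONE": "no payload encryption",
}

SAMPLE = """\
# constructed sample, not taken from a real installation
security.CERT_NAME=docenccert
security.ENC_DECR_DOCS=ENC_DB
"""

def parse_properties(text):
    """Parse key=value lines; skip blanks and #/! comments; the last value wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_doc_encryption(text):
    """Return (mode, findings) for the document-encryption settings."""
    props = parse_properties(text)
    findings = []
    # The slide states that the default configuration is no encryption.
    mode = props.get("security.ENC_DECR_DOCS", "NONE")
    if mode not in VALID_MODES:
        findings.append(f"{mode!r} is not one of {'/'.join(VALID_MODES)}")
    elif mode == "NONE":
        findings.append("payloads are stored unencrypted at rest")
    else:
        if mode != "ENC_ALL":
            findings.append(f"partial coverage: {VALID_MODES[mode]}")
        if not props.get("security.CERT_NAME"):
            findings.append("security.CERT_NAME not set: predefined certificate in use")
    return mode, findings
```

Because only documents received after the feature is turned on are encrypted, a clean result here says nothing about payloads stored earlier.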
Public Key Cryptography / Asymmetric encryption
▪ Unique public and private keys are issued to identities.
▪ Stored in digital certificates.
▪ Encryption uses the public key.
▪ Decryption uses the related private key.
▪ Scalable because the public key can be distributed.
▪ Some assurance of the authenticity of a public key is needed in this scheme to prevent an adversary from spoofing the receiver. Generally, this type of cryptosystem involves a trusted third party which certifies that a particular public key belongs to a specific person or entity only.
▪ The encryption algorithm is complex enough to prevent an attacker from decrypting the data using the public encryption key.
▪ Though private and public keys are related mathematically, it is not feasible to calculate the private key
▪ Federal Information Processing Standards (FIPS).
Secure Communication/Protocols (SFTP/SCP over SSH)
▪ SFTP provides secure file transfer over SSH.
Secure Communication/Protocols (SFTP/SCP over SSH)
▪ STRONG AUTHENTICATION WITH SSH KEYS
• Public Key authentication
o Uses a cryptographic key pair/SSH keys - public key and private key
o The public key is placed on a server to authorize access for anyone who has a copy of the private key.
• Password authentication
o Authentication with user name and password
Secure Communication/Protocols (SFTP/SCP over SSH)
▪ STRONG ENCRYPTION AND INTEGRITY PROTECTION
• During the negotiation the client and server agree on the symmetric encryption algorithm to be used and generate the encryption key that will be used.
• Once a connection has been established between the SSH client and server, the data that is transmitted is encrypted according to the parameters negotiated in the setup.
▪ IBM Sterling B2B Integrator/Sterling File Gateway
• SFTP Client Adapter and Services.
• SFTP Server Adapter.
• Partner creation.
Digital Signature
▪ Provides
• Proof of origin.
• Non-repudiation - ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document.
• Message integrity.
▪ Created by
• Processing a plaintext message through a hashing algorithm, resulting in a unique hash value (message digest).
• The hash value is encrypted using the private key, which is accessible only to the owner.
▪ Verified using the related public key.
Digital Signature support
▪ XML Digital Signature service
▪ ebXML XML Digital Signature Service
▪ ebXML Validation Service
▪ Cryptographic Message Service
▪ AS2
▪ Web Services
▪ Electronic Banking Internet Communication Standard (EBICS)
▪ B2B Mail Client Adapter (SMIME)
▪ SMTP Send Adapter (SMIME)
▪ SOA Inbound Security Service, SOA Outbound Security Service, SOAP Inbound Service, SOAP Outbound Service
Web of Trust (PGP)
▪ Peer validation
• Does not use Certificate Authorities (CA)
• Decentralized model
• Every entity acts like a PKI CA
▪ Alternative to PKI, a centralized model
• Indirect validation of entity public keys. If the first entity trusts the public key of the second entity and the second entity trusts the public key of the third, then the first entity trusts the public key of the third.
▪ PGP
• Uses Web of Trust.
• Widely used public key cryptography for signing and encryption/decryption.
Web of Trust (PGP)
▪ How does PGP work?
• PGP creates a one-time session key.
• The session key encrypts the plaintext, resulting in ciphertext.
• The session key is encrypted with the recipient's public key.
• The ciphertext and the encrypted session key are sent to the recipient.
• The recipient uses their private key for decryption to reveal the session key.
• The revealed session key is used to decrypt the ciphertext back into plaintext.
• Public keys need to be trusted between different parties.
National Institute of Standards and Technology (NIST) security compliance (5.2.4.2 or higher)
▪ NIST security standards, see http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
▪ Strict NIST 800-131a compliance.
▪ Algorithms and key strengths that are not allowed for strict NIST 800-131a compliance include:
RSA keySize < 2048
DSA keySize < 2048
EC keySize < 224
SHA1
MD2, MD4, MD5
RC2, RC4
DES
▪ In strict NIST 800-131a compliance mode, only TLS 1.2 can be used.
▪ To enable NIST compliance, add the line below to security.properties:
• NIST.800-131a=strict
▪ To disable NIST compliance, modify the property below in security.properties:
• NIST.800-131a=off
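A pre-flight check to run before switching to strict mode, added here as an example and not taken from the presentation or from IBM's tooling. It applies the disallowed-algorithm list and the TLS 1.2 rule from the slide to an inventory of certificates and endpoints; the record layout, names and the sample inventory are constructed assumptions.

```python
import re

# Limits and algorithms as listed on the slide for strict NIST 800-131a mode.
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 224}
BANNED = {"SHA1", "MD2", "MD4", "MD5", "RC2", "RC4", "DES"}

INVENTORY = [  # constructed sample records
    {"name": "as2-partner-a", "key_alg": "RSA", "key_bits": 1024,
     "algorithms": ["SHA1withRSA"], "tls": "TLSv1.2"},
    {"name": "sftp-host-key", "key_alg": "EC", "key_bits": 256,
     "algorithms": ["SHA256withECDSA"], "tls": None},
    {"name": "legacy-https", "key_alg": "RSA", "key_bits": 2048,
     "algorithms": ["SHA-256withRSA", "DESede", "RC4"], "tls": "TLSv1.0"},
]

def violations(record):
    """Return the strict-mode violations for one inventory record."""
    found = []
    alg, bits = record["key_alg"].upper(), record["key_bits"]
    floor = MIN_KEY_BITS.get(alg)
    if floor is not None and bits < floor:
        found.append(f"{alg} keySize {bits} < {floor}")
    for name in record.get("algorithms", []):
        # Split names such as SHA1withRSA; tokens must match exactly, so
        # DESede or SHA256 are not mistaken for DES or SHA1.
        for token in re.split(r"(?i)with", name.replace("-", "")):
            if token.upper() in BANNED:
                found.append(f"disallowed {token.upper()} ({name})")
    if record.get("tls") not in (None, "TLSv1.2"):
        found.append(f"{record['tls']} is not TLS 1.2")
    return found

def report(inventory):
    """Map each non-compliant record name to its list of violations."""
    results = {r["name"]: violations(r) for r in inventory}
    return {name: v for name, v in results.items() if v}
```

Partners and adapters that appear in the report are the ones whose certificates or protocol settings need replacing before strict mode is enabled.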
Security Administration / Risk management
▪ Compliance controls
• Determine the roles of the authorized users (Application Administrators, Application users, Mailbox Administrators, SFG admin, SFG Operator etc).
• Determine the access (OS, DB, Application). Periodically review access.
• Determine the managerial role (the person who defines and grants access).
• Revoke access when the user is no longer a valid authorized user.
• Make sure that external media (NAS/SAN) storage is secure.
▪ Patch management
• Apply patches on database, operating system, application to comply with security standards.
• Check IBM security bulletins and release notes periodically. Perform an assessment of security fixes and take action to apply the fixes.
Security Administration / Risk management
▪ Risk management
• Identify potential risks by vulnerability assessment.
• Assessment of risks (prioritize, categorize).
• Mitigation measures.
▪ Change management
• Document patch applications, application upgrades, customer specific ifixes, customization in UI, SFG rebranding etc.
• Document business process modifications, addition/deletion of user accounts, grant/revoke of user roles, service/adapter modifications, custom implementation, TP onboarding, properties modifications etc.
• Document and secure information such as private keys, system passphrase, system account username/password to start Sterling B2B Integrator/Sterling File Gateway.
Security Administration / Risk management
▪ Incident response and recovery
• Regular backup of the application install and database. Store backups on a secured storage server in encrypted format.
• Make use of the IBM Sterling B2B Integrator cluster (multiple nodes).
• Disaster recovery system in place. The system should be refreshed periodically with data. Disaster recovery systems should be maintained by applying patches/upgrades (same as live production systems).
• Real time data replication.
• Application logs, change logs.
▪ Security awareness and training
• Train the team members on how to handle compliance controls, patch management, change management, incident response and recovery.
• Clearly defined goals and outcomes.
Security testing to determine the Security vulnerabilities
▪ Awareness
▪ News, media (Poodle, ransomware etc).
▪ Explicitly researching the National Vulnerability Database.
▪ Test for secure transmission (use of secure protocols).
▪ Check that the Sterling B2B Integrator adapters can be accessed only by valid users/trading partners. Check the firewall settings to make sure only valid external users are allowed access.
▪ Check the security vulnerabilities for the OS and database by searching the vendor's knowledge base or security bulletins, or by checking the National Vulnerability Database.
▪ Check IBM Security bulletins and take action to remediate the security vulnerability (apply fixes/solution, patch, upgrade etc).