IBM Sterling Ideas

formerly Watson Supply Chain


Encryption of symmetric key pairs used in document encryption should occur on an HSM, not within B2Bi

Description

Document encryption is a primary function within B2B Integrator to ensure files are encrypted while at rest. Whether these files pass through routes, are created as a result of JDBC lookups, arrive from other servers via a protocol, or are transformed in some way (ASCII-to-EBCDIC, UNIX-to-DOS, truncation of records, padding of records, PGP/GPG encryption/decryption, zip/unzip), in order to keep their content secure they must be encrypted on disk (or in a database).

B2Bi can be configured to encrypt files on disk or in its database. The primary (asymmetric) key certificate, which participates indirectly in the encryption and decryption of files, can be stored either on an HSM (Hardware Security Module), with cross-reference information about its location held in B2Bi's database, or in its entirety in B2Bi's database.

The asymmetric key is used to protect/generate a pair of symmetric keys, which are the ones that actually carry out encryption and decryption of files on disk. Upon the first receipt of a request to encrypt a file, if the asymmetric key is stored on an HSM, it is requested from the HSM and stored in B2Bi's JVM cache for future use, to enable decryption of the symmetric key when needed and encryption/decryption of subsequent keys. All this encryption/decryption of symmetric keys occurs within B2Bi using the asymmetric key, now resident in B2Bi's JVM cache.

The customer (and others) mandate for security reasons that encryption and decryption of the symmetric keys occur in the HSM; this way the asymmetric key never 'leaves' the HSM or remains resident anywhere other than the HSM (in this case, B2Bi's JVM cache).

  • Guest
  • Jan 29 2018
  • Needs review
How will this idea be used?

A file arrives in B2Bi or is created by B2Bi (JDBC lookup), or a file is transformed (so a new file exists). B2Bi is mandated to encrypt files at rest. The asymmetric keypair is stored on an HSM.

A requirements document will be provided once available from the customer.

What is your industry? Financial Markets
What is the idea priority? High
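The two designs the idea contrasts, as an added example that is not part of the original post or of B2Bi: a per-file data-encryption key (DEK) is wrapped under an RSA key with RSA-OAEP, and the unwrap is routed through Go's `crypto.Decrypter` interface. A bare `*rsa.PrivateKey` passed through that interface is the pattern the idea objects to (private key material fetched into application memory and cached, the equivalent of the JVM cache); `hsmKeyHandle` is a hypothetical stand-in for a non-extractable PKCS#11 key object, where the caller gets `Decrypt` and `Public` and nothing ever returns the private key. The handle here still holds the key in-process because the example must run offline; in a real deployment a PKCS#11 binding would supply the `crypto.Decrypter` and the RSA operation would execute inside the HSM. The sample payload is constructed. Go is used rather than Java because it is one of the languages that can be run here; in the JVM the same role is played by a key object obtained from a PKCS#11 provider keystore.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
	"log"
)

// EncryptedDocument is the at-rest form of one file: AES-256-GCM ciphertext plus the
// DEK wrapped with RSA-OAEP(SHA-256) under the document-encryption public key.
type EncryptedDocument struct {
	WrappedDEK []byte
	Nonce      []byte
	Ciphertext []byte
}

// sealDocument needs only the public key, so encrypting a file never involves the HSM.
func sealDocument(pub *rsa.PublicKey, plaintext []byte) (*EncryptedDocument, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedDocument{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// openDocument depends only on crypto.Decrypter. The RSA private-key operation runs
// wherever the implementation lives (this process for *rsa.PrivateKey, the HSM for a
// PKCS#11-backed implementation); only the 32-byte DEK comes back to the application.
func openDocument(unwrapper crypto.Decrypter, doc *EncryptedDocument) ([]byte, error) {
	dek, err := unwrapper.Decrypt(rand.Reader, doc.WrappedDEK, &rsa.OAEPOptions{Hash: crypto.SHA256})
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, doc.Nonce, doc.Ciphertext, nil)
}

// hsmKeyHandle is a hypothetical stand-in for a non-extractable HSM key object. The
// private key is unexported and no method returns it; in a real HSM it would never be
// in application memory at all.
type hsmKeyHandle struct {
	priv *rsa.PrivateKey
	ops  int // each unwrap is one HSM operation, i.e. one entry in the HSM audit log
}

func (h *hsmKeyHandle) Public() crypto.PublicKey { return &h.priv.PublicKey }

func (h *hsmKeyHandle) Decrypt(rnd io.Reader, msg []byte, opts crypto.DecrypterOpts) ([]byte, error) {
	h.ops++
	return h.priv.Decrypt(rnd, msg, opts)
}

// keyMaterialInProcess reports whether the unwrapper hands the application the RSA
// private key itself, which is the situation the idea describes for B2Bi's JVM cache.
func keyMaterialInProcess(d crypto.Decrypter) bool {
	_, ok := d.(*rsa.PrivateKey)
	return ok
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	doc, err := sealDocument(&priv.PublicKey, []byte("constructed sample EDI payload"))
	if err != nil {
		log.Fatal(err)
	}
	// Current pattern: private key resident in application memory.
	pt, err := openDocument(priv, doc)
	fmt.Printf("software unwrap: %q err=%v keyInProcess=%v\n", pt, err, keyMaterialInProcess(priv))
	// Requested pattern: unwrap through a handle; the private key stays in the HSM.
	h := &hsmKeyHandle{priv: priv}
	pt, err = openDocument(h, doc)
	fmt.Printf("handle unwrap: %q err=%v keyInProcess=%v hsmOps=%d\n", pt, err, keyMaterialInProcess(h), h.ops)
}
```

The design point is that `openDocument` is written against the interface, not against `*rsa.PrivateKey`: once that is true, moving the unwrap into the HSM is a matter of which `crypto.Decrypter` is injected, and the `ops` counter shows that every symmetric-key unwrap becomes an attributable HSM operation rather than a silent in-memory computation.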