The new HSM connectivity process within Sterling Integrator v5.2.6 leaves the HSM partition password stored in clear text.
RBS Security rules require the following
1) The partition password must be input in two parts (the password is only released to two separate people, both of whom have signed declarations that they will not disclose their part to the other bearer)
2) The input of the password must be obscured. No part of the password can be viewed during the input process
3) The password must be encrypted at rest. Currently this is in clear text within the new hsm.properties file.
I have been advised to raise this PMR by our IBM consultants (Keith Marsh and Lee Wilson. I will additionally be raising an RfE stating the same requirements.
This requirement is urgent (which is why I have given it severity 2), as our existing Luna4 HSMs are beyond end of life, and the upgrade programme we are currently running (moving from ISBI v5.2.1 to ISBI v18.104.22.168) needs to complete this quarter in order to allow the bank to comply with the SWIFTNet 7.2 programme for FileAct before the November end date
How will this idea be used?
Protection of the HSM Partition password, ensuring security of certificates stored on the HSM partition
|What is your industry?||Banking|
|What is the idea priority?||Urgent|
|Link to original RFE|