IBM Sterling Ideas

formerly Watson Supply Chain

Submit new product ideas for IBM Sterling solutions. Before you submit, please review existing ideas; if an idea close to yours already exists, it's better to add comments or vote on the existing idea. We will review your ideas and use them to help prioritize our product development. Best of all, the portal will automatically update you when the status of your idea has been changed. Order Management, Store Engagement, Watson Order Optimizer, Inventory Visibility, CPQ and Call Center are now part of Watson Supply Chain

Connect with IBM experts and your peers on the Supply Chain Collaboration Community and the Order Management Interest Group

IBM software needs some form of integrity check / digitally signed agent as proof of authenticity

We have a requirement when obtaining software and need IBM to provide an answer around the following requirement:

We need to be able to test the source and integrity of the software being installed in the HSD environments. In my experience, this is the case for AIX and RHEL. I think RHEL uses gpg signatures, which are checked by the rpm install process (with the appropriate public keys in the local repository).

Could you tell us if Connect:Direct goes through the standard signature verification process?

For the Connect:Direct Secure Plus software, we’ll need to do some extra handling. All software that is used has to be approved by the Corporate Information Security validation process. We have an ingress that loosely is:

• SME for tool and/or agent obtains a digitally-signed agent from vendor
o Digital signature + checksum = Best
o Digital signature only = Nice
o Checksum only = Okay

  • Avatar32.5fb70cce7410889e661286fd7f1897de Guest
  • Jun 20 2018
  • Already exists
How will this idea be used?

To validate authenticity of downloaded software, this is a new requirement for the bank.

What is your industry? Banking
What is the idea priority? High
DeveloperWorks ID
RTC ID
Link to original RFE
  • Attach files
  • Admin
    Chris Sanders commented
    September 07, 2018 14:47

    Thank you for opening this enhancement request with IBM.  I have reviewed the request with my development team and we believe that this capability is provided by the IBM Download Director when can be used to download installers from our Passport Advantage or Fix Central portals.  This should meet your needs, so I will need to reject this enhancement request, but should you run across other suggestions please do let us know.


    Sincerely,

    Chris Sanders

    Connect:Direct Offering Manager

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    September 07, 2018 15:00

    Due to security concerns/issues, our firewall blocks downloads via the Download Director, therefore we must use the HTTP option.

    Regardless of the download method, how do these download options provide the info required from our Corporate Info Security team?

    • SME for tool and/or agent obtains a digitally-signed agent from vendor
    o Digital signature + checksum = Best
    o Digital signature only = Nice
    o Checksum only = Okay

    Regards,

    Robin Overby
    IT Solutions Architect, VP - BB&T
    Wilson, NC 27893
    252.246.3378
    ROverby@BBandT.com

  • Admin
    Chris Sanders commented
    September 13, 2018 17:29

    Robin,


    I believe Download Director provides proxy capabilities.  Hopefully that will allow access through your firewall in your environment.  As for how to use the capabilities, the checksum is pretty easy to verify.  I've included a link to a Developerworks article below that explains how to verify the chucksum that Download Director creates.  Do let me know if you have any other questions.


    https://developer.ibm.com/answers/questions/217369/where-to-get-checksum-value-of-files-downloaded-fr/


    Sincerely,

    Chris Sanders

    Connect:Direct Offering Manager