IBM Sterling Ideas

Submit new product ideas for IBM Sterling solutions. Before you submit, please review existing ideas; if an idea close to yours already exists, it's better to add comments or vote on the existing idea. We will review your ideas and use them to help prioritize our product development. Best of all, the portal will automatically update you when the status of your idea has been changed.

IBM is transforming its request for enhancement (RFE) process. The purpose of the transformation is to provide a more consistent experience for you to submit requests and to enable IBM product owners to respond to your requests more quickly. For more information click here.

Connect with IBM experts and your peers on the Supply Chain Collaboration Community and the Order Management Interest Group

IBM software needs some form of integrity check / digitally signed agent as proof of authenticity

We have a requirement when obtaining software and need IBM to provide an answer around the following requirement:

We need to be able to test the source and integrity of the software being installed in the HSD environments. In my experience, this is the case for AIX and RHEL. I think RHEL uses gpg signatures, which are checked by the rpm install process (with the appropriate public keys in the local repository).

Could you tell us if Connect:Direct goes through the standard signature verification process?

For the Connect:Direct Secure Plus software, we’ll need to do some extra handling. All software that is used has to be approved by the Corporate Information Security validation process. We have an ingress that loosely is:

• SME for tool and/or agent obtains a digitally-signed agent from vendor
o Digital signature + checksum = Best
o Digital signature only = Nice
o Checksum only = Okay

  • Avatar32.5fb70cce7410889e661286fd7f1897de Guest
  • Jun 20 2018
  • Functionality already exists
How will this idea be used?

To validate authenticity of downloaded software, this is a new requirement for the bank.

What is your industry? Banking
What is the idea priority? High
  • Attach files
  • Admin
    Chris Sanders commented
    13 Sep, 2018 05:29pm

    Robin,


    I believe Download Director provides proxy capabilities.  Hopefully that will allow access through your firewall in your environment.  As for how to use the capabilities, the checksum is pretty easy to verify.  I've included a link to a Developerworks article below that explains how to verify the chucksum that Download Director creates.  Do let me know if you have any other questions.


    https://developer.ibm.com/answers/questions/217369/where-to-get-checksum-value-of-files-downloaded-fr/


    Sincerely,

    Chris Sanders

    Connect:Direct Offering Manager

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    7 Sep, 2018 03:00pm

    Due to security concerns/issues, our firewall blocks downloads via the Download Director, therefore we must use the HTTP option.

    Regardless of the download method, how do these download options provide the info required from our Corporate Info Security team?

    • SME for tool and/or agent obtains a digitally-signed agent from vendor
    o Digital signature + checksum = Best
    o Digital signature only = Nice
    o Checksum only = Okay

    Regards,

    Robin Overby
    IT Solutions Architect, VP - BB&T
    Wilson, NC 27893
    252.246.3378
    ROverby@BBandT.com

  • Admin
    Chris Sanders commented
    7 Sep, 2018 02:47pm

    Thank you for opening this enhancement request with IBM.  I have reviewed the request with my development team and we believe that this capability is provided by the IBM Download Director when can be used to download installers from our Passport Advantage or Fix Central portals.  This should meet your needs, so I will need to reject this enhancement request, but should you run across other suggestions please do let us know.


    Sincerely,

    Chris Sanders

    Connect:Direct Offering Manager