IBM Sterling Ideas

formerly Watson Supply Chain

Submit new product ideas for IBM Sterling solutions. Before you submit, please review existing ideas; if an idea close to yours already exists, it's better to add comments or vote on the existing idea. We will review your ideas and use them to help prioritize our product development. Best of all, the portal will automatically update you when the status of your idea has been changed. Order Management, Store Engagement, Watson Order Optimizer, Inventory Visibility, CPQ and Call Center are now part of Watson Supply Chain

Connect with IBM experts and your peers on the Supply Chain Collaboration Community and the Order Management Interest Group

Enable myFileGateway multi-factor authentication. Different fields be added for token and password

Enable different fields to be added in the Login's Page for myFilegateway.

Ex:

Username:

Password:

Token:

 

We need to receive an extra field during login authentication on myFileGateway, as a random Token for example.

 Using pre-login Exit, User and Pasword are validated against B2Bi core product users. And token (extra field) validated using as user custom code.

 

Sugestion: 

If in IUserLoginUserExit_preAuthenticate class, we could pass a "clean" password to B2B (outargs), so the core product could authenticate using the password in outargs, instead of what user has typed.

  • Avatar32.5fb70cce7410889e661286fd7f1897de Guest
  • Jul 22 2019
  • Under Consideration
IBM File Gateway / Security
How will this idea be used?

When an user access myFileGateway web interface, he will input credencials as below.
 
User ID: client username
Password: password local in user tables + token 6 digits
 

The Sign In button is already calling a plug-in (external code), that is receiving this credentials.
It splits the password, validates the token successfully. This is working fine.
The problem is when this code is trying to validate the password on B2B.
 
SI stores a base64 encoded SHA1 hash of the password into database instead of raw password to protect credentials. Before hashing a password a string of random characters is appended to it (a different random string is used for every password) and the password hashed. 
It is stored on YFS_USER table.
 
First, they tried to follow this method and compare the password returned from YFS_USER table. But is not possible because we cant recover the random string that was appended (and for me, doen't make sense try to do this, since the system can not allow this kind of vulnerability, which would basically open the security mode of the application)
 
So, the second plan, is verify if there is any method or class , which we could pass the credentials, and B2B returns true of false, or validates those credentials.

 

The perfect solution would be an extra field so we can enable a multi-factor authentication. This extra field could be validate thought pre authentication user exit.

Token.pptx
×

Attachments Open full size

What is your industry? Banking
What is the idea priority? Urgent
DeveloperWorks ID
RTC ID
Link to original RFE
  • Attach files

Related ideas

NOTICE TO EU RESIDENTS: per EU Data Protection Policy, if you wish to remove your personal information from the IBM ideas portal, please log into the ideas portal using your previously registered information then change your email to "anonymous@euprivacy.out" and first name to "anonymous" and last name to "anonymous". This will ensure that IBM will not send any emails to you about your idea submissions.