IT09929: SECURITY TOKEN PASSWORD STORED IN CLEAR TEXT IN DATABASE

APAR status

  • Closed as program error.

Error description

  • Environment Info
    IBM Sterling B2B Integrator 5.2.5
    Microsoft SQL Server 2008 10.00.1600
    Linux 3.0.101-0.46-default
    
    Problem Statement
    Security Token password stored in clear text in database.
    
    According to the documentation:
    http://www-01.ibm.com/support/knowledgecenter/SS3JSW_5.2.0/com.ibm.help.web_services.doc/SI_Create_Username_ScrtyTkn.html
    when you set a security token to digest, the password is hashed
    for storage and for sending.
    
    However, it looks like the password is stored in plain text in
    the database regardless of the setting. To test, create two
    security tokens, one with digest and one without. Then do a
    select on SECURITY_TOKEN_PAR.  You will see both passwords in
    plain text.  One is marked as digest, the other not.
    
    Simulation Steps
    1) Go to Deployment > Web Services > Security Tokens.
    2) Create 2 security tokens.  On the Create UserName Token
    screen select Use Digest for one and don't select it for the
    other.
    3) Run the query:  SELECT * FROM SECURITY_TOKEN_PAR
    4) Observe that the password for each of the tokens is stored
    in clear text.
    
    
    TOKEN_NAME    TOKEN_VERSION    NAME        VALUE
    JPMTEST1      1                DIGEST      false
    JPMTEST1      1                PASSWORD    123456789
    JPMTEST1      1                USERNAME    foo
    JPMTEST2      1                DIGEST      true
    JPMTEST2      1                PASSWORD    123456789
    JPMTEST2      1                USERNAME    foo2
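
The check in the simulation steps, written as a repeatable test (an added example, not IBM's code): it pivots the SECURITY_TOKEN_PAR name/value rows into one row per token and flags any token whose stored PASSWORD equals the password typed on the Create UserName Token screen. The in-memory SQLite table stands in for the SQL Server database, its rows are constructed from the query output above, and the function and parameter names are hypothetical.

```python
import sqlite3

# Constructed sample: the six rows from the APAR's query output, loaded
# into an in-memory SQLite table that stands in for the product database.
ROWS = [
    ("JPMTEST1", 1, "DIGEST", "false"),
    ("JPMTEST1", 1, "PASSWORD", "123456789"),
    ("JPMTEST1", 1, "USERNAME", "foo"),
    ("JPMTEST2", 1, "DIGEST", "true"),
    ("JPMTEST2", 1, "PASSWORD", "123456789"),
    ("JPMTEST2", 1, "USERNAME", "foo2"),
]

# One row per token. Only GROUP BY and CASE are used, so the same
# statement is also valid T-SQL.
PIVOT_SQL = """
SELECT TOKEN_NAME, TOKEN_VERSION,
       MAX(CASE WHEN NAME = 'DIGEST'   THEN VALUE END) AS digest,
       MAX(CASE WHEN NAME = 'PASSWORD' THEN VALUE END) AS stored_password
FROM SECURITY_TOKEN_PAR
GROUP BY TOKEN_NAME, TOKEN_VERSION
ORDER BY TOKEN_NAME, TOKEN_VERSION
"""

def load_sample(rows=ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SECURITY_TOKEN_PAR "
                 "(TOKEN_NAME TEXT, TOKEN_VERSION INTEGER, NAME TEXT, VALUE TEXT)")
    conn.executemany("INSERT INTO SECURITY_TOKEN_PAR VALUES (?, ?, ?, ?)", rows)
    return conn

def find_cleartext(conn, typed_passwords):
    """typed_passwords maps token name -> password entered in the UI.
    Returns (token, version, digest_enabled) for each verbatim match."""
    hits = []
    for name, version, digest, stored in conn.execute(PIVOT_SQL):
        if stored is not None and stored == typed_passwords.get(name):
            hits.append((name, version, (digest or "").lower() == "true"))
    return hits

if __name__ == "__main__":
    typed = {"JPMTEST1": "123456789", "JPMTEST2": "123456789"}
    for name, version, digest_on in find_cleartext(load_sample(), typed):
        print(f"{name} v{version}: password stored verbatim (Use Digest={digest_on})")
```

An empty result after re-creating the test tokens on a fixed level means neither password is stored verbatim.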
    

Local fix

  • STRRTC - 462514
    PC / PC
    Circumvention: None
    

Problem summary

  • Users Affected:
    Web Services users
    
    Problem Description:
    Web Services Security Token passwords are getting stored in
    clear text in the database.
    
    
    Platforms Affected:
    All
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IT09929

  • Reported component name

    STR B2B INTEGRA

  • Reported component ID

    5725D0600

  • Reported release

    525

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-07-08

  • Closed date

    2015-10-28

  • Last modified date

    2016-01-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR B2B INTEGRA

  • Fixed component ID

    5725D0600

Applicable component levels

  • R526 PSY   UP



Document information

More support for: Sterling B2B Integrator

Software version: 5.2.5

Reference #: IT09929

Modified date: 2016-01-04