IBM Support

IT09929: SECURITY TOKEN PASSWORD STORED IN CLEAR TEXT IN DATABASE

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

Direct link to fix

5.2.6.0

 

APAR status

  • Closed as program error.

Error description

  • Environment Info
IBM Sterling B2B Integrator 5.2.5
Microsoft SQL Server 2008 10.00.1600
Linux 3.0.101-0.46-default

Problem Statement
Security Token password stored in clear text in database.

According to the documentation:
http://www-01.ibm.com/support/knowledgecenter/SS3JSW_5.2.0/com.i
bm.help.web_services.doc/SI_Create_Username_ScrtyTkn.html
when you set a security token to digest, the password is hashed
for storage and for sending.

However, it looks like the password is stored in plain text in
the database regardless of the setting. To test, create two
security tokens, one with digest and one without. Then do a
select on SECURITY_TOKEN_PAR.  You will see both passwords in
plain text.  One is marked as digest, the other not.

Simulation Steps
1) Go to Deployment > Web Services > Security Tokens.
2) Create 2 security tokens.  On the Create UserName Token
screen select Use Digest for one and don't select it for the
other.
3) Run the query:  SELECT * FROM SECURITY_TOKEN_PAR
4) Observe that the password for each of the tokens is stored
in clear text.


TOKEN_NAME     TOKEN_VERSION     NAME     VALUE
   JPMTEST1    1    DIGEST    false
   JPMTEST1    1    PASSWORD    123456789
   JPMTEST1    1    USERNAME    foo
   JPMTEST2    1    DIGEST    true
   JPMTEST2    1    PASSWORD    123456789
   JPMTEST2    1    USERNAME    foo2

Local fix

  • STRRTC - 462514
PC / PC
Circumvention: None

Problem summary

  • Users Affected:
Web Services users

Problem Description:
Web Services Security Token passwords are getting stored in
clear text in the database.


Platforms Affected:
All

Problem conclusion

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT09929
    • 

  • Reported component name
    STR B2B INTEGRA
    • 

  • Reported component ID
    5725D0600
    • 

  • Reported release
    525
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2015-07-08
    • 

  • Closed date
    2015-10-28
    • 

  • Last modified date
    2016-01-04
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    STR B2B INTEGRA
    • 

  • Fixed component ID
    5725D0600
    • 



Applicable component levels


    

  • R526  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.2.5","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            04 January 2016
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback