Technical Blog Post
How secure is MxLoader?
Some customers are a little worried about the security of this tool, so I need to clarify how MxLoader works and how to ensure data in Maximo is protected from unauthorized access.
In simple terms, MxLoader uses Microsoft VBA code to exchange data with the Maximo Integration Framework Object Structure service.
Without going into much detail, the Object Structure service allows access to Maximo data in a synchronous way through HTTP by simply defining Object Structures. This means that MxLoader inherits the authentication and authorization of the Maximo OS HTTP service.
Unfortunately, the HTTP servlet is not secured by default. This means that anyone can connect to the OS service and exchange data without authenticating, circumventing any control. This has been changed in the Maximo 126.96.36.199 fixpack as part of a security bulletin.
However, this may not be enough, since the Object Structure service checks authorization only if the Authorized Application is set on the corresponding Object Structure in Maximo. So the last step for a safe configuration of Maximo is to set the Authorized Application on each Object Structure that is used by MxLoader or by any external application using the HTTP OS service.
Here is an example for the MXASSET object structure.
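To check every Object Structure that external tools use, not just MXASSET, the audit below reports which ones have no Authorized Application. It is an added example, not part of the original post or of MxLoader. It assumes Maximo keeps object structures in the MAXINTOBJECT table with the Authorized Application in the AUTHAPP column (verify against your schema), and it runs against constructed sample rows in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample rows (object structure, authorized application).
# Assumption: these mirror MAXINTOBJECT.INTOBJECTNAME and MAXINTOBJECT.AUTHAPP.
SAMPLE_ROWS = [("MXASSET", "ASSET"), ("MXWO", None), ("MXPO", "  ")]


def build_sample_db():
    """Create an in-memory stand-in for the Maximo table, for offline runs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE maxintobject (intobjectname TEXT PRIMARY KEY, authapp TEXT)"
    )
    conn.executemany("INSERT INTO maxintobject VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def audit_authorized_app(conn, names):
    """Return {object structure: finding} for the structures external tools use."""
    if not names:
        return {}
    marks = ",".join("?" * len(names))
    rows = dict(conn.execute(
        "SELECT intobjectname, authapp FROM maxintobject "
        f"WHERE intobjectname IN ({marks})",
        list(names),
    ))
    findings = {}
    for name in names:
        if name not in rows:
            findings[name] = "not found"
        elif not (rows[name] or "").strip():
            # NULL or blank AUTHAPP: the service performs no authorization check.
            findings[name] = "no Authorized Application"
        else:
            findings[name] = "ok (" + rows[name] + ")"
    return findings


if __name__ == "__main__":
    # Hypothetical list of object structures used by MxLoader or other clients.
    in_use = ["MXASSET", "MXWO", "MXPO", "MXITEM"]
    for name, finding in audit_authorized_app(build_sample_db(), in_use).items():
        print(f"{name}: {finding}")
```

Against a real Maximo database, only the SELECT statement is needed, run with read-only credentials.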
Finally, a small peek: development is working on some improvements to Object Structure authorization. Stay tuned!
For more information, refer to the following articles and documentation:
- Configuring Integration Security when using Maximo Authentication
- Enable MIF Authentication using native security
- Integration security