Security management and features in IBM Sterling B2B Integrator and

Sterling File Gateway

Manisha Khond, Software Engineer, IBM Sterling B2B Integrator

Oct 25, 2017 11AM EDT

This session will be recorded and a replay will be available on IBM.COM sites and possibly social media sites such as YouTube. When speaking, do not state any confidential information, your name, company name or any information that you do not want shared publicly in the replay. By speaking during this presentation, you assume liability for your comments.

Agenda

� Overview

� Access controls

• Multifactor Authentication

• Access controls using Roles and Groups

• Single sign on

� Security

• Certificates

• Secure UI (Dashboard, Mailbox Browser Interface, File Gateway, MyFileGateway)

• Document Encryption

• Secure communication/protocols

• Web of Trust

• Signing/Encryption

Agenda

� Security Administration / Risk management

� Compliance with controls

� Patch management

� Change management

� Security impact assessment

� Security awareness and training

� Incident response and recovery.

� Security testing

� Interpreting scanning and testing results

© 2015 IBM3

Overview

�A security vulnerability is a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of the product.

• Compromise data.

• Financial loss.

• Fines.

• Loss of consumer trust.

Remediate security vulnerability

�Secure application, database, network, devices, firewall, servers.

�Secure the stored data and data in transit.

�Secure the communication.

�Secure the login/access to an application.

�Proactively look for security threats.

• Security scan

• Penetration testing

�Disaster planning and recovery.

�Application/Database/Operating System maintenance.

Access Controls: Authentication

� Multifactor Authentication

• Secure UI access with HTTPS: IBM Sterling B2B Integrator Dashboard, Mailbox Browser Interface, Sterling File Gateway, MyFileGateway.

o Dashboard: Access on base port + 1

o MBI, SFG, MyFilegateway – Deploy the war on HTTP Server Adapter that is configured to use SSL.

• Use the certificate from Certificate Authority for securing UI access, rather than using self signed certificate.

� Single Sign ON

� Users

• Internal: Authenticated against IBM Sterling B2B Integrator database.

• External: Authenticated outside of Sterling B2B Integrator e.g. LDAP.

• Use the secure communication between Sterling B2B Integrator and LDAP.

� Password Policy

• Choose Strong password Policy (special chars, password expiry, password length) and assign to every user account.

Access Controls: Authorization

�Assign permissions to the user based on the roles.

�Dashboard Accounts -> Groups has predefined groups.

�Ability to create customized group with proper permissions.

�Users with the same permissions required can be assigned the same group.

�Use the Principal of Least Privilege (assign minimum permissions that are required for the job function) while assigning group to the users.

�Automatic logoff based on inactivity.

Access Controls – Single Sign on (SSO)

�Allows an individual user access to multiple systems, resources and applications by using single set of credentials.

�User is not prompted to sign in multiple times.

�Simplifies Identity management as a central database or directory is used to store user identity information and credentials.

�Once the user is authenticated, system grants the user access to all relevant resources that the user has access to.

� Increased security - Only one set of credentials for the user to remember (less likely to record).

�SBI Supports SSO with Netegrity Siteminder.

Secure UI

� Access dashboard with HTTPS on base port + 1.

https://www-

01preview.ibm.com/support/knowledgecenter/SS3JSW_5.2.0/com.ibm.help.security.doc/SSL_SI

_SwitchHTTPtoHTTPbaseport.html

� Support of accessing Mailbox Browser Interface, Sterling File Gateway and MyFileGateway on the Secure

HTTP Server Adapter.

� Parameters in the application to automatically redirect a user to the HTTPS instance of the web application.

https://www-

01preview.ibm.com/support/knowledgecenter/SS3JSW_5.2.0/com.ibm.help.security.doc/SSL_SI_EnableAutoR

edirectHTTPS.html

Document encryption

� Document encryption is a feature provided with IBM Sterling B2B Integrator that allows

for the configuration of an additional layer of security beyond the traditional file and

database permissions. The feature is to protect the data at rest. Sterling File Gateway

uses the same document encryption feature for protecting data at rest.

� The Document encryption feature is intended to protect data at rest from snooping. The

feature allows you to encrypt the payload data stored in the database and/or the file

system. It is also designed to prevent someone outside the system from viewing the

payload data by directly accessing the database or file system.

� Uses symmetric encryption – the same key is used to both encrypt and decrypt the data.

Document encryption

� Important aspects of document encryption:

• The default configuration is no encryption. If you want to have your documents encrypted, you will need

to turn on this feature.

• You can turn this feature on at any time, but only documents received after encryption is turned on are

encrypted.

• Once you turn on this feature, encryption is for all payloads across the entire system.

• Only the document payload data is encrypted, not the meta data.

• The purpose of turning document encryption is to safeguard the document/payload at rest. If you turn off the document encryption, the document/payload will not be stored in encrypted format and there is a risk of tampering the data at rest.

• If the document encryption certificate is replaced with new certificate, the documents that are encrypted by the old certificate can be retrieved as long as the old document encryption certificate is not deleted.

Document encryptionHow to turn on Document Encryption?

� The system uses a predefined certificate to generate and encrypt the keys that are used to encrypt the documents.

User have a choice to use different certificate to encrypt the document.

� In order to turn on Document encryption, create a document encryption certificate (system certificate) and reference

the certificate in customer_overrides.properties as below:

security.CERT_NAME=docenccert

� The user have a choice to encrypt all the documents or only the document stored in the database or only document

stored on File System. Use the customer_overrides.properties setting depending on your requirements.

security.ENC_DECR_DOCS=ENC_ALL {Encrypt all documents}

security.ENC_DECR_DOCS=ENC_DB {Encrypt the documents stored on the database}

security.ENC_DECR_DOCS=ENC_FS {Encrypt the documents stored on File System}

� Disable the Document encryption is simple with customer_overrides.properties setting:

security.ENC_DECR_DOCS=NONE

Public Key Cryptography / Asymmetric encryption

� Unique Public and Private keys are issued to identities.

� Stored in Digital Certificates.

� Encryption uses the Public key.

� Decryption uses related Private Key.

� Scalable because Public key can be distributed.

� Some assurance of the authenticity of a public key is needed in this scheme to avoid spoofing by adversary

as the receiver. Generally, this type of cryptosystem involves trusted third party which certifies that a

particular public key belongs to a specific person or entity only.

� Encryption algorithm is complex enough to prohibit attacker from unencrypting the data using encryption

public key.

� Though private and public keys are related mathematically, it is not be feasible to calculate the private key

from the public key.

Public Key Cryptography / Asymmetric encryption

Security – Certificates/Ciphers

� Creation of Certificates

• Self signed.

• Certificates from Certificate Authority (CA).

� Importing trading partner’s certificates (CA, Trusted).

� Capture Trading Partner certificate using Certificate Capture Utility (FTPS, HTTPS)

� Use certificates from Certificate Authority, rather than self signed certificates.

� Use 2048-bit Private Keys – The bigger the private key the harder it is to crack.

� Protect Private Keys – Make sure you create your own private keys on a secure and trusted computer. Only

give access to private keys as needed. When an employee with private key access leaves the company,

generate a new private key.

� Choose a Reliable Certification Authority (CA).

� Always use Strong Ciphers. Disable weak ciphers.

Secure Communication/Protocols (SSL/TLS)

Secure communication Support in Adapters/Services

Communication with Email Server B2B Mail Client Adapter, SMTP Send Adapter

Command Line Adapter 2 Command Line Adapter 2

FTP FTP Client Adapter and Services, FTP Server Adapter

HTTP HTTP Client Adapter and Services, HTTP Server Adapter

JMS JMS 1.1 Acquire Connection and Session Service

JMS 1.1 Async Receive Adapter

TCP/IP Socket Socket Client Adapter, Socket Server Adapter, Socket Connect Service

WebSphere MQ WebSphere MQ Suite Async Receiver Adapter

Secure Communication/Protocols (SSL/TLS)

Secure communication Support in Adapters/Services

WebServices SOAP Inbound Service, SOAP Outbound Service, SOAP Inbound Security

Service, SOAP Outbound Security Service.

WebSphere MQ File Transfer

Edition

WebSphere MQ File Transfer Edition Agent Adapter.

Odette FTP Support of SSL in Partner Profile.

File Gateway Custom Protocols

Connect:Direct Connect:Direct Secure+

Other security features.

� MSMQ Adapter, MSMQ Send Service – Message Encryption.

� Perimeter Services.

� Hardware security module.

• Supports devices SafeNet Eracom ProtectServer Orange External, ProtectServer Gold PCI devices.

� Communication with LDAP using SSL/TLS.

� Password encryption.

� Proxy Servers.

� Federal Information Processing Standards (FIPS).

Secure Communication/Protocols (SFTP/SCP over SSH)

� SFTP provides secure File transfer over SSH.

Secure Communication/Protocols (SFTP/SCP over SSH)

�STRONG AUTHENTICATION WITH SSH KEYS

• Public Key authentication

o Uses a cryptographic key pair/SSH keys - public key and private key

o The public key on a server to authorize access and grant anyone who has a copy of

the private key.

• Password authentication

o Authentication with user name and password

Secure Communication/Protocols (SFTP/SCP over SSH)

� STRONG ENCRYPTION AND INTEGRITY PROTECTION

• During the negotiation the client and server agree on the symmetric encryption algorithm

to be used and generate the encryption key that will be used.

• Once a connection has been established between the SSH client and server, the data that

is transmitted is encrypted according to the parameters negotiated in the setup.

� IBM Sterling B2B integrator/Sterling file Gateway

• SFTP Client Adapter and Services.

• SFTP Server Adapter.

• Partner creation.

Digital Signature

�Provides

•Proof of origin.

•Non-repudiation - ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document.

•Message integrity.

�Created by

•Processing a plaintext message through a hashing algorithm resulting in unique hash value (message digest).

•Hash value is encrypted using private key which is accessible to the owner only.

�Get verified using related public key.

Digital Signature support

� XML Digital Signature service

� ebXML XML Digital Signature Service

� ebXML Validation Service

� Cryptographic Message Service

� AS2

� Web Services

� Electronic Banking Internet Communication Standard (EBICS)

� B2B Mail Client Adapter (SMIME)

� SMTP Send Adapter (SMIME)

� SOA Inbound Security Service, SOA Outbound Security Service, SOAP Inbound Service, SOAP Outbound Service

Web of Trust (PGP)

� Peer validation

• Does not use Certificate Authorities (CA)

• Decentralized model

• Every entity is similar to PKI CA

� Alternative to PKI, a centralized model

• Indirect validation of entity public keys. If first entity trust public key of second entity and the second entity trust public key of third, then the first entity trust public key of third.

� PGP

• Uses Web of Trust.

• Widely used Public Key Cryptography for Signing, Encryption/Decryption.

Web of Trust (PGP)

� How does the PGP work?

• PGP creates one time session key.

• Session key encrypts plaintext resulting in ciphertext.

• Session key is encrypted with the recipient public key.

• The ciphertext and encrypted session key are sent to the recipient.

• The recipient uses their private key for decryption to reveal the session key.

• The revealed session key is used to decrypt the ciphertext back into plaintext.

• Public keys need to be trusted between different parties.

� Adapters/Services: PGP Package Service, PGP Unpackage Service.

� PGP Support in Sterling File Gateway.

National Institute of Standards and Technology (NIST) security compliance (5.2.4.2 or higher)� NIST security standards, see http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

� Strict NIST 800-131a compliance.

� Algorithms and key strengths that are not allowed for strict NIST 800-131a compliance include:

RSA keySize < 2048

DSA keySize < 2048

EC keySize < 224

SHA1

MD2, MD4, MD5

RC2, RC4

DES

� In strict NIST 800-131a compliance mode, only TLS 1.2 can be used.

NIST Security Compliance Support

�EBXML, SFTP, FTP, MSMQ, AS2, OSCP, EBICS Client, EBICS Server, Connect:Direct, PGP, MQFTE, SFG, Rosettanet, CLA2, OFTP, JMS, WebSphere MQ Adapters/Services.

�Enable NIST compliance, add below line in security.properties

• NIST.800-131a=strict

� To disable NIST compliance, modify the below property in security.properties.

• NIST.800-131a=off

Security Administration / Risk management

� Compliance controls

• Determine the roles to the authorized users (Application Administrators, Application users, Mailbox Administrators, SFG admin, SFG Operator etc).

• Determine the access (OS, DB, Application). Periodically review access.

• Determine managerial role (the a person who defines and grants an access).

• Revoke access when the user is not a valid authorized user anymore.

• Make sure that external media (NAS/SAN) storage is secure.

� Patch management

• Apply patches on database, operating system, application to comply with security standards.

• Check out IBM security bulletins and release notes periodically. Perform assessment on security fixes and take action to apply the fixes.

Security Administration / Risk management

� Risk management

• Identify potential risks by vulnerability assessment.

• Assessment of risks (prioritize, categorize).

• Mitigation measures.

� Change management

• Document patch applications, application upgrades, customer specific ifixes, customization in UI, SFG rebranding etc.

• Document business process modifications, Addition/Deletion of user accounts, Grant/Revoke of user roles, Service/Adapter modifications, Custom implementation, TP onboarding, Properties modifications etc.

• Document and secure information such as Private Keys, System Passphrase, system account username/password to start Sterling B2B Integrator/Sterling File Gateway.

Security Administration / Risk management

� Incident response and recovery

• Regular back up of application install, database. Store back up on secured storage server in encrypted

format.

• Make use of the IBM Sterling B2B Integrator cluster (multiple nodes).

• Disaster recovery system in place. The system should be refreshed periodically with data. Disaster

recovery systems should be maintained by applying patches/upgrade (same as live production

systems).

• Real time data replication.

• Application logs, change logs.

� Security awareness and training

• Train the ream members on how to handle compliance controls, patch management, change

management, incident response and recovery.

• Clearly defined goals and outcomes.

Security testing to determine the Security vulnerabilities

� Awareness

� News, Media (Poodle, Ransomware etc).

� Explicitly researching National Vulnerability Database.

https://nvd.nist.gov/vuln/search.

� Penetration Testing.

� Security scan (HP WebInspect, Netsparker, BurpSuite etc).

� Vulnerabilities due to other product dependencies (OpenSSL, ActiveMQ, Struts etc).

Security testing: Penetration testing� Manually explore the application.

� Use the testing tools such as Fiddler, Burp Suite, WGET, Postman to examine the

request and responses to identify security vulnerabilities.

� Review webpage comments and metadata for information leakage.

� Check out HTTP headers, Cookies, HTML source code, Specific files and folders, File

extensions, Error Message.

� Check out web application fingerprinting to know the version and type of a running web

server to determine known vulnerabilities and the appropriate exploits to use during

testing.

� Test how session management is handled (session token, cookies, session termination

after timeout, session termination upon logoff, CSRF, clickjacking).

Security testing: Penetration testing

� Identify technologies used.

� Test the authentication and authorization by logging in with different user accounts with different roles.

� Identify third party libraries used within an application.

� Check for Cryptography (data encryption, ciphers, certificate length, certificate issuer).

� Test for secure transmission (Use of secure protocols).

� Check out that the Sterling B2B Integrator adapters can be accessed by valid users/trading partner. Check out firewall setting to make sure only valid external users are allowed access.

� Check out the security vulnerabilities for OS, Database by searching vendors knowledge base or security bulletin or checking National Vulnerability Database.

� Check out IBM Security bulletins and take action to remediate the security vulnerability (apply fixes/solution, patch, upgrade etc).

Security testing: Running Security scan Security vulnerability report

Analysis Security vulnerability report

Security vulnerability report

Analysis of Security vulnerability report

Analysis of Security vulnerability report

Determining severity of the issue based on CVSS score

https://nvd.nist.gov/vuln-metrics/cvss

• Vulnerabilities are labeled "Low" severity if they have a CVSS base score

of 0.0-3.9.

• Vulnerabilities will be labeled "Medium" severity if they have a base CVSS

score of 4.0-6.9.

• Vulnerabilities will be labeled "High" severity if they have a CVSS base

score of 7.0-8.9.

• Vulnerabilities will be labeled "Critical" severity if they have a CVSS base

score of 9.0-10.0.

Summary

�Discussed the topics per agenda.

Additional References

� Sign up to receive weekly technical My Notifications emails

http://www.ibm.com/software/support/einfo.html

� developerWorks Forums, Communities and Technical Topics

http://www.ibm.com/developerworks/

� Quick Reference Guide for Using Service Request Tool

http://www.ibm.com/support/docview.wss?uid=swg21207945

� IBM Support Assistant

http://www.ibm.com/software/support/isa/

� Access product show-me demos and tutorials by visiting IBM Education Assistant

http://www.ibm.com/software/info/education/assistant

� IBM Client Success Portal

https://support.ibmcloud.com/Support/5377/5383/en-US/Account/Login?ReturnUrl=https%3A%2F%2Fsupport.ibmcloud.com%2FSupport%2F5377%2F5383%2Fen-US%2FPortal%2FIndex

� IBM Support

https://www.ibm.com/support/home/

Questions & Answers

This Support Technical Exchange session will be recorded and a replay will be available on IBM.COM sites and possibly social media sites such as YouTube. When speaking, do not state any confidential information, your name, company name or any information you do not want shared publicly in

the replay. By speaking in during this presentation, you assume liability for your comments.

THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION

CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON IBM’S CURRENT PLANS AND STRATEGY, WHICH ARE

SUBJECT TO CHANGE BY IBM WITHOUT NOTICE. IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING

OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION,

NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO NOR SHALL HAVE THE EFFECT OF CREATING ANY

WARRANTIES OR REPRESENTATIONS FROM IBM (OR ITS SUPPLIERS OR LICENSORS), OR ALTERING THE TERMS

AND CONDITIONS OF ANY AGREEMENT OR LICENSE GOVERNING THE USE OF IBM PRODUCT OR SOFTWARE.

Copyright and Trademark Information

IBM, The IBM Logo and IBM.COM are trademarks of International Business Machines Corp., registered in many jurisdictions

worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks

and others are available on the web under “Copyright and Trademark Information” located at

www.ibm.com/legal/copytrade.shtml.43