Status Delivered
Workspace DataPower Gateway
Created by Guest
Created on Mar 14, 2019

DataPower IDG7.6.0.12 to Stop Logging Sensitive Information

Issue reported by Cyber team:
----------------------------------
AppSec have discovered that the Mobile DataPower IDG box (IDG.7.6.0.12) is logging the Bearer (Session) Tokens, which are accessible to support engineers.

Please ensure that no sensitive information like bearer/access tokens, biometric access tokens, passwords, cryptographic keys or PCI Card information is logged by DataPower.

There is a Cyber monitoring use case that requires tracking if bearer tokens are being used by multiple devices, and they need the real access token to be replaced with a hashed version of it.

Please let us know how to mask the sensitive information of the bearer token. It would be great if this is sorted out as early as possible.

Example logs:
----------------
Access token is visible in logs. I'm not able to attach log file due to space constraint.

AAILTW9iaWxlX3VzZXJYt6AudkzTQ_gtp1fJhwRg8nLwYHeAivTH1k0QJ8Kg9DLPorf1tvydCdvcclaOoZm9cVNJG4_aRlz2KPgXOTit

20190314T155326Z [0x80e0083d][mpgw][debug] mpgw(Mobile_MPG): tid(10103152)[request][172.22.32.5]: Transaction processing started: [eb806e585c8a78f6009a2970].
20190314T155326Z [0x80e0084a][mpgw][debug] mpgw(Mobile_MPG): tid(10103152)[request][172.22.32.5]: Transaction information: [eb806e585c8a78f6009a2970], [0], [], [], [], [https://172.22.39.13:8135/mobile/account/summary].
20190314T155326Z [0x80e0068c][memory-report][debug] mpgw(Mobile_MPG): tid(10103152)[172.22.32.5]: Request Started: memory used 241624
20190314T155326Z [0x80c0004e][multistep][debug] mpgw(Mobile_MPG): tid(10103152)[request][172.22.32.5]: Stylesheet URL to compile is 'store:///dp/aaapolicy.xsl'
20190314T155326Z [0x80a002aa][xslt][debug] xmlmgr(Mobile_MPG_XML_Manager): tid(10103152)[172.22.32.5]: xslt Compilation Request: Checking cache for URL 'store:///dp/aaapolicy.xsl'.
20190314T155326Z [0x80a002ac][xslt][debug] xmlmgr(Mobile_MPG_XML_Manager): tid(10103152)[172.22.32.5]: xslt Compilation Request: Found in cache store:///dp/aaapolicy.xsl.
20190314T155326Z [0x83800024][aaa][debug] mpgw(Mobile_MPG): tid(10103152)[request][172.22.32.5]: Extracting identity using "oauth"
20190314T155326Z [0x84e0004b][oauth][info] mpgw(Mobile_MPG): tid(10103152)[request][172.22.32.5]: [Mobile_user] Verifying access_token AAILTW9iaWxlX3VzZXJYt6AudkzTQ_gtp1fJhwRg8nLwYHeAivTH1k0QJ8Kg9DLPorf1tvydCdvcclaOoZm9cVNJG4_aRlz2KPgXOTit
20190314T155326Z [0x84e00041][oauth][info] mpgw(Mobile_MPG): tid(10103152)[request][172.22.32.5]: *[Mobile_user] access_token 'AAILTW9iaWxlX3VzZXJYt6AudkzTQ_gtp1fJhwRg8nLwYHeAivTH1k0QJ8Kg9DLPorf1tvydCdvcclaOoZm9cVNJG4_aRlz2KPgXOTit' is verified for 00000066784 with requested scope /**

Thank You!
Bhuvana
+44 7469466597

Idea priority High
RFE ID 130967
RFE Product IBM DataPower Gateways
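
One way to meet both requirements in the post above outside the gateway, as an added example (not code from the original post and not IBM DataPower's own fix): a log post-processing step that replaces each logged access token with a keyed hash, so the raw token never reaches support engineers while reuse of one token from several clients stays visible. It assumes the log layout quoted in the post and uses the client address as a stand-in for "device"; the key, the sample lines and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample in the layout of the oauth log lines quoted in the post.
# Tokens and addresses are made up (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
20190314T155326Z [0x83800024][aaa][debug] mpgw(Mobile_MPG): tid(1)[request][192.0.2.5]: Extracting identity using "oauth"
20190314T155326Z [0x84e0004b][oauth][info] mpgw(Mobile_MPG): tid(1)[request][192.0.2.5]: [Mobile_user] Verifying access_token CONSTRUCTED_tokenA-123_abc
20190314T155326Z [0x84e00041][oauth][info] mpgw(Mobile_MPG): tid(1)[request][192.0.2.5]: *[Mobile_user] access_token 'CONSTRUCTED_tokenA-123_abc' is verified for 00000000001 with requested scope /**
20190314T155401Z [0x84e0004b][oauth][info] mpgw(Mobile_MPG): tid(2)[request][192.0.2.77]: [Mobile_user] Verifying access_token CONSTRUCTED_tokenA-123_abc
20190314T155402Z [0x84e0004b][oauth][info] mpgw(Mobile_MPG): tid(3)[request][192.0.2.5]: [Mobile_user] Verifying access_token CONSTRUCTED_tokenB-456_def
"""

KEY = b"constructed-demo-key"  # assumption: in practice loaded from a secret store

# "access_token", whitespace, optional opening quote, then base64url-style token characters.
TOKEN_RE = re.compile(r"(access_token\s+'?)([A-Za-z0-9_\-.]{16,})")
# Client address as logged after tid(...), with or without a [request]/[response] tag.
CLIENT_RE = re.compile(r"tid\(\d+\)(?:\[\w+\])?\[([0-9a-fA-F.:]+)\]")


def pseudonym(token: str, key: bytes = KEY) -> str:
    """Keyed hash: the same token always maps to the same value, so its use can be
    correlated, but the value is not a usable credential and needs the key to compute."""
    return "hmac-sha256:" + hmac.new(key, token.encode(), hashlib.sha256).hexdigest()[:32]


def redact_line(line: str, key: bytes = KEY) -> str:
    """Replace every logged access token in one line with its pseudonym."""
    return TOKEN_RE.sub(lambda m: m.group(1) + pseudonym(m.group(2), key), line)


def process(log_text: str, key: bytes = KEY):
    """Return (redacted lines, {pseudonym: client addresses}) for tokens seen from
    more than one client address (used here as a stand-in for "device")."""
    redacted, clients = [], {}
    for line in log_text.splitlines():
        client = CLIENT_RE.search(line)
        for m in TOKEN_RE.finditer(line):
            if client:
                clients.setdefault(pseudonym(m.group(2), key), set()).add(client.group(1))
        redacted.append(redact_line(line, key))
    shared = {p: sorted(c) for p, c in clients.items() if len(c) > 1}
    return redacted, shared


if __name__ == "__main__":
    lines, shared = process(SAMPLE_LOG)
    print("\n".join(lines))
    print("tokens seen from more than one client:", shared)
```

Pseudonyms are only comparable while the same key is in use, so rotating the key ends correlation across the rotation point.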
  • Guest
    Jun 19, 2019

    Hi Team,

    I have received the below update from the OM team.

    Our team is accepting this fix and working on implementing testing and merging it as quickly as possible in accordance with existing priorities. We anticipate delivering a fix on this item this summer.

    Thanks,
    Bhuvana

  • Guest
    Mar 29, 2019

    Hi Team,

    Kindly let us know the update. It's been waiting for a long time. There is no reply from your side.

    Thanks,
    Bhuvana
    +44 7469466597

  • Guest
    Mar 14, 2019

    Attachment (Description)