IBM Security Guardium Ideas Portal

Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:


Post your ideas

Start by posting ideas and requests to enhance a product or service. Take a look at ideas others have posted and upvote them if they matter to you,

  1. Post an idea

  2. Upvote ideas that matter most to you

  3. Get feedback from the IBM team to refine your idea


Help IBM prioritize your ideas and requests

The IBM team may need your help to refine the ideas so they may ask for more information or feedback. The offering manager team will then decide if they can begin working on your idea. If they can start during the next development cycle, they will put the idea on the priority list. Each team at IBM works on a different schedule, where some ideas can be implemented right away, others may be placed on a different schedule.


Receive notification on the decision

Some ideas can be implemented at IBM, while others may not fit within the development plans for the product. In either case, the team will let you know as soon as possible. In some cases, we may be able to find alternatives for ideas which cannot be implemented in a reasonable time.


Post an Idea

To post a new idea - click on the "Add a new idea" button and select the appropriate capability area this idea relates to. Do provide requested information to allow us to get a better understanding of your request. If 'Guardium Data Protection' capability is selected, you will be prompted to select the category/product the idea relates to. If you are not sure of the category/product your idea would fall under, then select 'IBM Guardium Other' in the drop down list and proceed from there.


Please note: The purpose of the Ideas Portal is to tap the creativity of the Guardium Data Protection community so that we can enhance the product for everyone! If you need to report a defect or get help, please use our normal support channel. Click here to open a support ticket.


For IBMers, click here to submit an idea on behalf of a customer, if the customer prefers to keep their use case and idea private.

Technology/Platform support for Access Methods(BDT and Java Library) and GAE

Certain access methods (specifically Batch Data Transformation (BDT) tool and Java library API) need to be certified with and support a broader set of technologies/platforms, which also included our GAE encryption agent.

+Severity: LIKELY SHOWSTOPPER

Why is this an issue: Being a large, global enterprise, RBC uses various middleware technologies on various platforms that need to perform encryption/decryption functions, Not all of these middleware technologies and platforms are supported by our solution. Specifically, we need to support IBM's JDK (instead of just Oracle JDK and OpenJDK) so that mission critical middleware used at RBC that are based on IBM's JDK (such as IBM DataStage -- which is an industry leading ETL tool that RBC used extensively) can run the BDT and can use the Java library API. In addition, the mainframe environment (at minimum, Linux on z) needs to be able to use the BDT and Java library API, which also means the GAE agent needs to be certified on this platform.

+Potential mitigations:
...For the BDT used with distributed platform middleware that runs an IBM JDK: At RBC, many DataStage jobs perform a function of bulk loading flat files into Teradata using Teradata's MultiLoad, FastLoad and TPump utilities. The BDT is a Java application. For RBC's DataStage servers, we believe it may be possible for RBC to install a separate OpenJDK on their DataStage servers, such that the BDT should be callable from DataStage (which is using IBM's JDK). This has yet to be proven in RBC's PoC. We are currently encountering some issues that may be the result of library conflicts. So further investigation is underway. If it works without issue, this might be a workable mitigation -- for RBC's DataStage servers. At present, we're not aware of additional IBM middleware that RBC will immediately need to use the BDT so this might remain a sufficient mitigation.

...For the BDT used with mainframe platform applications: At RBC, many mainframe jobs create a flat file that is bulk loaded to Teradata using Teradata's MultiLoad, FastLoad and TPump utilities. Without support of the BDT on the mainframe (say Linux on z - either with IBM JDK or a supported version of OpenJDK for this platform -- and which therefore means the GAE agent will also need to be certified for this platform) RBC will have to look at alternatives such as transferring the files to a distributed platform (such as DataStage) so that the distributed platfrom can invoke the BDT and invoked the Teradata utilities. However RBC has advised that this isn't workable for all scenarios due to SLA restrictions (ie very large files that need to be processed on the mainframe). We are working with them to understand this issue better but they have indicated they need support for the mainrame platform.

...For the Java library APIs used with distributed platform middleware that runs an IBM JDK: At RBC, many DataStage jobs load data into RBC's Hortonwork environment via direct file system (HDFS) access. In order to encrypt data, their DataStage jobs will need to implement an additional step to call our Java library APIs. Although DataStage uses an IBM JDK, we are exploring (with IBM DataStage lab) if it's possible to invoke OpenJDK within DataStage so that at the job level, our OpenJDK-certiffied API can be used. We have RBC experimenting with this right now, but we have some concerns about potential library conflicts. If it does work without issue, this might be a workable short term mitigation -- for RBC's DataStage servers, howeer our DataStage lab has indicated they would only support RBC for this for an interim period -- until Thales formally supports an IBM JDK. In addition, it's likely that RBC will need to perform encryption/decryption using IBM middleware that uses in IBM JDK -- such as WebSphere Application Server (WAS), IBM Integration Bus (IIB) and others. As one example, WAS apps that read off an MQ queue (and which feed Teradata or Hortonworks) that need to encrypt portions of the message will need to have the ability use the Java library API.

...For the Java library APIs used with mainframe platform middleware that runs an IBM JDK: Similar to the above issue, RBC has jobs that populate MQ queues (that feed, for instance, Teradata) with messages that will need certain fields encrypted. This means they will need the ability to use the Java library API (which also includes the need to use the GAE agent) on that platform - at minimum the Linux on Z environment). We have been exploring with RBC the option of using java applications running on a distributed platform to intercept the MQ messages, encrypt them and put them on a new queue for Teradata to ingest. This may be workable, but this likely will not be satisfactory for all scenarios at RBC. Further there may be additional applications (like Spark on the mainframe, or WAS apps or others) that will ultimately dictate the need to support the mainframe (at minimum Linux on z)

  • Guest
  • Jan 26 2021
  • Planned for future release

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.