OAuth 2.0 Makes Its Way Onto the IBM i

March 18, 2015 Alex Woodie

Don’t look now, but OAuth, the open standard for authentication first described by Twitter for allowing people to share data without using a password, is making its way into the enterprise. It’s even becoming adopted in the IBM i ecosystem, where a number of vendors, including BVS Tools, are adopting it as a standard authentication system for IBM i communication utilities.

The folks at Twitter initially started developing OAuth nine years ago to provide a way to share files over the Web without passing user IDs and passwords. Instead of sharing credentials, the OAuth protocol allows users to approve one application interacting with another on their behalf, without involving any passwords.

This is handy in the Web 2.0 world of social media. If you’ve ever been on a website and been presented the opportunity to post something to social media–say your Twitter feed or your Facebook page–then OAuth is the magic glue that makes that happen.

BVS started adopting OAuth 2.0 with its IBM i utilities with the 2013 launch of the GreenTools for Google Apps (G4G), which connect IBM i data with Google Apps, notably Google’s Drive, Cloud Print, Contacts, and Calendar apps. Soon thereafter, BVS supported OAuth 2.0 with GreenTools for Microsoft Apps (G4MS), which similarly use Microsoft’s APIs to upload IBM i-resident data to Microsoft OneDrive.

Now BVS is adopting OAuth in MAILTOOL, its popular tool that allows users to send emails from the IBM i server using a command line or RPG program. Specifically, BVS is supporting OAuth 2.0 in MAILTOOL Plus, an add-on to MAILTOOL that allows users to bypass the IBM SMTP server and send IBM i-generated emails via Gmail and Microsoft‘s Office 365 accounts.

As BVS’ Brad Stone explains, the changes will enable MAILTOOL PLUS customers to stay straight on the narrow OAuth 2.0 path. “In a nutshell, it allows those wanting to send email from their IBM i using Gmail to take advantage of OAuth 2.0, which means they don’t need to store passwords on their system,” Stone says via email.

Stone would have preferred to concentrate his efforts on building out the G4G and G4MS product sets, but he said he believed the writing was on the wall regarding the eventual demise of older authentication methods for hosted email.

“It seems Google is slowly moving this way for all their application access,” Stone says. “They’ve already deprecated the old ClientLogin method for most Google Apps and moved to OAuth 2.0. I have a feeling the same will happen with Gmail.”

OAuth 2.0 certainly has momentum. It’s used exclusively by social media sites like Facebook, Instagram, and Foursquare, as well as big cloud email providers like Google and Microsoft. But there’s trouble brewing in the house of OAuth, and some sites, like Twitter, Salesforce.com, and LinkedIn, support both OAuth 1 and OAuth 2.

The OAuth 1.0 protocol was originally published in 2010 by the Internet Engineering Task Force. In 2012, the standards were re-written with OAuth 2.0, which is not backward compatible with OAuth 1.0. Eran Hammer, the lead author of the OAuth 2.0 project, quit because he believed the enterprise focus of OAuth 2.0 was leading it down the road of being too complex, too incomplete, and too insecure (you can read all about the hubbub on Wikipedia).

MAILTOOL Plus, by the way, never used OAuth 1.0. Instead, it supported only “plain” and “basic” authentication mechanisms, so OAuth 2.0 should be a big improvement in any event.

New BVS Tools Hook IBM i to Google Apps

Tags:

CYBER-ATTACKS ON THE RISE. PROTECT WITH THE TRIPLE PLAY.

COVID-19 has not only caused a global pandemic, but has sparked a “cyber pandemic” as well.

“Cybersecurity experts predict that in 2021, there will be a cyber-attack incident every 11 seconds. This is nearly twice what it was in 2019 (every 19 seconds), and four times the rate five years ago (every 40 seconds in 2016). It is expected that cybercrime will cost the global economy $6.1 trillion annually, making it the third-largest economy in the world, right behind those of the United States and China.”¹

Protecting an organization’s data is not a single-faceted approach, and companies need to do everything they can to both proactively prevent an attempted attack and reactively respond to a successful attack.

UCG Technologies’ VAULT400 subscription defends IBM i and Intel systems against cyber-attacks through comprehensive protection with the Triple Play Protection – Cloud Backup, DRaaS, & Enterprise Cybersecurity Training.

Cyber-attacks become more sophisticated every day. The dramatic rise of the remote workforce has accelerated this trend as cyber criminals aggressively target company employees with online social engineering attacks. It is crucial that employees have proper training on what NOT to click on. Cyber threats and social engineering are constantly evolving and UCG’s Enterprise Cybersecurity Training (powered by KnowBe4) is designed to educate employees on the current cutting-edge cyber-attacks and how to reduce and eliminate them.

A company is only as strong as its weakest link and prevention is just part of the story. Organizations need to have a quick response and actionable plan to implement should their data become compromised. This is the role of cloud backup and disaster-recovery-as-a-service (DRaaS).

Data is a company’s most valuable asset. UCG’s VAULT400 Cloud Backup provides 256-bit encrypted backups to two (2) remote locations for safe retrieval should a cyber-attack occur. This is a necessary component of any protection strategy. Whether a single click on a malicious link brings down the Windows environment or an infected SQL server feeds the IBM i, once the data is compromised, there is no going back unless you have your data readily available.

Recovery is not a trivial task, especially when you factor in the time sensitive nature of restoring from an active attack. This leads to the third play of the Triple Play Protection – DRaaS. Companies have myriad concerns once an attack is realized and a managed service disaster recovery allows employees to keep focus on running the business in a crisis state.

The combination of training employees with secure backup and disaster recovery offers companies the best chance at avoiding financial disruption in an age of stronger, more frequent cyber-attacks.

Reach out to UCG Technologies to discuss your company’s security needs and develop a data protection plan that fits you best.

ucgtechnologies.com/triple-play

800.211.8798 | info@ucgtechnologies.com

^{1. https://theconversation.com/cyberattacks-are-on-the-rise-amid-work-from-home-how-to-protect-your-business-151268}

A Ruby And RPG Conversation OpenPower Could Take IBM i To Hyperscale And Beyond

Table of Contents

Content archive

Recent Posts

Subscribe

Pages

Search