It's all about the answers!

Ask a question

In RTC 5.0.2: Is the source code added in Jazz source control is encrypted?

Muhammad Moid (141634) | asked Jun 02 '16, 3:19 a.m.
edited Jun 03 '16, 6:13 p.m. by David Lafreniere (4.8k7)

We are using RTC 5.0.2 in our distributed environment and for that reason our security team just want to know that the source code Delivered in Jazz repository is in encrypted form or not.

Muhammad Moid

One answer

permanent link
Ralph Schoon (63.3k33646) | answered Jun 02 '16, 3:44 a.m.
edited Jun 02 '16, 3:48 a.m.
Communication between client and server uses HTTPS and is encrypted. The code changes are stored in the database as blobs. The content is compressed (if compression saves space) but not encrypted.

So during transfer the data - all data - is encrypted due to HTTPS, but in the database it is not encrypted.

Muhammad Moid commented Jun 02 '16, 4:09 a.m.
Hmmm. I am trying to understand it since I can see encrypted data in the database.

Let me rephrase my question again.Can the IBM CLM Application do the encryption for the source code?

Also, I would appreciate if you can answer below security related questions as well:

Can we store CLM application & Tomcat logs in SQL native DB log? Or can we send them directly to syslog server or be integrated security information and event management (SIEM) solution.
Is the tunnel(Communication medium) between application and database is encrypted using TLS1.2 ?

Ralph Schoon commented Jun 02 '16, 4:53 a.m. | edited Jun 02 '16, 4:56 a.m.

As I said, the change is compressed usually. Just because you can not see/understand the data does not mean it is encrypted. Look at any compressed file and try to figure what the data is.

Again, there is no encryption done by the application, prior to storing the data in the database. There are no mechanisms to do encryption for scm data in the application either as far as I am aware.

The logs are stored in the file system, it is your admin's duty to make them accessible only to the users that should be able to. If you want to send the logs somewhere, you would have to come up with a custom solution to do it.

The application uses plain a plain JDBC connection to the database. If your DB Vendor JDBC driver uses TLS1.2 fine. The database should be very close to your application server. So I am not sure why you want the additional performance impact due to encryption.

Your answer

Register or to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.