Jon D.

jXchange and Opening Act Security

Jon D. asked 3 months ago in Banktastic
I Like It!5

Has anyone in the group implemented Opening Act and jXchange? If so, could you briefly describe your security setup for these products?

We were always under the impression that the connection between the two would occur within the secure part of our network. We were surprised to find out that we had to open a hole in our firewall and provide a public IP address to our jXchange server. We are now having to redo our risk assessment based upon these new facts that were “conveniently” left out in the discovery process.

Neither Jack Henry nor Meridian Link (ProfitStars’ Opening Act) are very forthcoming in their responses to our inquiries.

Related Content: Jack Henry

Sort By: Date | Community Rating
Henry E.

Henry E.

08/22/08 at 02:47 PM

Sorry Jon, I just saw this on BT. This is the comments I had for Ricky.

JXCHANGE is a VERY powerful tool that allows any and all systems to send and receive data from the iSeries. Even those systems that are not a part of the JHA family. JHA has developed this system to handshake between it’s products, mainly.

The user profile for JXCHANGE will more than likely have ALL OBJECT authority which means it can get to ANYTHING on the iSeries. In my opinion, it should be limited to JHA libraries, should not have a password and should have someone periodically monitoring the activity. If I remember correctly, it use a service on the iSeries called DDM that will not require a specific port. Meaning without controls on the user profile and it’s access, it can do anything. Can be pretty scary…

Ricky R.

Ricky R.

08/22/08 at 03:05 PM

Jack Henry does not use DDM to communicate with the iSeries but instead uses TCP sockets to communicate with the JX server(s) and the messages are in XML format.

Henry E.

Henry E.

08/22/08 at 03:25 PM

That may even be worse…how are the authenticating? We wrote a sockets program when they AS/400 first came out for a Teller system interface and when we got in, we had full access. They are skilled enough in iSeries-AS/400 I bet they have it locked some way. Maybe you should ask if they have set up special Network attributes on the iSeries side.

Aiden M.

Aiden M.

08/27/08 at 10:29 PM

We are still “deploying” opening act (even though the contract is about to begin maintenance billing) – We were also only looking at allowing the opening of Savings Accounts to mitigate risks. I will see if we have any written policies for this yet and let you know.

(On a side note – we just finished our FDIC examination and didn’t want that new offering available yet, they are EXTREMELY picky right now )

Sponsors

CoNetrix
CalTech

Request Information on Becoming a Sponsor