Maximo

  • 1.  Need help to configure e-mail listener with OAuth 2.0

    Posted Thu May 13, 2021 05:12 AM
    Hi!
    Being on Maximo 7612 at one of our customers, we have an email listener configured and connected to an Office 365 mail account.
    Currently we're using pop3s protocol and everything works fine.
    However - IT department of that customer would like us to use more "modern" protocol for accessing this account, therefore we're pushed to switch to OAuth 2.0. 
    We've requested for attributes which are necessary (from Maximo point of view) to connect to mailbox through OAuth 2.0:
    - Client ID
    - Client Secret
    - Refresh Token
    - Token URL

    Later we've received values for Client ID and Client Secret but we're not sure what exactly we should put for Refresh Token and Token URL

    We have links to the Authorization endpoint (example: https://login.microsoftonline.com/xxxx/oauth2/v2.0/authorize) and to the Token endpoint (example: https://login.microsoftonline.com/xxxx/oauth2/v2.0/token), but most probably these are not the values for Refresh Token and Token URL, are they?


    I've tried to look for documentation how to set up connection to office365 using OAuth, but without success.

    Also IBM article with such promising title Configuring e-mail listeners for OAuth 2.0 provides nothing more than I can get hitting ALT+F1 while configuring email listener :/

    Do you have any example of how such listener connected via OAuth 2.0 may look like?
    Thanks in advance for any support.

    Regards
    Piotr Ozaist
    Trivalo

    ------------------------------
    Piotr Ozaist
    ------------------------------

    #Maximo
    #AssetandFacilitiesManagement


  • 2.  RE: Need help to configure e-mail listener with OAuth 2.0

    Posted Fri May 14, 2021 09:03 AM
    I went through this and definitely understand the frustration. Before going too far, make sure you're on a recent IFIX of 7.6.1.2. We found a few issues, but this one in particular: IJ28331: 7.6.1.2 - OFFICE 365 OAUTH ACCESS TOKENS CAPTURED WITH DOUBLE QUOTES (ibm.com) is unfixable without Java customizations. You can address the size issues with the access token, but that was also created as an APAR (IJ27950: EMAIL LISTENER OAUTH ACCESS TOKEN THAT GETS GENERATED IS LARGER THAN THE 1024 (ibm.com)). I believe these were both fixed in IFIX 03.

    Beyond that, be aware that OAuth only supports IMAPS (not POP3). This caused our email listener accounts to be bumped up from an Office 365 licensing perspective as the kiosk licensing we were using does not support IMAPS. That wasted a lot of time because the failure was not obvious. 

    Then on the setup, you have a client id and secret which is good. That means your team has setup the application in Azure AD. You should ensure they granted the IMAP.AccessAsUser.All & offline_access API permissions. 

    The token URL is indeed https://login.microsoftonline.com/xxxx/oauth2/v2.0/token, with the xxxx replaced with your tenant id for Office 365.

    To get your initial refresh token, you need to make a request to the authorize endpoint with a request like:
    https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?client_id={client id}&response_type=code&redirect_uri=http%3A%2F%2Flocalhost&response_mode=query&scope=offline_access%20https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Foutlook.office365.com%2FSMTP.Send&state=12345

    Replace the tenant id and client id (including the curly brackets) with the appropriate values. After you authorize the access, it'll look like you get an error because it will redirect to https://localhost and nothing will obviously be listening on that. But in that URL it will provide a code that you use as your refresh token moving forward. 



    ------------------------------
    Steven Shull
    Director of Development
    Projetech Inc
    Cincinnati OH
    ------------------------------



  • 3.  RE: Need help to configure e-mail listener with OAuth 2.0

    Posted Sun May 16, 2021 07:50 AM
    Hi,

    I was curious to know if OAUTH2.0 authentication can be implemented for MAXIMO inbound transactions? If an external system is pushing data into MAXIMO, how can the authentication be achieved? What about API keys? Is it secure enough?

    Any thoughts on how this can be done will be appreciated.

    Regards,

    ------------------------------
    Priyaranjandas Kolambkar
    ------------------------------



  • 4.  RE: Need help to configure e-mail listener with OAuth 2.0

    Posted Mon May 17, 2021 08:34 AM
    I'd recommend opening a separate topic for this to give it proper visibility and discussion as it's not related to email listener. Currently there is no OAuth inbound support for integrations and I don't think there will be. You must utilize API keys or connect to LDAP and provide that as your authentication. In our opinion, API keys until Maximo 7.6.1.2 were definitely not secure enough. They were stored in plain text in the database and any user who could create API keys could create it for any user. 7.6.1.2 added various options to address our feedback including:

    1) encrypt the credentials (mxe.secureapikey, enabled by default)
    2) Prevent certain users from having API keys created for them (mxe.apikeysysusers, empty by default)
    3) Prevent any user from creating an API key for another user (mxe.apikeyforloggedinuser, off by default)

    If you're on 7.6.1.2, it's still up to the organization to determine whether or not this addresses their security concerns. Each organization has different risk tolerances so a blanket statement as to secure/insecure is just too difficult to make. I can say a lot of systems utilize an API key so it's not uniquely Maximo. I'd also suggest whether utilizing API keys or not to focus heavily on permissions to ensure you restrict access to the subset required to support the integration.

    ------------------------------
    Steven Shull
    Director of Development
    Projetech Inc
    ------------------------------



  • 5.  RE: Need help to configure e-mail listener with OAuth 2.0

    Posted Tue May 18, 2021 10:58 AM
    Thank you for the detailed information.

    I will open a new topic as recommended.

    Regards,

    ------------------------------
    Priyaranjandas Kolambkar
    ------------------------------



  • 6.  RE: Need help to configure e-mail listener with OAuth 2.0

    Posted Fri May 27, 2022 09:15 AM
    Edited by System Admin Wed March 22, 2023 11:50 AM

    Hi Piotr (and everyone else who ran into this),

    I have created a case at IBM Maximo support which eventually led to a better documented instruction on how you can configure the E-mail Listener using the OAuth 2.0 / Office365 protocol: Email Listener OAuth Configuration with Office 365 (ibm.com)

    PS. After following those steps I still ran into an issue with the Initial Refresh Token being too large: java.sql.SQLException: ORA-12899: value too large for column "MAXIMO"."INBOUNDCOMMCFG"."OAUTHACCESSTOKEN" (actual: 2032, maximum: 2000).


    IBM advised the following, which worked for me: "There is a limitation on Oracle where crypto fields cannot be expanded beyond 2000. The access token is transitory and doesn't need to be persistent. Re-create the fields as non-persistent and expand it, fixing the issue you are observing."


    Regards,

    Lars