Lack Of Ciphers In IBM i 7.1 Raises Concern

    February 1, 2017 Alex Woodie

    Companies running IBM i version 7.1 may be in for a rude awakening when they try to establish an encrypted communication session with a trading partner. According to several reports from users, IBM i servers on V7.1 are being blocked from accessing partner systems via SSL/TLS because they do not support the newer encryption algorithms their partners now require.

    “There are a number of ciphers major trading partners are insisting you use for SSL communications which are not available on IBM i 7.1,” Rob Berendt, a system and security analyst at Group Dekko, says in a recent LinkedIn post titled Is IBM i 7.1 already obsolete?

    “This seems to be a busy quarter for several people implementing tougher cipher restrictions and people are getting clobbered,” Berendt continues. “Even though 7.1 is ‘supported,’ IBM will not be bringing some of these newer ciphers to it.”

    Elliptic Curve

    IBM first shipped IBM i 7.1 back in 2010, and has subsequently delivered 12 technology refreshes for that operating system. Big Blue significantly expanded its cipher support with IBM i 7.2, which the company shipped in the spring of 2014, right around the time the Heartbleed vulnerability in OpenSSL was taking the security world by storm, and then expanded cipher support even further with IBM i 7.3, which shipped in the spring of 2016. (You can view the specific ciphers supported in IBM i 7.1 by clicking here. IBM i 7.2 cipher support can be found here and IBM i 7.3 cipher support can be found here.)

    The biggest change in cipher support with the introduction of IBM i 7.2 revolves around the adoption of Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) cipher suites. For years, IBM relied on cipher suites that pair Rivest-Shamir-Adleman (RSA) key exchange with symmetric ciphers like AES and 3DES. But as vulnerabilities were found in older SSL versions and the security world moved to TLS for encrypting data in motion, elliptic curve cipher suites became more prevalent.

    Another change with i 7.2 appears to be the capability for an IBM i shop to simultaneously use multiple certificates. According to IBM’s website, the purpose of the Multiple Certificate Selection enhancement in 7.2 is “to enable Elliptic Curve Digital Signature Algorithm [ECDSA] certificates while still allowing RSA certificates to be used with clients that require RSA.”
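
The mismatch described above, modeled as a simplified TLS 1.2 suite selection (an added example, not code from IBM or the article): an RSA-only client shares no suite with a partner that accepts only ECDHE suites, while a server holding both RSA and ECDSA certificates can still serve it. The suite lists, the names `negotiate` and `missing_key_exchanges`, and the certificate-type sets are constructed for illustration; real handshakes also negotiate protocol version, curves, and signature algorithms.

```python
import re

# Constructed sample lists (IANA suite names), not IBM's published tables.
RSA_ONLY_CLIENT = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
EC_CAPABLE_CLIENT = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
] + RSA_ONLY_CLIENT
STRICT_PARTNER = [  # server preference order, elliptic-curve suites only
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
DUAL_STACK_SERVER = STRICT_PARTNER + ["TLS_RSA_WITH_AES_128_CBC_SHA"]

def parse_suite(name):
    """Split a TLS 1.2 suite name into (key_exchange, auth, cipher_and_mac)."""
    m = re.fullmatch(r"TLS_(.+)_WITH_(.+)", name)
    if not m:
        raise ValueError(f"not a TLS 1.2 style suite name: {name}")
    parts = m.group(1).split("_")
    # A bare "RSA" prefix means RSA key transport with an RSA certificate.
    return parts[0], parts[-1], m.group(2)

def negotiate(client_offer, server_prefs, server_cert_types):
    """Return the first server-preferred suite that the client offers and
    the server has a matching certificate for; None means no shared suite."""
    offered = set(client_offer)
    for suite in server_prefs:
        _, auth, _ = parse_suite(suite)
        if suite in offered and auth in server_cert_types:
            return suite
    return None

def missing_key_exchanges(client_offer, server_prefs):
    """Key-exchange methods in the server's list that the client never offers."""
    client_kx = {parse_suite(s)[0] for s in client_offer}
    return {parse_suite(s)[0] for s in server_prefs} - client_kx

if __name__ == "__main__":
    print(negotiate(RSA_ONLY_CLIENT, STRICT_PARTNER, {"RSA", "ECDSA"}))
    print(missing_key_exchanges(RSA_ONLY_CLIENT, STRICT_PARTNER))
```

Running `missing_key_exchanges` against a partner's published requirements before a cutover date shows which key-exchange families the client side lacks.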

    No Updates for 7.1

    IBM currently has no plans to add these newer ciphers to IBM i 7.1, says Allison Butterill, IBM’s offering manager for IBM i in Rochester, Minnesota.

    “It’s not in our current plans to put it back on 7.1, no,” Butterill tells IT Jungle. “The purpose of a support and service contract is not to roll new functions back into old releases. It is to continue to provide good support and service for what they have, and to help them with bugs and fixes by providing them PTFs.”

    IBM continually listens to its customer base, and meets with COMMON and COMMON Europe advisory councils, the ISV advisory council, and the Large User Group to gather technical requirements for new releases of the operating system, Butterill says. While the issue of ciphers in IBM i 7.1 was brought up in last week’s LUG meeting in Rochester, where the focus was security, IBM was not receptive to the request, according to one LUG member.

    At least one IBM i shop is offline as a result of the cipher issue in 7.1. But according to Butterill, this isn’t a break-fix issue that should be dealt with through technical support or a PTF, but rather a business that has found the functionality in a seven-year-old operating system to be lacking.

    Her advice? Upgrade to something newer, like IBM i 7.2 or 7.3.

    “If it was a difficult barrier [to move to IBM i 7.2 or 7.3], the decision might be different,” Butterill concedes. “But it’s a very simple process to move to 7.2 and 7.3, and we have almost all the major ISVs certified at those releases.”

    ISV Impact

    The issue is also impacting ISVs, although not in the same ways, because not all ISVs use IBM ciphers.

    For example, Linoma Software, a division of HelpSystems, supports a broad range of ciphers and the latest TLS standards with its GoAnywhere product. “We are not reliant on IBM’s operating system since we ported our own SSL/TLS implementation to the IBM i,” Linoma’s Bob Luebbe tells IT Jungle.

    Creating your own implementation of encryption algorithms is not a simple task, and that’s why other vendors choose to use the ciphers that IBM provides. One vendor that has taken that route, and has run into the problem with IBM i 7.1, is BVS Tools, which develops a variety of communication utilities for IBM i.

    Bradley Stone, president of BVS Tools, tells IT Jungle that some customers of his GETURI tool running on IBM i 7.1 have been denied access to their partner’s servers as a result of the lack of support for newer ciphers in 7.1.

    “This was interesting, but not surprising,” Stone wrote in a column on Field Exit in December. “I knew sooner or later it would happen. SSL has been in a state of accelerated updates ever since the Heartbleed and other security holes have been found. But in this case, the V7R1 Operating System doesn’t have the newer ciphers in use by the servers that are slowly updating their SSL certificates.”

    EOL 7.1?

    Stone has told IBM about the issue, and has formally submitted requests for enhancements (RFE), without success. In lieu of IBM back-porting the newer ciphers into IBM i 7.1 with a PTF, Stone and others in the IBM i community want IBM to do what they view as the next best thing: kill IBM i 7.1.

    “Either end support for V7R1 (which it’s a little late for that now) or honor your commitment to your paying customers,” Stone writes.

    Berendt has the same view. “In all honesty I would just as soon see 7.1 die,” he says. “The only reason I care about the ciphers is one more nail in the coffin.”

    Stone and Berendt may soon get their wishes for IBM i 7.1 to reach end of life (EOL), according to Butterill. “If you look at our IBM i history, we typically do not have three releases that are available in marketing and support at the same time,” she says. “We currently have three. Doesn’t that tell you something?”


    2 thoughts on “Lack Of Ciphers In IBM i 7.1 Raises Concern”

    • Larry Bolhuis says:
      February 1, 2017 at 9:12 am

      There are a number of us out here in the field beating the drum for IBM to declare an EOS date for i 7.1. It is past time, as mentioned here already too late, but end the bleeding IBM. PLEASE!

    • M Q says:
      February 22, 2017 at 11:59 am

      “If it was a difficult barrier [to move to IBM i 7.2 or 7.3], the decision might be different,” Butterill concedes. “But it’s a very simple process to move to 7.2 and 7.3, and we have almost all the major ISVs certified at those releases.”

      While ISV support may be there, certain aspects of hardware (and even some software configurations) are not supported. Thus upgrading may entail the purchase of a new system. That’s not as simple as Allison makes it sound. We have some PC-based servers more than 7 years old. We’ve found the premium charge for IBM i to be well worth it, but this reduces the value. How long until features aren’t supported on a POWER8 server we may need to buy to get to 7.3?


TFH Volume: 27 Issue: 5