Lack Of Ciphers In IBM i 7.1 Raises Concern
February 1, 2017 Alex Woodie
Companies running IBM i version 7.1 may be up for a rude awakening when they try to establish an encrypted communication session with a trading partner. According to several reports from users, IBM i servers on V7.1 are being blocked from accessing partner systems via SSL/TLS because they’re not using the latest encryption algorithms required by their partners.
“There are a number of ciphers major trading partners are insisting you use for SSL communications which are not available on IBM i 7.1,” Rob Berendt, a system and security analyst at Group Dekko, says in a recent LinkedIn post titled Is IBM i 7.1 already obsolete?
“This seems to be a busy quarter for several people implementing tougher cipher restrictions and people are getting clobbered,” Berendt continues. “Even though 7.1 is ‘supported,’ IBM will not be bringing some of these newer ciphers to it.”
Elliptic Curve
IBM first shipped IBM i 7.1 back in 2010, and has subsequently delivered 12 technology refreshes for that operating system. Big Blue significantly expanded its cipher support with IBM i 7.2, which the company shipped in the spring of 2014, right around the time the Heartbleed vulnerability in OpenSSL was taking the security world by storm, and then expanded cipher support even further with IBM i 7.3, which shipped in the spring of 2016. (IBM publishes the specific lists of ciphers supported in IBM i 7.1, 7.2 and 7.3 on its website.)
The biggest change in cipher support with the introduction of IBM i 7.2 revolves around the adoption of Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) cipher suites. For years IBM relied on cipher suites built on Rivest Shamir Adleman (RSA) public key exchange combined with bulk encryption algorithms like AES and 3DES. But as vulnerabilities were found in older SSL versions and the security world moved to TLS for encrypting data in motion, elliptic curve cipher suites became more prevalent.
Another change with i 7.2 appears to be the capability for an IBM i shop to simultaneously use multiple certificates. According to IBM’s website, the purpose of the Multiple Certificate Selection enhancement in 7.2 is “to enable Elliptic Curve Digital Signature Algorithm [ECDSA] certificates while still allowing RSA certificates to be used with clients that require RSA.”
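The failures the article describes come down to a partner offering only ECDHE/ECDSA suites while the local stack offers only RSA-keyed suites, so the handshake has no suite in common. The following Python check is an added example, not code from the article or from IBM: it parses IANA-style cipher-suite names into their key-exchange, authentication and bulk-cipher parts and reports whether two offered lists can agree. The suite lists in it are constructed samples, not IBM's published lists.

```python
"""Cipher-suite compatibility check (added example, constructed lists)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str  # "RSA" (key transport), "ECDHE", "DHE", ...
    auth: str          # "RSA" or "ECDSA"
    bulk: str          # e.g. "AES_128_GCM", "3DES_EDE_CBC"
    mac: str           # "SHA", "SHA256", ... or "AEAD" for GCM/ChaCha20


def parse_suite(name: str) -> Suite:
    """Split a TLS 1.2 name like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2 cipher-suite name: {name}")
    kx_part, enc_part = name[len("TLS_"):].split("_WITH_", 1)
    kx_tokens = kx_part.split("_")
    key_exchange = kx_tokens[0]
    # A lone token (TLS_RSA_...) means RSA key transport also authenticates.
    auth = kx_tokens[1] if len(kx_tokens) > 1 else kx_tokens[0]
    enc_tokens = enc_part.split("_")
    bulk, mac = "_".join(enc_tokens[:-1]), enc_tokens[-1]
    if "GCM" in bulk or "CHACHA20" in bulk:
        mac = "AEAD"  # trailing hash names the PRF, not a separate MAC
    return Suite(name, key_exchange, auth, bulk, mac)


def needs_elliptic_curve(suite: Suite) -> bool:
    return suite.key_exchange == "ECDHE" or suite.auth == "ECDSA"


def negotiate(partner_required, local_offered):
    """Return (suites both sides offer, partner suites that need EC support
    the local stack lacks). An empty first list means the handshake fails."""
    local = set(local_offered)
    common = [s for s in partner_required if s in local]
    missing_ec = [s for s in partner_required
                  if s not in local and needs_elliptic_curve(parse_suite(s))]
    return common, missing_ec


# Constructed sample lists: a partner insisting on ECDHE-only suites, a
# stack with only RSA-keyed suites, and one that also offers ECDHE suites.
PARTNER_REQUIRED = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
RSA_ONLY_STACK = ["TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
EC_CAPABLE_STACK = RSA_ONLY_STACK + ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
```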
No Updates for 7.1
IBM currently has no plans to add these newer ciphers to IBM i 7.1, says Allison Butterill, IBM’s offering manager for IBM i in Rochester, Minnesota.
“It’s not in our current plans to put it back on 7.1, no,” Butterill tells IT Jungle. “The purpose of a support and service contract is not to roll new functions back into old releases. It is to continue to provide good support and service for what they have, and to help them with bugs and fixes by providing them PTFs.”
IBM continually listens to its customer base, and meets with COMMON and COMMON Europe advisory councils, the ISV advisory council, and the Large User Group to gather technical requirements for new releases of the operating system, Butterill says. While the issue of ciphers in IBM i 7.1 was brought up in last week’s LUG meeting in Rochester, where the focus was security, IBM was not receptive to the request, according to one LUG member.
At least one IBM i shop is offline as a result of the cipher issue in 7.1. But according to Butterill, this isn’t a break-fix issue that should be dealt with through technical support or a PTF, but rather a business that has found the functionality in a seven-year-old operating system to be lacking.
Her advice? Upgrade to something newer, like IBM i 7.2 or 7.3.
“If it was a difficult barrier [to move to IBM i 7.2 or 7.3], the decision might be different,” Butterill concedes. “But it’s a very simple process to move to 7.2 and 7.3, and we have almost all the major ISVs certified at those releases.”
ISV Impact
The issue is also impacting ISVs, although not in the same ways, because not all ISVs use IBM ciphers.
For example, Linoma Software, a division of HelpSystems, supports a broad range of ciphers and the latest TLS standards with its GoAnywhere product. “We are not reliant on IBM’s operating system since we ported our own SSL/TLS implementation to the IBM i,” Linoma’s Bob Luebbe tells IT Jungle.
Creating your own implementation of encryption algorithms is not a simple task, and that’s why other vendors choose to use the ciphers that IBM provides. One vendor that has taken that route, and run into the problem with IBM i 7.1, is BVS Tools, which develops a variety of communication utilities for IBM i.
Bradley Stone, president of BVS Tools, tells IT Jungle that some customers of his GETURI tool running on IBM i 7.1 have been denied access to their partner’s servers as a result of the lack of support for newer ciphers in 7.1.
“This was interesting, but not surprising,” Stone wrote in a column on Field Exit in December. “I knew sooner or later it would happen. SSL has been in a state of accelerated updates ever since the Heartbleed and other security holes have been found. But in this case, the V7R1 Operating System doesn’t have the newer ciphers in use by the servers that are slowly updating their SSL certificates.”
EOL 7.1?
Stone has told IBM about the issue, and has formally submitted requests for enhancement (RFEs), without success. Since IBM will not back-port the newer ciphers into IBM i 7.1 with a PTF, Stone and others in the IBM i community want IBM to do what they view as the next best thing: kill IBM i 7.1.
“Either end support for V7R1 (which it’s a little late for that now) or honor your commitment to your paying customers,” Stone writes.
Berendt has the same view. “In all honesty I would just as soon see 7.1 die,” he says. “The only reason I care about the ciphers is one more nail in the coffin.”
Stone and Berendt may soon get their wishes for IBM i 7.1 to reach end of life (EOL), according to Butterill. “If you look at our IBM i history, we typically do not have three releases that are available in marketing and support at the same time,” she says. “We currently have three. Doesn’t that tell you something?”
There are a number of us out here in the field beating the drum for IBM to declare an EOS date for i 7.1. It is past time, as mentioned here already too late, but end the bleeding IBM. PLEASE!
“If it was a difficult barrier [to move to IBM i 7.2 or 7.3], the decision might be different,” Butterill concedes. “But it’s a very simple process to move to 7.2 and 7.3, and we have almost all the major ISVs certified at those releases.”
While ISV support may be there, certain aspects of hardware (and even some software configurations) are not supported. Thus upgrading may entail the purchase of a new system. That’s not as simple as Allison makes it sound. We have some PC-based servers more than 7 years old. We’ve found the premium charge for IBM i to be well worth it, but this reduces the value. How long until features aren’t supported on a POWER8 server we may need to buy to get to 7.3?