IBM i 7.3 Encryption Bolstered With TR8
April 15, 2020 Alex Woodie
Customers running IBM i 7.3 got some good news on the security front when IBM announced that the operating system would get support for the latest Transport Layer Security (TLS) protocol, version 1.3. And that’s not the only security-related enhancement this group of users received with the new Technology Refreshes.
Last year, IBM gave IBM i shops the ability to use TLS 1.3, which is strongest publicly available encryption protocol used on the Internet today. TLS 1.3 debuted in the summer of 2018 and has since been adopted by nearly a quarter of sites on the Web, according to surveys. It’s faster than TLS 1.2, but more importantly, TLS 1.3 is more secure, as it eliminated security ciphers that posed a security vulnerability of their own.
However, IBM i customers had to move to the latest release of the operating system, IBM i version 7.4, to get TLS 1.3. IBM remedied that situation with this week’s introduction of IBM i 7.3 TR8, which adds support for TLS 1.3 in that version of the operating system.
In a COMMON Webcast yesterday announcing the new TRs, IBM i Chief Architect Steve Will acknowledged that IBM was aware of the security shortcoming in IBM i version 7.3 when it shipped 7.4 last year. “That support [for TLS 1.3] was put into 7.4, but we knew at the time that putting it into 7.4 was not going to be sufficient,” he said.
IBM i 7.3 is still used by 50 percent of the installed base, according to the 2020 version of HelpSystems Marketplace Survey, compared to just 4 percent on IBM i 7.4. Those numbers have surely narrowed, as HelpSystems conducted the survey last fall and many undoubtedly have upgraded since then. But IBM i 7.3 will likely have a significant number of users for years to come, so it behooved IBM to make it as secure as possible.
HelpSystems Marketplace Survey
IBM i shops aren’t always the most security conscious, as we’ve come to learn. But IBM clearly understood the importance of adding support for the latest encryption technology to a mainstream and fully supported release of a server operating system that would be around for years.
TLS 1.3, which took 10 years to develop, will eventually replace TLS 1.2, just as TLS replaced Secure Sockets Layer (SSL) technology before that. Nobody is saying TLS 1.2 is unsafe to use (yet), but TLS 1.3 clearly is the encryption technology that forward-looking, security-conscious firms use today.
“The key is that all of the support that you might want to talk to the [TLS] 1.2 partners that you have or the [TLS] 1.3 partners that you have are now part of our two most recent releases, 7.4 and 7.3,” Will said in the COMMON webcast. “Therefore, you can get all the necessary TLS 1.3 attributes. All of that is available to you through the standard mechanism for configuring and for getting information out of IBM.”
Companies that use *OPSYS will automatically be presented with the option to use the new TLS 1.3 ciphers, Will said. Those shops that use other mechanisms for managing their SSL/TLS connections will need to manually make the change when IBM i 7.3 TR8 becomes available on May 15.
“We also added the system value support back in so that you could identify on your 7.3 system that you wanted to use TLS 1.3 where possible,” Will said. “In this case, demonstrator need to explicitly add the new values unless they were already using the *OPSYS for the SSL/[TLS] control.”
TLS 1.3 is the strongest publicly available encryption for data exchange over the Internet.
IBM also bolstered its support for TLS 1.2 in IBM i 7.4. The cryptographic community has made some changes to TLS 1.2 (which debuted way back in 2008) that will solidify its use going forward. Specifically, it added a handful of new cipher suites, including more elliptic curve algorithms for key exchanges. IBM added support for these TLS 1.2 enhancements with IBM i 7.4 TR1 last fall, and now it’s giving IBM i 7.3 customers the same support.
Supporting these TLS 1.2 enhancements ensures that IBM i customers can continue exchanging data with their trading partners in an unimpeded manner, Will said.
“While most of our clients will want to move to 1.3, they need a partner conversation that can also do 1.2,” he said. “If you’re dealing with somebody who is using 1.2 and hasn’t moved to 1.3 yet, you may still want to do things that are stronger in their encryption and so on. TLS 1.2 has some enhancements for that. We put those in 7.4. And now they are also in 7.3.”
This situation is similar to what IBM faced back in 2017, when a handful of IBM i 7.1 users were clamoring for IBM to add support for new SSL/TLS ciphers – specifically, the elliptic curve encryption algorithms — to that operating system.
At that time, IBM i customers were being turned down by their trading partners because they weren’t using the latest, greatest ciphers, which eliminated their ability to use standard Internet techniques to exchange data. IBM i 7.1 was still supported at the time, but both IBM i 7.2 and IBM i 7.3 were already out. IBM i 7.1 was nearing the end of its (very long) life, and IBM did not want to give these customers any more reason to stay on that release, so it didn’t add those new ciphers to 7.1.
However, there is one key difference between IBM’s TLS support now and back in 2017: IBM i 7.3 is expected to be around for quite a while (although IBM i 7.2 will be pulled from marketing at the end of April of this year and will be pulled from mainstream support at the end of April 2021). Getting TLS 1.3 running on IBM i 7.3, therefore, was a priority for IBM.
The new Digital Certificate Manager (DCM) interface that IBM introduced with IBM i 7.4 has also been added to 7.3. According to Will, the new GUI interface for DCM was received very positively by customers.
“But what we found was as people were introduced to this new interface on 7.4, they said ‘Absolutely — this is what we wanted. Now make it available to 7.3 because I’m managing multiple systems as well,’” Will said. “You can use the original one if it take you a little time to learn the new one. But what we’re finding is that it’s relatively straightforward . . . The ability to see certificates that are close to expirations so that you can act on them – its’ so much easier in this new interface, so you’ll want to take a look at that.”’
RELATED STORIES
Here’s What’s In the Latest IBM i Technology Refreshes
We’re at TR8 and when I look at the system value QSSLPCL, it doesn’t allow a value of *TLSV1.3.