IBM To Stop Unencrypted Fix Downloads In February
November 28, 2022 Timothy Prickett Morgan
We have caught word from the IBM business partner community that starting on February 15, 2023, Big Blue will stop allowing customers to get operating system software patches that are not encrypted.
The notification, which you can see here, was sent to business partners on November 23, just before the Thanksgiving Day holiday in the United States. Various IBM support methods, including IBM Electronic Fix Distribution (EFD), IBM Electronic Customer Care (ECC), and IBM Fix Central are all affected by this change.
“Many leaders of the internet industry – such as World Wide Web Consortium (W3C), Internet Engineering Task Force (IETF), and Internet Architecture Board (IAB) – state that universal use of encryption is the way forward for the Internet traffic,” the announcement reads. “Therefore Web platforms should be designed to actively prefer secure communication so data is protected in transit and at rest. Aligned with this industry direction, IBM IT Security Standards have been enforcing the use of encrypted communications. Therefore IBM Electronic Fix Distribution (EFD), IBM Electronic Customer Care (ECC), and IBM Fix Central systems will stop supporting unencrypted fix downloads on February 15, 2023 to improve user privacy and security and enforce compliance with IBM IT Security Standards. Shortly after that date, unencrypted fix download flows will NOT be allowed anymore.”
Having data encrypted between machines on the Internet certainly does improve security, and it is amazing that IBM is only getting around to this now. Part of the reason, no doubt, is that it is a pain in the neck to reconfigure machines to support encryption on the customer end of the Internet.
As one partner put it to me: “Most IBM shops are lazy. They know they need to do it, but they don’t know enough about their systems to go for it. For my client base, that means a huge undertaking at each client. Just on the IBM side, there are three different entities to change: Service, Fix Central, and MGTools – and then independent FTP that needs to go to SFTP, then the system and desktops need to consider TLS 1.2 or 1.3 instead of SSH/SSL. Then in each shop you have Windows servers and desktops. . . . This is going to be a challenge.”
IBM provides tech support for a number of operating systems, including IBM i and OS/400 as well as AIX and Linux on Power Systems, but also a wide variety of Linuxes and Unixes and its various mainframe platforms, plus Windows Server and VMware hypervisors. Fixes for all of these platforms will soon be available only through encrypted downloads.
It is best to figure this out before too long. Like you needed another thing to do before the end of the year. We know.
It’s all well and good that IBM is dictating this change… But I disagree that IBM i shops are “lazy”. The lack of effort on IBM’s behalf to make this an easy transition for customers is ridiculous. The security implementation of MG Tools alone is a real PITA. And don’t even get me started on SFTP.
If IBM is forcing shops to adopt encrypted communications, then they need to make it easier to implement.
The notice went out to everyone, including customers, on Nov 23.
For anyone subscribing to IBM notifications, it was titled:
HIPER / IBM i / IBM Electronic Fix Distribution / IBM Fix Central systems will end support for unencrypted fix downloads