IBM i 7.6 Brings More Security Improvements Than Just MFA
April 14, 2025 Alex Woodie
Multi-factor authentication (MFA) is the big headliner with IBM i 7.6, which IBM begins shipping at the end of the week. This is good and right, since IBM i customers have been begging IBM to add MFA to the platform for so long. But the new IBM i release brings several other major security enhancements that customers will appreciate too, including a new command to disable non-secure connections, new encryption algorithms, streamlined regulatory compliance, and an easy way to tell what security patches have been applied, among others.
IBM has made it clear that it is taking security seriously on its IBM i platform. This is good news for the IBM i community, which has labeled security the top concern for eight straight years, according to Fortra’s IBM i Marketplace Study. IBM i may be among the most secure-able systems on the planet, but too many IBM i shops have not taken the steps to properly configure their systems, which leaves data and applications vulnerable.
That’s not to say that IBM is not involved in improving security. Big Blue has done lots of things to improve security in IBM i over the years, including tightening password requirements, limiting insecure default settings, jettisoning Level 20 security, making TLS the default for wire encryption, and making it easier to analyze the audit journal. Going all the way back to 1994, the addition of exit points with OS/400 V3R1 can even be considered a security enhancement.
IBM made security a big focus with the launch of IBM i 7.5, which eliminated the ability to use default passwords (remember the good old days when your password could be the same as your user ID?), among other things. But with the launch of IBM i 7.6, one could make the argument that IBM has never focused as much on improving security as it has with this release.
The new release is chock full of security improvements, starting with the introduction of a native MFA facility that uses time-based one-time passcodes (TOTP) generated by authentication apps to authenticate IBM i users when they sign in. It is, indeed, a “massive security improvement,” as IBM i security architect Tim Mullenbach told IT Jungle for last week’s IBM i 7.6 launch.
A native IBM i MFA facility had been requested so many times over the years by so many influential groups – the COMMON Americas Advisory Council (CAAC), COMMON Europe Advisory Council (CEAC), the Large User Group (LUG), and IBM’s ISV Advisory Council – that customers gladly accepted a delay in other IBM i feature requests to get MFA done.
“Some of these things – and MFA is one of them – are so pervasive throughout the operating system that if we choose to do that, we have to delay doing other things,” IBM i CTO Steve Will, who also holds the title of IBM i chief architect and IBM Distinguished Engineer, said during his “Three Steves” webinar on IBM i 7.6 last week. “Every one of these advisory councils, when they saw the things we could work on, said ‘Absolutely, you guys are right. You should work on MFA. Yes, those other things are important, but we really ought to have MFA.’”
The good news is that the all-hands-on-deck push to build MFA and extend its tentacles throughout the operating system didn’t prevent IBM from working on other security enhancements in 7.6. IBM also is shipping IBM i 7.5 Technology Refresh 6 this Friday – Good Friday, as it were (and we hope it will be one) – but the vast majority of security enhancements will require a move to 7.6.
For starters, IBM is delivering a new Configure Host Server (CFGHOSTSVR) command that allows the administrator to control whether non-secure connections are allowed for supported host servers, including central, database, data queue, file, network print, remote command, and sign-on.
The command allows admins to individually enable, disable, or allow loopback for non-secure connections for each of these servers. For host servers that only support non-secure connections, including the virtual print, transfer, and network drive servers, the command allows the admin to set whether the LISTEN keyword is enabled or not. More information about CFGHOSTSVR can be found on the IBM Support website here.
IBM is also delivering a new function that lets admins create user profiles that have read-only rights to view I/O system configuration information, without *IOSYSCFG Special Authority. This could be useful for granting outside auditors some access to the system without giving them too much authority (which would not be good for passing an audit). More information is available from IBM Support at this link.
Strong AES encryption algorithms are now enabled by default when using Kerberos, the network authentication protocol that’s widely used for single sign-on (SSO) environments. The default encryption types when creating a new entry are now AES256 and AES128. Previously, admins could select from a range of encryption types when configuring Kerberos, including Cipher Block Chaining with Data Encryption Standard (CBCDES), CBCDES3, DESHMAC, and Arcfour, in addition to the AES crypto algorithms. You can read more about that here.
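The practical follow-up to that default change is checking existing configurations for the legacy encryption types the paragraph names. The following is an added example, not IBM code: it reads a krb5.conf-format file (the MIT Kerberos format with `default_tkt_enctypes`, `default_tgs_enctypes` and `permitted_enctypes` keys in `[libdefaults]`; that IBM i’s network authentication configuration uses this format is an assumption here) and reports any DES, 3DES or RC4/Arcfour entries. Both sample files are constructed: one with the weak legacy list, one with the AES-only list matching the new default.

```python
# Enctype names (MIT Kerberos spelling) that should no longer appear in a configuration.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
    "des3-cbc-sha1", "des3-hmac-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "rc4-hmac",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: a legacy configuration that still lists DES, 3DES and RC4.
WEAK_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc arcfour-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc arcfour-hmac
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc arcfour-hmac

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Constructed sample: the corrected, AES-only configuration.
HARDENED_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_libdefaults(text: str) -> dict:
    """Return the key -> [values] settings of the [libdefaults] section.

    Only that flat section is needed; values may be space- or comma-separated.
    """
    section = None
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.replace(",", " ").split()
    return settings


def weak_enctype_findings(text: str) -> dict:
    """Map each enctype key to the weak names it lists; empty dict means clean."""
    settings = parse_libdefaults(text)
    findings = {}
    for key in ENCTYPE_KEYS:
        bad = [v for v in settings.get(key, []) if v.lower() in WEAK_ENCTYPES]
        if bad:
            findings[key] = bad
    return findings


if __name__ == "__main__":
    for name, conf in (("legacy", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", weak_enctype_findings(conf) or "no weak enctypes")
```

Removing the weak names from the client side only helps if the KDC and the service principals have AES keys; after the change, a failure to obtain a ticket for an old service is the signal that its keytab still needs re-keying rather than a reason to re-enable DES.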
IBM has updated the crypto algorithms used under its IBM i Cryptographic Services APIs. First, IBM has created a new Key Derivation Function (QC3KDF) API that uses an algorithm recommended by NIST for password hashing, the Password Based Key Derivation Function 2 (PBKDF2). This algorithm derives keying material from passwords, master keys, or other secret values, according to IBM’s documentation on QC3KDF.
With the new QC3KDF API, IBM is also enabling customers to use other crypto algorithms with their keystores and existing APIs, including four new elliptic curve (ECC) key types (x25519, x448, ed25519, and ed448) and several new symmetric key types (ChaCha20, Poly1305, SHA3-224, SHA3-256, SHA3-384, and SHA3-512). Together with built-in MFA, this should go a long way to bolstering authentication.
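What PBKDF2 actually does, and why it matters for stored password verifiers, is easier to see in a worked example. The block below is added here and is not IBM’s QC3KDF API or its calling convention; it uses Python’s `hashlib.pbkdf2_hmac` to show the same RFC 8018 derivation the paragraph describes: a salt and an iteration count stretch a low-entropy password into fixed-length keying material, the parameters are stored alongside the result, and verification re-derives and compares in constant time. The iteration counts and record format are this example’s own choices, not IBM defaults.

```python
import base64
import hashlib
import hmac
import os

# Work factor assumed for this example (not an IBM default): OWASP's guidance
# for PBKDF2-HMAC-SHA256. Records below MIN_ITERATIONS are refused on verify.
ITERATIONS = 600_000
MIN_ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32


def derive_key(password: bytes, salt: bytes, iterations: int,
               dklen: int = KEY_BYTES, hash_name: str = "sha256") -> bytes:
    """PBKDF2 (RFC 8018): iterate HMAC-<hash> over the password and salt to turn a
    low-entropy secret into `dklen` bytes of keying material."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Produce a self-describing record: algorithm$iterations$salt$key (base64 fields)."""
    salt = os.urandom(SALT_BYTES)  # fresh per password, so equal passwords differ on disk
    key = derive_key(password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters stored in the record and compare in constant time."""
    algorithm, iterations_str, salt_b64, key_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    iterations = int(iterations_str)
    if iterations < MIN_ITERATIONS:
        # A tampered or legacy record with a tiny work factor must not be trusted.
        raise ValueError("iteration count below policy minimum")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = derive_key(password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password accepted:", verify_password("Tr0ub4dor&3", record))
```

Storing the iteration count in the record is what lets a site raise its work factor later and re-hash on next login; the policy minimum in `verify_password` is the companion check that stops an attacker who can write to the credential store from silently lowering it.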
IBM has enhanced the IBM i Debugger servers to support TLS v1.3 with IBM i 7.6 when configured using Digital Certificate Manager (DCM) application definitions. “Each IBM i Debugger client user performs one-time configuration actions to store a local copy of the issuing Certificate Authority [CA] certificate to verify the server’s identity,” IBM writes in its software announcement. “The client user then selects the Transport Layer Security check box when performing the Sign On action.”
IBM has supported encryption of Auxiliary Storage Pools (ASPs) for many years, and now, finally, users can encrypt data held in the system ASP, or ASP1. This is done through the System Service Tools (SST) disk configuration options, assuming a user has installed option 45 (Encrypted ASP Enablement), which is necessary for this to work.
The encryption keys are stored in the LIC, and there is no downtime associated with turning the ASP1 encryption on and off, said Steve Bradshaw, the managing director of Rowton IT Solutions and IBM Champion. “This was something that I’ve personally been championing for,” Bradshaw added during the “Three Steves” webcast.
IBM has also added an option to store the iSCSI Challenge-Handshake Authentication Protocol (CHAP) authentication credentials in PowerVM’s Platform KeyStore (PKS). This provides an extra layer of encryption to protect sensitive information stored on iSCSI-connected devices, such as virtual tape libraries (VTLs). Users can create isolated PKS repositories and allocate access to the data on a per logical partition (LPAR) basis. You can read more about this here and here.
The final IBM i 7.6-specific security enhancement has to do with program temporary fixes (PTFs), specifically security PTFs. IBM is now giving customers an easy way to tell when a specific security PTF has been applied to their systems.
“As tracking security PTFs becomes increasingly important, reporting when the latest Security PTF Group was applied is also important information,” IBM says in its announcement letter. “The PTF Group apply date is now shown on the Display PTF Group (DSPPTFGRP) display to help simplify the task of tracking the apply date without having to track down individual PTFs within the group. The PTF Group apply date can also be retrieved with the List PTF Group Details (QpzListPtfGroupDetails) API.”
IBM i 7.5 TR6 also brings one security enhancement: Improvements to the DCM.
DCM has been enhanced to require communications using TLS across the internal network; to improve how the certificate hierarchy is viewed; to allow exporting a server/client certificate that has a private key to a PKCS12 file without including the private key; to add a “show/hide” icon to the password field on the login page; to add a new MFA “additional factor” field; and to add new selection buttons and filters on the “add and remove certificate assignment” actions for performing bulk actions. This enhancement is also available in 7.6.
You can read more about the new releases of IBM i on the IBM i Technology Updates portion of the IBM Support website. You can also read the IBM i 7.6 announcement here, while the IBM i 7.5 TR6 announcement letter is here.
RELATED STORIES
IBM i 7.6 Delivers “Massive Security Improvement” With Built-In MFA
Cybersecurity Still Top IBM i Concern, But AI And Others Are Creeping Up
Thoroughly Modern: Still Making These Six IBM i Security Faux Pas? STOP!