IBM Power Ideas Portal

Status Delivered
Workspace IBM i
Categories Security
Created by Guest
Created on Nov 14, 2016

DCM - allow automation of Let's Encrypt certificates

The Let's Encrypt certificate authority is emerging as a free and open minimum starting point for SSL certificates. However, they only issue 90-day certificates, which currently would mean manually installing a new certificate at least 4 times per year. From a security standpoint this is good because it minimizes the potential for stolen or wrongfully issued keys to be used improperly, but it adds burden to IT staff. (See https://letsencrypt.org/2015/11/09/why-90-days.html.)

Given the importance of encryption for securing servers, and in the interest of making that as easy as possible, I am asking IBM to enhance DCM to provide either direct functionality to use the Let's Encrypt CA automatically (once configured) or APIs to allow user-space programs to import certificates and assign applications so it can be done in an automated fashion. Also, this fits well with other IBM i self-managing capabilities and would be a nice feature to ease SSL implementation.

I think, given the complexities of fully automating this in DCM and how new everything is, it would probably be best to initially provide APIs and then re-evaluate whether more functionality should be added to DCM. Also, an API to do this would provide the greatest flexibility for everybody, which a specific solution might not.

Please see https://letsencrypt.org/ for more information.


Use Case:

Use case 1 - API to import and assign applications

1a open key database and import certificate in specified format
- key database (ifs path or *SYSTEM for example)
- KDB password
- import certificate format
- import certificate label
- import certificate ifs path

1b change application certificate assignment
- key database (ifs path or *SYSTEM)
- KDB password
- application id (i.e. QIBM_HTTP_SERVER_xxxxxx)
- certificate label from step 1a


Use case 2 - direct functionality built in to DCM

2a new configuration screen in DCM to set up ACME specification details (see https://github.com/ietf-wg-acme/acme/)
- external server name, e.g. www.somecompany.com
- ifs path where temporary verification files can be stored accessible via https (or other protocol specific configuration info)
- certificate label naming scheme (or managed automatically by DCM)
- list of applications that should be updated when a new certificate is installed
- some sort of user-space trigger when new certificates are installed so a restart program can be run to restart web servers and so on as appropriate

2b - program to be run from job scheduler to automatically check certificates and renew if needed


Idea priority Medium
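Use cases 2a and 2b above describe two mechanical pieces of an ACME (Let's Encrypt) client: a scheduled check of how much validity is left, and the verification file the CA fetches over HTTP. The following is an added example written for this page, not code from the post, from DCM or from any IBM API; it uses only the Python standard library. It assumes a 30-day renewal threshold (the interval ACME clients commonly use for 90-day certificates), a constructed placeholder account key that is not real, and an arbitrary web-root path. The file body it produces is the RFC 8555 key authorization, `<token>.<RFC 7638 thumbprint of the account key>`, and the token is validated before it is used as a file name because it comes from the CA, not from the operator.

```python
import base64
import hashlib
import json
import re
import ssl
from datetime import datetime, timezone
from typing import Optional, Tuple

# Assumption for this example: renew once 30 or fewer days remain on the
# 90-day certificate, which leaves room for retries before it expires.
RENEW_BEFORE_DAYS = 30

# Constructed placeholder account key for the demo; the modulus is not a real key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-for-this-example", "alg": "RS256"}


def utc(iso: str) -> datetime:
    """Parse '2021-01-01T00:00:00' as a UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> float:
    """not_after in the form Python's ssl module reports, e.g. 'Mar  1 12:00:00 2021 GMT';
    adapt the parsing if your certificate inventory reports dates differently."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400.0


def needs_renewal(not_after: str, now: Optional[datetime] = None) -> bool:
    """The decision a job-scheduler entry (use case 2b) makes on each run."""
    return days_until_expiry(not_after, now) <= RENEW_BEFORE_DAYS


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexicographically ordered,
    no whitespace. Optional members such as 'alg' or 'kid' must not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: '<token>.<thumbprint of the account key>'."""
    return "{}.{}".format(token, jwk_thumbprint(account_jwk))


def is_valid_token(token: str) -> bool:
    """ACME tokens are base64url; anything else (e.g. '../') must never become a file name."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", token) is not None


def challenge_file(webroot: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """(path, body) of the file the CA fetches at http://<host>/.well-known/acme-challenge/<token>.
    webroot is the directory the web server serves; the IFS path used here is assumed."""
    if not is_valid_token(token):
        raise ValueError("refusing non-base64url ACME token as a file name")
    path = "{}/.well-known/acme-challenge/{}".format(webroot.rstrip("/"), token)
    return path, key_authorization(token, account_jwk)


if __name__ == "__main__":
    print(needs_renewal("Mar  1 12:00:00 2021 GMT"))          # already expired, so True
    path, body = challenge_file("/www/acme/htdocs", "exampleTokenFromTheCA", ACCOUNT_JWK)
    print(path)
    print(body)
```

The thumbprint is computed over the canonical form of the key, so the same account key always yields the same key authorization no matter how the stored JWK is ordered or annotated. The scheduler check deliberately renews well before expiry: a failed renewal attempt then leaves time for a retry, which is the operational reason behind the 90-day lifetime the post cites.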
  • Guest
    Sep 25, 2020

    Please backport this API to V7R3.

    See https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=145325

  • Guest
    Jul 7, 2020

    APIs are available in IBM i 7.4 to help automate a Let's Encrypt scenario.

    The primary API that was provided in IBM i 7.4 to enable the scenario is QycdRenewCertificate. When using this API with format RNWC0300, the updated certificate gets imported into the DCM certificate store. The automated renewal process with Let's Encrypt uses the original certificate signing request (CSR) to make subsequent certificate requests, which means the original private key remains in the DCM certificate store and the new certificate from Let's Encrypt containing the associated public key will replace the old certificate during import. Continually using the existing CSR to receive a new certificate from Let's Encrypt and calling QycdRenewCertificate with format RNWC0300 to import the new certificate is therefore the preferred method to automate the Let's Encrypt scenario.

    If the automated process generates a new public/private key pair and new CSR using QycdRenewCertificate format RNWC0100, the import of the certificate with format RNWC0200 generates a new certificate label. This process requires special handling of the CSR data and requires additional calls to update the certificate assignment for the Application Definitions using the QycdRemoveCertUsage and QycdUpdateCertUsage APIs.
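The RNWC0300 path in the comment above depends on the CSR, and therefore the private key in the DCM store, staying unchanged, so the certificate that comes back must carry exactly the public key in that CSR. The following is an added example written for this page, not IBM code and not a DCM API: a pre-import guard a renewal job can run on the PEM files it holds. It pulls the SubjectPublicKeyInfo out of the new certificate and out of the original CSR with a minimal DER walker from the Python standard library and reports whether they match. The DER objects built at the bottom are constructed, unsigned stand-ins shaped like a real certificate and request so the example runs offline; on a real system the inputs would be `pem_to_der(open(path).read())` for the two files.

```python
import base64
import hashlib
import re
from typing import List, Tuple

SEQUENCE, INTEGER, BIT_STRING = 0x30, 0x02, 0x03
CONTEXT_0 = 0xA0                                            # [0] EXPLICIT: optional Certificate version
RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")    # OID 1.2.840.113549.1.1.1
SHA256_WITH_RSA = bytes.fromhex("06092a864886f70d01010b")   # OID 1.2.840.113549.1.1.11


def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element). Single-byte tags only,
    which covers every element on the path to SubjectPublicKeyInfo."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split a SEQUENCE's content into (tag, raw element bytes) pairs."""
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, _, pos = _read_tlv(content, pos)
        out.append((tag, content[start:pos]))
    return out


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> [version] serialNumber signature issuer
    validity subject subjectPublicKeyInfo ...; return the raw SPKI element."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == CONTEXT_0:            # v2/v3 certificates carry an explicit version
        fields = fields[1:]
    return fields[5][1]


def spki_from_csr(csr_der: bytes) -> bytes:
    """CertificationRequest -> certificationRequestInfo -> version subject
    subjectPKInfo attributes; return the raw SPKI element."""
    _, req, _ = _read_tlv(csr_der, 0)
    _, info, _ = _read_tlv(req, 0)
    return _children(info)[2][1]


def spki_fingerprint(spki: bytes) -> str:
    """Stable value to log next to the DCM certificate label."""
    return hashlib.sha256(spki).hexdigest()


def same_key(cert_der: bytes, csr_der: bytes) -> bool:
    """True only when the certificate was issued for exactly the key in the CSR."""
    return spki_from_certificate(cert_der) == spki_from_csr(csr_der)


# Constructed test data: shaped like real DER, but unsigned and with fake key bits.
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _seq(*parts: bytes) -> bytes:
    return _tlv(SEQUENCE, b"".join(parts))


def fake_spki(key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo { algorithm rsaEncryption NULL, subjectPublicKey BIT STRING }."""
    return _seq(_seq(RSA_ENCRYPTION, b"\x05\x00"), _tlv(BIT_STRING, b"\x00" + key_bytes))


def fake_certificate(spki: bytes) -> bytes:
    empty_name = _seq()
    tbs = _seq(_tlv(CONTEXT_0, _tlv(INTEGER, b"\x02")),              # version v3
               _tlv(INTEGER, b"\x01"),                               # serialNumber
               _seq(SHA256_WITH_RSA), empty_name,                    # signature, issuer
               _seq(_tlv(0x17, b"210101000000Z"), _tlv(0x17, b"210401000000Z")),
               empty_name, spki)                                     # subject, SPKI
    return _seq(tbs, _seq(SHA256_WITH_RSA), _tlv(BIT_STRING, b"\x00"))


def fake_csr(spki: bytes) -> bytes:
    info = _seq(_tlv(INTEGER, b"\x00"), _seq(), spki, _tlv(CONTEXT_0, b""))
    return _seq(info, _seq(SHA256_WITH_RSA), _tlv(BIT_STRING, b"\x00"))
```

This compares only the key: chain, validity period and the host names in the certificate still need their own checks before the import call, and a mismatch here means the automation picked up the wrong file or a regenerated key, in which case the RNWC0100/RNWC0200 path with its label and application-assignment handling applies instead.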

  • Guest
    May 4, 2018

    DCM is expanding the list of APIs in the future to allow more management of certificates to be done via customized automated applications.
    The APIs that can be expected in the future include the following:

    1. Update an application with a specified certificate.
    2. Check for a certificate associated with an application.
    3. Remove a certificate from an application.
    4. Add a CA trust relationship with an application.
    5. Check for CA trust relationship with an application.
    6. Remove CA trust from application.
    7. A. Request a certificate to be renewed and get a certificate signing request.
    B. Import an issued certificate that was requested for renewal.

  • Guest
    Sep 25, 2017

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - Power Systems
    Product - IBM i
    Component - Security
    Operating system - IBM i
    Source - None

    For record keeping, the previous attributes were:
    Brand - Servers and Systems Software
    Product family - Power Systems
    Product - IBM i
    Component - Web Serving
    Operating system - IBM i
    Source - None