Skip to Main Content
IBM Power Ideas Portal

Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Post your ideas

Start by posting ideas and requests to this portal to enhance a Power product or service. Take a look at ideas others have posted and upvote them if they matter to you,

  1. Post an idea

  2. Upvote ideas and add comments to ideas that matter most to you

  3. Get feedback from the IBM team to refine your idea

Help IBM prioritize your ideas and requests

The IBM team may need your help to refine the ideas so they may ask for more information or feedback. The Power teams will then decide if they can begin working on your idea. If they can start during the next development cycle, they will put the idea on the priority list. Each team at IBM works on a different schedule, where some ideas can be implemented right away, others may be placed on a different schedule.

Receive notification on the decision

Some ideas can be implemented at IBM, while others may not fit within the development plans for the product. In either case, the team will let you know as soon as possible. In some cases, we may be able to find alternatives for ideas which cannot be implemented in a reasonable time.


Specific link you will want to bookmark for future use

IBM Unified Ideas Portal - https://ideas.ibm.com/ - Use this site to create or search for existing Ideas across all IBM products that are outside of Power, and track all of your personal interactions with all Ideas.

Status Not under consideration
Workspace IBM i
Categories PTF and Service
Created by Guest
Created on Nov 22, 2021

IBM to allow IBM Download Director to explicitly support NTLMv2 as an authentication method

At our bank, usually we download patches for our iSeries servers from IBM Fix Central website using FTP non-secured. But recently IBM stopped supporting anonymous/unsecure FTP clients and allows only Secure FTP (SFTP). Unfortunately, we are not able use this function since ANZ network doesn’t allow to reach the IBM site with SFTP. Our team has been downloading patches from IBM fix central website for years together – recently this change from IBM has put us into trouble in downloading PTFs that resulted us to face compliance issues as well.
We tried to use one of the downloading options “IBM Download Director”. But it didn’t work since it does not support NTLM V2 authentication for the proxy servers. To overcome this issue, we got in touch with our account manager from IBM for helping us to have the NTLM V2 authentication. The part of the response from the IBM account manager is below.
“As you can see, there are a number of different options available, but I understand that ANZ's preferred option to obtain fixes and patches is via HTTPs through their proxy servers. The proxies use NTLMv2 protocol for authentication, so any method to transfer via HTTPs must implicity or explicity support this method e.g. if IBM Download Director is used, it must support authentication via NTLMv2 (which it does not currently).

So, I think the best path forward - and this is my suggestion only - is to request an enhancement to IBM Download Director to explicitly support NTLMv2 as an authentication method, so that it can be then used to download any IBM fixes via Download Director (which uses multiple HTTPs streams).
If you can raise an RFE to request this - or if you have some other ANZ-supported method in mind - then I will try to get a call set up with the right development support folks to get us all on the same page.

Regards,

Ian Nash
Client Technical Architect
IBM Systems

IBM Australia, 60 City Road, Southbank, VIC
Office: +613-9626-6923
Mobile: 0401 717 460”

Also we got in touch with one of the architects in the IBM Electronic Support area to ask what other options can be made available - noting works for ANZ restrictions around using SFTP/FTPS secure transfer methods, and only acceptable option is to use an HTTPs method via a proxy server with NTLM v2 authentication. Current download director doesn’t support NTLM v2 authentication. We need this urgently for us to download patches from IBM website and deal with compliance/audit.


Use Case:

Trying to download PTFs but we are not able to download.


Idea priority Urgent
  • Guest
    Feb 9, 2022

    Thank you for confirming that the alternate solution worked for you. This RFE is being Declined.

  • Guest
    Feb 8, 2022

    Hello IBM Developers,
    As you said, we checked with SNDPTFORD. We can confirm that SNDPTFORD is working in our environment. You can close this RFE. Thanks much for your support.

  • Guest
    Feb 8, 2022

    The CAAC has reviewed this requirement and recommends that IBM not implement this request. Due to Security concerns, we do not recommend use of NTLMv2 as an authentication mechanism -- it is not appropriate for use in 2022.

    Background: The COMMON Americas Advisory Council (CAAC) members have a broad range of experience in working with small and medium-sized IBM i customers. CAAC has a key role in working with IBM i development to help assess the value and impact of individual RFEs on the broader IBM i community, and has therefore reviewed your RFE.

    For more information about CAAC, see www.common.org/caac

    Nancy Uthke-Schmucki - CAAC Program Manager

  • Guest
    Jan 19, 2022

    Another way to order fixes for IBM i is with the SNDPTFORD command, which uses HTTPS. This command has options for save files or images. SNDPTFORD would be typed into your IBM i partition, and the images would go to the IBM i partition directly rather than to a PC. More details are available at https://www.ibm.com/support/pages/using-sndptford-image-orders

    Would that work for you as an alternative to using Fix Central?

  • Guest
    Jan 12, 2022

    We choose "Download virtual images using Download Director" and under that "Download to PC"

  • Guest
    Dec 21, 2021

    We need more information about your request.

    Which option are you using?

    Option "Download individual fixes to my PC for installation using Systems Director"
    Option "Download virtual images using Download Director"
    --- If using the virtual image option, are you using the first button at the bottom of the screen for "Download to PC" or the second button for "Download to image catalog"?

  • Guest
    Nov 30, 2021

    More broadly, downloads of IBMi PTFs should support an HTTPs method, like downloads for AIX and Z/OS do today. While SFTP/FTPS is one option to make downloads more secure, many other Operating System fix downloads support HTTPs as a method for download from fix repositories, as port 80/443 is always allowed through externally from Corporate DMZs. Other IP ports may be restricted, or require additional justification to allow.

  • Guest
    Nov 24, 2021

    The downloads via the Java applet are another issue as it is since long not supported anymore.

    IBM should look for a replacement of the jnlp stuff.