Skip to Main Content
IBM Power Ideas Portal


This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Not under consideration
Workspace IBM i
Categories PTF and Service
Created by Guest
Created on Nov 22, 2021

IBM to allow IBM Download Director to explicitly support NTLMv2 as an authentication method

At our bank, usually we download patches for our iSeries servers from IBM Fix Central website using FTP non-secured. But recently IBM stopped supporting anonymous/unsecure FTP clients and allows only Secure FTP (SFTP). Unfortunately, we are not able use this function since ANZ network doesn’t allow to reach the IBM site with SFTP. Our team has been downloading patches from IBM fix central website for years together – recently this change from IBM has put us into trouble in downloading PTFs that resulted us to face compliance issues as well.
We tried to use one of the downloading options “IBM Download Director”. But it didn’t work since it does not support NTLM V2 authentication for the proxy servers. To overcome this issue, we got in touch with our account manager from IBM for helping us to have the NTLM V2 authentication. The part of the response from the IBM account manager is below.
“As you can see, there are a number of different options available, but I understand that ANZ's preferred option to obtain fixes and patches is via HTTPs through their proxy servers. The proxies use NTLMv2 protocol for authentication, so any method to transfer via HTTPs must implicity or explicity support this method e.g. if IBM Download Director is used, it must support authentication via NTLMv2 (which it does not currently).

So, I think the best path forward - and this is my suggestion only - is to request an enhancement to IBM Download Director to explicitly support NTLMv2 as an authentication method, so that it can be then used to download any IBM fixes via Download Director (which uses multiple HTTPs streams).
If you can raise an RFE to request this - or if you have some other ANZ-supported method in mind - then I will try to get a call set up with the right development support folks to get us all on the same page.

Regards,

Ian Nash
Client Technical Architect
IBM Systems

IBM Australia, 60 City Road, Southbank, VIC
Office: +613-9626-6923
Mobile: 0401 717 460”

Also we got in touch with one of the architects in the IBM Electronic Support area to ask what other options can be made available - noting works for ANZ restrictions around using SFTP/FTPS secure transfer methods, and only acceptable option is to use an HTTPs method via a proxy server with NTLM v2 authentication. Current download director doesn’t support NTLM v2 authentication. We need this urgently for us to download patches from IBM website and deal with compliance/audit.


Use Case:

Trying to download PTFs but we are not able to download.


Idea priority Urgent
  • Guest
    Feb 9, 2022

    Thank you for confirming that the alternate solution worked for you. This RFE is being Declined.

  • Guest
    Feb 8, 2022

    Hello IBM Developers,
    As you said, we checked with SNDPTFORD. We can confirm that SNDPTFORD is working in our environment. You can close this RFE. Thanks much for your support.

  • Guest
    Feb 8, 2022

    The CAAC has reviewed this requirement and recommends that IBM not implement this request. Due to Security concerns, we do not recommend use of NTLMv2 as an authentication mechanism -- it is not appropriate for use in 2022.

    Background: The COMMON Americas Advisory Council (CAAC) members have a broad range of experience in working with small and medium-sized IBM i customers. CAAC has a key role in working with IBM i development to help assess the value and impact of individual RFEs on the broader IBM i community, and has therefore reviewed your RFE.

    For more information about CAAC, see www.common.org/caac

    Nancy Uthke-Schmucki - CAAC Program Manager

  • Guest
    Jan 19, 2022

    Another way to order fixes for IBM i is with the SNDPTFORD command, which uses HTTPS. This command has options for save files or images. SNDPTFORD would be typed into your IBM i partition, and the images would go to the IBM i partition directly rather than to a PC. More details are available at https://www.ibm.com/support/pages/using-sndptford-image-orders

    Would that work for you as an alternative to using Fix Central?

  • Guest
    Jan 12, 2022

    We choose "Download virtual images using Download Director" and under that "Download to PC"

  • Guest
    Dec 21, 2021

    We need more information about your request.

    Which option are you using?

    Option "Download individual fixes to my PC for installation using Systems Director"
    Option "Download virtual images using Download Director"
    --- If using the virtual image option, are you using the first button at the bottom of the screen for "Download to PC" or the second button for "Download to image catalog"?

  • Guest
    Nov 30, 2021

    More broadly, downloads of IBMi PTFs should support an HTTPs method, like downloads for AIX and Z/OS do today. While SFTP/FTPS is one option to make downloads more secure, many other Operating System fix downloads support HTTPs as a method for download from fix repositories, as port 80/443 is always allowed through externally from Corporate DMZs. Other IP ports may be restricted, or require additional justification to allow.

  • Guest
    Nov 24, 2021

    The downloads via the Java applet are another issue as it is since long not supported anymore.

    IBM should look for a replacement of the jnlp stuff.