IBM Power Ideas Portal



Status Submitted
Workspace IBM i
Categories Security
Created by Guest
Created on Jun 13, 2024

Make managing ciphers in QSSLCSL easier using 2-digit cipher codes and use these codes everywhere

It would be easier to manage ciphers in the system value using the 2-digit codes simply because ciphers also have to be managed in SST (SSLCONFIG/TLSCONFIG), where the 2-digit code is required when adding/removing ciphers to the eligible list. Given that there are 2 places for ciphers to be managed, and usually security administrators have to initially work off something like a spreadsheet to cross-check (VLOOKUP) existing ciphers vs recommended ciphers and also take into account weak ciphers that may need to be dropped, it can be challenging comparing long cipher names.

It's made more challenging when comparing cipher names as listed in the system value QSSLCSL vs ciphers as represented in the output of TLS traces, where, in the latter case, ciphers are usually prefixed with "TLS" and may include "WITH_" in the name.


Example of SSL Trace spool file

*TLS_RSA_WITH_AES_256_CBC_SHA256 (often split over 2 lines - see IBMI-I-4114)

Example of SST when using TLSCONFIG command -connectioncounts:display

*TLS_RSA_WITH_AES_256_CBC_SHA256

Example of SST when using TLSCONFIG command -display

RSA_AES_256_CBC_SHA256*

Example of system value QSSLCSL

RSA_AES_256_CBC_SHA256


Due to this, it would be far simpler if adding/removing ciphers in QSSLCSL could be done using the 2-digit codes. By all means still display the corresponding long cipher name next to it.

It would be ideal if IBM also ensured that these 2-digit codes were always shown alongside lists of cipher names in various material. An example would be this link, which is an important reference for security administrators.

https://www.ibm.com/support/pages/configuring-your-ibm-i-system-secure-sockets-layer-ssltransport-layer-security-tls-protocols-and-cipher-suites

In that link, the 2-digit codes are listed in various parts of that page, but, for example, the Weak Ciphers section lists ciphers without the 2-digit code, so one has to go off and cross-match long names from that page vs what's on your system.

Ultimately, this request is about moving from comparing long cipher names to comparing a simple list of 2-digit codes.


Phil Howells

Australia

Idea priority Medium
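
Until codes are available everywhere, the name mismatch described in the idea can be bridged by reducing every spelling to one comparable key before cross-checking lists. The following is an added example, not part of the original idea or any IBM tooling; the normalization rule is an assumption inferred only from the four sample spellings shown above, and the extra cipher names in the sample lists are constructed.

```python
import re


def normalize(name: str) -> str:
    """Reduce a cipher name to the short QSSLCSL-style spelling.

    Assumed rule (inferred from the four samples in the idea text):
    drop leading/trailing '*', drop a 'TLS_' prefix, drop 'WITH_'.
    """
    key = name.strip().strip("*").upper()
    key = re.sub(r"^TLS_", "", key)
    return key.replace("_WITH_", "_", 1)


def compare(system_value, trace_names):
    """Cross-check configured ciphers against ciphers seen in a trace."""
    configured = {normalize(n) for n in system_value if n.strip()}
    observed = {normalize(n) for n in trace_names if n.strip()}
    return {
        "both": sorted(configured & observed),
        "configured_not_observed": sorted(configured - observed),
        "observed_not_configured": sorted(observed - configured),
    }


# The four spellings of the same cipher quoted in the idea text.
PAGE_SPELLINGS = [
    "*TLS_RSA_WITH_AES_256_CBC_SHA256",  # SSL trace spool file
    "*TLS_RSA_WITH_AES_256_CBC_SHA256",  # TLSCONFIG -connectioncounts:display
    "RSA_AES_256_CBC_SHA256*",           # TLSCONFIG -display
    "RSA_AES_256_CBC_SHA256",            # QSSLCSL system value
]

# Constructed sample lists (not taken from a real system).
SAMPLE_QSSLCSL = ["RSA_AES_256_CBC_SHA256", "RSA_AES_128_CBC_SHA"]
SAMPLE_TRACE = [
    "*TLS_RSA_WITH_AES_256_CBC_SHA256",
    "*TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for label, names in compare(SAMPLE_QSSLCSL, SAMPLE_TRACE).items():
        print(f"{label}: {', '.join(names) or '-'}")
```

Names that a trace spool file has wrapped across two lines must be rejoined before they are passed in; the exact wrap format is not shown in the idea, so it is not handled here.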