IBM Support

IT16762: DISABLE SSH OR SFTP WEAK ALGORITHMS


APAR status

  • Closed as program error.

Error description

  • Disable SSH or SFTP weak algorithms.
    
    You can restrict SFTP ciphers using the property SSHCipherList,
    where one can specify the list of allowed ciphers and exclude
    whatever is not required.
    

Local fix

  • RTC -  554341
    

Problem summary

  • Users Affected:
    All
    
    Problem Description:
    
    Disable SSH or SFTP weak algorithms.
    
    Platforms Affected:
    All
    

Problem conclusion

  • Resolution Summary:
    
    The following set of algorithms is newly supported. To use them,
    enable the required algorithm list in security.properties; by
    default they are not enabled.
    
    SSHKeyExchangeAlgList=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    SSHMacAlgList=hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-md5,hmac-sha1
    SSHCipherList=aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,cast128-cbc,3des-cbc,twofish128-cbc,twofish192-cbc,twofish256-cbc,blowfish-cbc
    
    When SSHMacAlgList or SSHCipherList are enabled (uncommented),
    they appear in the SFTP client/server adapter configurations and
    under SSH profiles. SSHKeyExchangeAlgList is not exposed in the
    UI; if it is enabled, you can cross-validate it in the BP status
    to confirm the right algorithm is used.
    
    security.properties:
    # This list once enabled will be master list of algorithms for these categories for SFTP Client and SFTP Server
    # If you switch to NIST mode then this list will be filtered based on NIST Compliance
    # If you add CBC ciphers then please set supportCBCCiphers=true to allow the CBC ciphers in this list
    #SSHKeyExchangeAlgList=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    #SSHMacAlgList=hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-md5,hmac-sha1
    #SSHCipherList=aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,cast128-cbc,3des-cbc,twofish128-cbc,twofish192-cbc,twofish256-cbc,blowfish-cbc
    
    Note: When you exclude a particular cipher from the cipher list
    or a MAC from the MAC list and your SFTP adapter is already
    configured, make sure that the Preferred Cipher and Preferred MAC
    selected are from the modified list. If your adapter was
    configured with a particular cipher or MAC and you later remove
    that cipher/MAC from SSHCipherList/SSHMacAlgList, adapter startup
    will fail when you restart SI. So make sure the Preferred
    Cipher/Preferred MAC is configured as per the list.
    
    Delivered In:
    5020500_15
    5020601_7
    5020603_2
    5020602_6
    
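    The following checker is an added example and not IBM's code. It
    parses a security.properties excerpt for the three lists named in
    this APAR, flags entries its own (assumed) policy treats as weak,
    checks the supportCBCCiphers requirement from the file comments,
    and pre-checks the startup failure described in the note above.
    The Preferred Cipher/MAC values and the sample file are
    constructed inputs.

```python
# Added example, not IBM's code: lint a Sterling B2B Integrator security.properties
# excerpt for the lists this APAR introduces and pre-check the startup failure
# described in the note above.
# Checker policy (assumption, not from the APAR): CBC ciphers, MD5 and truncated
# (-96) MACs, and SHA-1 group1/group-exchange KEX are treated as weak.
WEAK = {
    "SSHCipherList": lambda a: a.endswith("-cbc"),
    "SSHMacAlgList": lambda a: a.startswith("hmac-md5") or a.endswith("-96"),
    "SSHKeyExchangeAlgList": lambda a: a in {
        "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"},
}

def parse_properties(text):
    """Return {key: value} for enabled lines; '#...' lines are not enabled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint(text, preferred_cipher, preferred_mac):
    """Findings: weak entries, CBC without supportCBCCiphers=true, and a
    Preferred Cipher/MAC that is no longer in its list (adapter won't start)."""
    props = parse_properties(text)
    findings = []
    for key, is_weak in WEAK.items():
        algs = [a for a in props.get(key, "").split(",") if a]
        findings += [f"{key}: weak algorithm {a}" for a in algs if is_weak(a)]
    ciphers = props.get("SSHCipherList", "").split(",")
    macs = props.get("SSHMacAlgList", "").split(",")
    if any(c.endswith("-cbc") for c in ciphers) and \
            props.get("supportCBCCiphers", "").lower() != "true":
        findings.append("CBC ciphers listed but supportCBCCiphers is not true")
    if "SSHCipherList" in props and preferred_cipher not in ciphers:
        findings.append(f"Preferred Cipher {preferred_cipher} not in "
                        "SSHCipherList: adapter startup will fail")
    if "SSHMacAlgList" in props and preferred_mac not in macs:
        findings.append(f"Preferred MAC {preferred_mac} not in "
                        "SSHMacAlgList: adapter startup will fail")
    return findings

# Constructed sample: KEX list left commented out, MAC list trimmed, but one
# CBC cipher kept without supportCBCCiphers=true.
SAMPLE = """\
#SSHKeyExchangeAlgList=diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
SSHMacAlgList=hmac-sha2-256,hmac-sha1
SSHCipherList=aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc
"""
```

    Running lint(SAMPLE, "aes256-ctr", "hmac-md5") reports the 3des-cbc
    entry, the missing supportCBCCiphers=true, and that hmac-md5 is no
    longer in SSHMacAlgList, so the adapter would fail to start.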

Temporary fix

Comments

APAR Information

  • APAR number

    IT16762

  • Reported component name

    STR B2B INTEGRA

  • Reported component ID

    5725D0600

  • Reported release

    525

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-08-25

  • Closed date

    2017-01-30

  • Last modified date

    2018-06-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR B2B INTEGRA

  • Fixed component ID

    5725D0600

Applicable component levels


Document Information

Modified date:
01 June 2018