IBM Support

IBM Software Electronic Delivery Change

News


Abstract

On May 1, 2021, IBM is planning to remove support for Transport Layer Security (TLS) 1.0 and TLS 1.1 from the following IBM software download servers:
“deliverycb-bld.dhe.ibm.com” with IP addresses 129.35.224.117 or 170.225.15.117
“deliverycb-mul.dhe.ibm.com” with IP addresses 129.35.224.118 or 170.225.15.118

Content

                    IBM software electronic delivery change - take notice!

On May 1, 2021, IBM is planning to remove support for Transport Layer Security (TLS) 1.0 and TLS 1.1 from the following IBM software download servers. 

    “deliverycb-bld.dhe.ibm.com” with IP addresses 129.35.224.117 or 170.225.15.117

    “deliverycb-mul.dhe.ibm.com” with IP addresses 129.35.224.118 or 170.225.15.118

This change affects:

  • FTPS direct to host downloads of z/OS product and service orders. 

This does not affect:

  • HTTPS direct to host downloads, which is the highly recommended download method
  • IBM Download Director downloads to a workstation then upload to the z/OS host system.
  • HTTPS via browser downloads to a workstation

The affected IBM software download servers support downloads of:

  • z/OS and z/VM and z/VSE product and service orders from Shopz
  • z/OS and z/VM an z/VSE service orders from ServiceLink
  • z/OS service and HOLDDATA orders via SMP/E RECEIVE ORDER

More specifically, on May 1, 2021 at 8pm Eastern, the affected IBM software download servers will require download operations to connect to the server using TLS 1.2 or higher. Connection attempts using TLS 1.0 or TLS 1.1 will no longer be accepted. The SMP/E HTTPS client used for download operations will automatically use TLS 1.2 when connecting to the server. However, the z/OS Communications Server FTP client program will use TLS 1.2 only if configured to implement TLS using AT-TLS. Therefore, if customers currently use FTPS as their download method, they must do one of the following to ensure they can continue to download from the IBM software download servers:

For information on converting the FTP client from native System SSL to AT-TLS, see Steps for migrating the FTP server and client to use AT-TLS (https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.halz002/ftp_use_attls.htm).

The cipher suites that will be enabled for AT-TLS for using FTPS are:

Cipher Suite Name (OpenSSL)

Cipher Suite Name (IANA/RFC)

AES128-SHA

TLS_RSA_WITH_AES_256_CBC_SHA   

AES256-SHA

TLS_RSA_WITH_AES_128_CBC_SHA   

AES128-SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

AES256-SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

AES128-GCM-SHA256

TLS_RSA_WITH_AES_128_GCM_SHA256

AES256-GCM-SHA384 

TLS_RSA_WITH_AES_256_GCM_SHA384

As of May 1, 2021, the Connectivity Test for SW Download Readiness can be used to test FTPS connections to the IBM download servers using TLS 1.2.  Go to Connectivity Test for SW Download Readiness (https:/www.ibm.com/marketing/iwm/iwm/web/preLogin.do?source=cbct) and select option “Secure FTP (FTPS) for ServerPac / CBPDO / CustomPac”.

Since HTTPS Direct to Host is the recommended download method, as of May 1, 2021 the Customized Offerings Driver will only support HTTPS Direct to Host and IBM Download Director to a workstation download methods for downloading the z/OS ServerPac or z/OS CBPDO order to be installed using the Customized Offerings Driver as the driving system.

As a reminder since this is important to know, the following download methods on these servers are not affected:

  • HTTPS Direct to Host
  • IBM Download Director to a workstation
  • HTTPS via browser to a workstation

[{"Line of Business":{"code":"LOB56","label":"Z HW"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG90","label":"z\/OS"},"ARM Category":[],"Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"All Version(s)"}]

Document Information

Modified date:
28 June 2021

UID

ibm16417233

Page Feedback