Hardening Your IBM i Ciphers

Commentary

Moving to TLS 1.2 is not enough to keep your data secure.

 

I was at the COMMON Fall Conference in Columbus, Ohio, two weeks ago, where, among other things, I presented two sessions on IBM i systems management. One of them was called "IBM i and our False Sense of Security." It was essentially a mixture of a number of security-related articles I've been writing lately.

 

The good news was that the session was absolutely packed. The bad news was that ciphers and encryption in general were not well known to the audience. That's not actually a bad thing: it showed the necessity and relevance of the session's content, and it showed that people are looking to modernize their security. Part of the session was built from another article I wrote this year, "Modernization of IBM i Security," in which I went in depth about ciphers and the different default values you get with IBM i 6.1, 7.1, and 7.2. With the release of IBM i 7.3, there's some really good news on the encryption front, which I've added to my slides but also need to share with you as an add-on article.

 

In the first article, I outlined the default ciphers loaded in each operating system release. The ciphers in this list are controlled by the QSSLCSL (Secure Sockets Layer Cipher Specification List) system value. They are outlined below with the exception of IBM i 6.1, which is no longer supported. The items marked (weak) have been deemed broken, weak, and insecure: any suite with NULL (no encryption), RC4, RC2, single DES or an export-grade 40-bit cipher, or with an MD5 MAC.

IBM i 7.1

*RSA_AES_128_CBC_SHA
*RSA_AES_128_CBC_SHA256 (requires TR6 or later installed and *TLSV1.2 enabled)
*RSA_AES_256_CBC_SHA
*RSA_AES_256_CBC_SHA256 (requires TR6 or later installed and *TLSV1.2 enabled)
*RSA_3DES_EDE_CBC_SHA
*RSA_3DES_EDE_CBC_MD5 (weak)
*RSA_DES_CBC_SHA (weak)
*RSA_EXPORT_RC4_40_MD5 (weak)
*RSA_EXPORT_RC2_CBC_40_MD5 (weak)
*RSA_NULL_SHA (weak)
*RSA_NULL_MD5 (weak)
*RSA_NULL_SHA256 (weak)
*RSA_RC2_CBC_128_MD5 (weak)
*RSA_DES_CBC_MD5 (weak)
*RSA_RC4_128_SHA (weak)
*RSA_RC4_128_MD5 (weak)

IBM i 7.2

*ECDHE_ECDSA_AES_128_CBC_SHA256
*ECDHE_ECDSA_AES_256_CBC_SHA384
*ECDHE_ECDSA_AES_128_GCM_SHA256
*ECDHE_ECDSA_AES_256_GCM_SHA384
*RSA_AES_128_CBC_SHA256
*RSA_AES_128_CBC_SHA
*RSA_AES_256_CBC_SHA256
*RSA_AES_256_CBC_SHA
*RSA_AES_128_GCM_SHA256
*RSA_AES_256_GCM_SHA384
*ECDHE_RSA_AES_128_CBC_SHA256
*ECDHE_RSA_AES_256_CBC_SHA384
*ECDHE_RSA_AES_128_GCM_SHA256
*ECDHE_RSA_AES_256_GCM_SHA384
*ECDHE_ECDSA_3DES_EDE_CBC_SHA
*ECDHE_RSA_3DES_EDE_CBC_SHA
*RSA_3DES_EDE_CBC_SHA
*ECDHE_ECDSA_RC4_128_SHA (weak)
*ECDHE_RSA_RC4_128_SHA (weak)
*RSA_RC4_128_SHA (weak)
*RSA_RC4_128_MD5 (weak)
*RSA_DES_CBC_SHA (weak)
*RSA_EXPORT_RC4_40_MD5 (weak)
*RSA_EXPORT_RC2_CBC_40_MD5 (weak)
*ECDHE_ECDSA_NULL_SHA (weak)
*ECDHE_RSA_NULL_SHA (weak)
*RSA_NULL_SHA256 (weak)
*RSA_NULL_SHA (weak)
*RSA_NULL_MD5 (weak)


As you can see, IBM i 7.1 and 7.2 have many ciphers loaded by default that are not secure. Of the sixteen suites in the 7.1 list, eleven are weak, roughly 70 percent, and that already counts the two AES SHA256 suites, which exist only on Technology Refresh 6 or later with *TLSV1.2 enabled and only show up after you add them yourself; without them it is eleven weak out of fourteen, closer to 80 percent. Adding them also meant changing the QSSLCSLCTL (Secure Sockets Layer Cipher Control) system value from *OPSYS (operating system controlled) to *USRDEF (user defined). That's pretty alarming stuff.

IBM i 7.2 is in better shape, with twelve of the twenty-nine suites (roughly 40 percent) insecure. The improvement comes from the elliptic curve ECDHE suites added to the operating system. Note that fourteen ECDHE suites appear in the 7.2 list, but only the ten AES and 3DES ones are deemed secure; the ECDHE RC4 and NULL suites are just as broken as their RSA counterparts. And the old ciphers still exist on that list.

 

On 7.3, it becomes much more secure, but with a couple of caveats.

*ECDHE_ECDSA_AES_128_GCM_SHA256
*ECDHE_ECDSA_AES_256_GCM_SHA384
*ECDHE_RSA_AES_128_GCM_SHA256
*ECDHE_RSA_AES_256_GCM_SHA384
*RSA_AES_128_GCM_SHA256
*RSA_AES_256_GCM_SHA384
*ECDHE_ECDSA_AES_128_CBC_SHA256
*ECDHE_ECDSA_AES_256_CBC_SHA384
*ECDHE_RSA_AES_128_CBC_SHA256
*ECDHE_RSA_AES_256_CBC_SHA384
*RSA_AES_128_CBC_SHA256
*RSA_AES_128_CBC_SHA
*RSA_AES_256_CBC_SHA256
*RSA_AES_256_CBC_SHA
*ECDHE_ECDSA_3DES_EDE_CBC_SHA
*ECDHE_RSA_3DES_EDE_CBC_SHA
*RSA_3DES_EDE_CBC_SHA

Each of these ciphers is loaded by default and is deemed secure. IBM has removed the older, insecure ciphers from the default list in 7.3. That's good news for you. To keep up to date with IBM's recommendations, bookmark the IBM Technote on recommended IBM i System SSL/TLS protocols and ciphers. I agree with most of its content; however, we have a difference of opinion about whether TLS 1.0 is secure. It's not, at least according to PCI compliance plans. One more caveat about this list: treat the three 3DES suites as the next to go. 3DES is a 64-bit block cipher, which leaves long-lived CBC sessions open to birthday-bound attacks (SWEET32), and NIST has since deprecated it for new use; plan on removing those suites as soon as your clients no longer need them.

 

The caveat is that if you've edited the QSSLCSLCTL system value to *USRDEF in the past and manually specified in QSSLCSL which ciphers you wanted, then those entries survive the move to 7.3. The old ciphers are no longer the default, but they're still supported. That means if you've upgraded to 7.3 from 7.1 with a user-defined list, you're not taking advantage of the new ECDHE ciphers, and it's possible you're still offering older, deprecated ones. Maybe you had to leave a broken cipher in place in 7.1 because an application required it at that release. Upgrading the operating system changes nothing about that list: the server still offers the old suite, and any client that prefers it, or only supports it, will still negotiate it.

 

To rectify this, once you are on 7.3 you can set QSSLCSLCTL back to *OPSYS, and the system will load only the 7.3 defaults into QSSLCSL. When ciphers in that default list become obsolete, change the value back to *USRDEF and remove them from QSSLCSL manually. In either case, servers that are already running may keep offering the old set until they are restarted, so restart the affected TLS-enabled servers after the change and then verify from the network side what the server actually negotiates rather than trusting the system value alone.

 

Sounds like a lot of work, doesn't it? Ciphers can be daunting at first. But if we're running secure applications, we're going to have to keep an eye on them, because ciphers do get broken and new ones do get added.

 

7.2 and 7.3 have also tightened things up on the Secure Sockets Layer (SSL) versus Transport Layer Security (TLS) protocol front. In 7.1, support for TLS 1.1 and 1.2 arrived only with Technology Refresh 6, so it's not turned on by default. You need to switch it on using the Secure Sockets Layer Protocols (QSSLPCL) system value. The 7.1 default values for QSSLPCL are SSLv3 and TLS 1.0: SSLv3 is broken outright (POODLE) and TLS 1.0 is deprecated, so both are weak in comparison to TLS 1.1 and 1.2.

 

In 7.2 and 7.3, IBM has ensured that only TLS 1.0, 1.1, and 1.2 are loaded by default in QSSLPCL. If you move to 7.3 and haven't specified any values manually, QSSLPCL will be *OPSYS (i.e., *TLSV1, *TLSV1.1, and *TLSV1.2). If you have specified it manually, make sure you don't have *SSLV2 or *SSLV3 in there, because they're still supported although highly insecure. In fact, I personally would change this from *OPSYS and specify only *TLSV1.1 and *TLSV1.2, because they're the only really secure protocols. And if you are bound by PCI requirements, this is not optional for long: PCI DSS requires migration off SSL and early TLS (TLS 1.0) by June 30, 2018, with TLS 1.2 strongly recommended.

 

Depending on which protocols you enable, you lop off support for certain ciphers, which makes the really insecure ones among them a moot point. The ciphers that work across many protocols are the ones you need to worry about. For instance, take a look at the following ciphers:

*RSA_RC4_128_SHA
*RSA_RC4_128_MD5
*RSA_NULL_SHA
*RSA_NULL_MD5

All four of these broken ciphers will negotiate under anything from SSLv3 through TLS 1.2. TLS 1.2 added new suites (the SHA256/SHA384 and GCM ones) but removed none of the old ones; RC4 was only prohibited later by a separate RFC (7465), and no TLS version before 1.3 drops the legacy suites for you. Simply moving to only TLS 1.2 will not be enough to be deemed secure. It's locking the front door but leaving the windows open.
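The cross-reference the chart below depicts can be rebuilt from generic TLS rules. The following is an added example of mine, not the article's chart and not IBM code: it takes a QSSLCSL list and a QSSLPCL list, marks which suites each protocol can negotiate, and reports which weak suites survive a given protocol policy. The sample list is a constructed subset of the 7.2 defaults above; the protocol rules are the generic ones (SHA256/SHA384-MAC and GCM suites exist only in TLS 1.2, ECDHE suites need TLS 1.0 or later per RFC 4492, export suites may not be negotiated in TLS 1.1 or later per RFC 4346, everything else works from SSLv3 up), so confirm them against IBM's QSSLCSL documentation for your release.

```python
"""Protocol-versus-cipher cross-reference for IBM i QSSLPCL and QSSLCSL.

Added example, not the article's chart and not IBM code.  The rules are
the generic TLS ones; check them against IBM's QSSLCSL documentation:
  - SHA256/SHA384-MAC and GCM suites exist only in TLS 1.2
  - ECDHE suites need TLS 1.0 or later (RFC 4492)
  - export suites may not be negotiated in TLS 1.1 or later (RFC 4346)
  - everything else works from SSLv3 up
"""

PROTOCOLS = ["*SSLV3", "*TLSV1", "*TLSV1.1", "*TLSV1.2"]  # QSSLPCL keywords, oldest first
WEAK_TOKENS = {"NULL", "RC4", "RC2", "EXPORT", "MD5", "DES"}  # article's rule; 3DES tokenises as "3DES"

# Constructed subset of the 7.2 default list quoted in the article.
SAMPLE_QSSLCSL = [
    "*ECDHE_RSA_AES_256_GCM_SHA384", "*ECDHE_RSA_AES_128_CBC_SHA256",
    "*RSA_AES_256_CBC_SHA256", "*RSA_AES_128_CBC_SHA",
    "*ECDHE_RSA_3DES_EDE_CBC_SHA", "*RSA_3DES_EDE_CBC_SHA",
    "*RSA_DES_CBC_SHA", "*RSA_EXPORT_RC4_40_MD5",
    "*RSA_RC4_128_SHA", "*RSA_RC4_128_MD5", "*RSA_NULL_SHA", "*RSA_NULL_MD5",
]


def tokens(suite):
    return set(suite.lstrip("*").upper().split("_"))


def usable_under(suite):
    """Set of QSSLPCL protocols under which this suite can be negotiated."""
    t = tokens(suite)
    if t & {"GCM", "SHA256", "SHA384"}:
        return {"*TLSV1.2"}
    if "EXPORT" in t:
        return {"*SSLV3", "*TLSV1"}
    if "ECDHE" in t:
        return {"*TLSV1", "*TLSV1.1", "*TLSV1.2"}
    return set(PROTOCOLS)


def cross_reference(qsslcsl, qsslpcl):
    """What a QSSLPCL setting leaves negotiable, what it kills, and what weak suites stay alive."""
    enabled = {p.upper() for p in qsslpcl}
    negotiable = [s for s in qsslcsl if usable_under(s) & enabled]
    return {
        "negotiable": negotiable,
        # the protocol choice alone already removes these
        "dead": [s for s in qsslcsl if not (usable_under(s) & enabled)],
        # still negotiable: these must be removed from QSSLCSL itself
        "weak_alive": [s for s in negotiable if tokens(s) & WEAK_TOKENS],
    }


def chart(qsslcsl):
    """Plain-text version of the cross-reference: 'x' where the suite is usable."""
    width = max(len(s) for s in qsslcsl)
    rows = [" " * width + "".join(p.lstrip("*").rjust(10) for p in PROTOCOLS)]
    for s in qsslcsl:
        ok = usable_under(s)
        rows.append(s.ljust(width) + "".join(("x" if p in ok else "-").rjust(10) for p in PROTOCOLS))
    return "\n".join(rows)


if __name__ == "__main__":
    print(chart(SAMPLE_QSSLCSL))
    for policy in (["*TLSV1.2"], ["*TLSV1.1", "*TLSV1.2"], ["*SSLV3", "*TLSV1"]):
        r = cross_reference(SAMPLE_QSSLCSL, policy)
        print(f"\nQSSLPCL {' '.join(policy)}: {len(r['dead'])} suite(s) dead, "
              f"{len(r['weak_alive'])} weak suite(s) still negotiable: {' '.join(r['weak_alive'])}")
```

With the sample list and QSSLPCL set to *TLSV1.2 alone, only the export suite dies; the RC4, NULL and single-DES suites are all still on offer, which is the point of the paragraph above. Whatever the script says, confirm from outside the box with a TLS scanner (for example nmap's ssl-enum-ciphers script) that the server really stops offering the removed suites.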

 

See the chart in Figure 1 cross-referencing the ciphers available versus protocol support. If I were slick, I'd find a way to put the IBM i version in there for default values, but considering IBM i will accept most of these values on any release, it really doesn't make a difference what version of the operating system you're on. Like I said above, if you've hard-coded weak ciphers and protocols, then you're using weak ciphers and protocols no matter the IBM i version.

 

Ideally, every combination of what you have listed in QSSLCSL and QSSLPCL should land in the chart's green cells. If a specific application absolutely requires a weak cipher in order to maintain support for some reason, my recommendation is to make sure every other application is configured individually to load only secure ciphers at the application configuration level. I explain how to do this in the "Modernization of IBM i Security" article. This way, you confine the exposure to that one insecure application while ensuring all other applications are not compromised.

 

Figure 1: Protocol Versus Cipher Cross-Reference

 

This is a lot of work, but how important is it? With the advent of cloud computing, it's super important. Cloud has given anyone with a PayPal account or a credit card the ability to put incredible horsepower at his or her fingertips, and cracking weak encryption keys now takes minutes and hours instead of months and years. One published demonstration factored a 512-bit RSA key on Amazon's EC2 cloud service with about $75 worth of compute in roughly four hours. In 1999, it took a supercomputer and hundreds of other computers seven months to do the same job. Those 512-bit keys are not hypothetical on IBM i, either: the *RSA_EXPORT_* suites in the lists above negotiate exactly that class of deliberately weakened key.

 

Hardening your environment isn't a major investment, but eventually you'll have to answer the following:

 

“Why are you even doing that? Nobody would want our data.”

 

I hear this. A lot. From all sorts of people.

It's a misconception, especially if you work for a small-to-medium business (SMB). SMBs are usually niche players that work with much larger players. They don't have a large IT staff with security budgets, and they may well feel that they're small enough to be overlooked by people chasing more valuable data like healthcare records. Starting to sound familiar?

In 2015, 74 percent of UK small businesses had a security breach (that they knew about), and 38 percent were attacked from the outside. That's staggering. People want your data no matter how big you are. While big companies are obvious targets, we need to stop thinking that we'll never get hit. We also need to stop thinking that the IBM i operating system is completely secure. It's not. It's highly securable, and the degree to which it is secured has a lot to do with who's doing the security and the effort they're putting forth.

As time goes on and computing power gets stronger, we need to ensure we're locking both the windows and the doors. If not, it's our data that may be in jeopardy. Don't say I didn't warn you.

Steve Pitcher
Steve Pitcher works with iTech Solutions, an IBM Premier Business Partner. He has been a specialist in IBM i and IBM Power Systems solutions since 2001. Feel free to contact him directly at spitcher@itechsol.com.