Direct links to fixes
si_52_build_5020500_interimfix_15
Media_IM_5020601_7
Media_IM_5020603_2
iSeries_Media_5020603_2.zip
iSeries_Media_5020602_6.zip
Media_IM_5020602_6
APAR status
Closed as program error.
Error description
Disable SSH or SFTP weak algorithms. You can restrict SFTP ciphers using the property SSHCipherList, where you can specify the list of allowed ciphers and exclude whatever is not required.
Local fix
RTC - 554341
Problem summary
Users Affected: All
Problem Description: Disable SSH or SFTP weak algorithms.
Platforms Affected: All
Problem conclusion
Resolution Summary: The following set of algorithms is newly supported. To use them, enable the required algorithm list in security.properties; by default, they are not enabled.

SSHKeyExchangeAlgList=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
SSHMacAlgList=hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-md5,hmac-sha1
SSHCipherList=aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,cast128-cbc,3des-cbc,twofish128-cbc,twofish192-cbc,twofish256-cbc,blowfish-cbc

When SSHMacAlgList or SSHCipherList is enabled (uncommented), the algorithms appear on the SFTP client/server adapter configurations and also under SSH profiles. SSHKeyExchangeAlgList is not exposed on the UI; if it is enabled, you can cross-validate it in the BP status to confirm the right algorithm is used.

security.properties:

# This list once enabled will be master list of algorithms for these categories for SFTP Client and SFTP Server
# If you switch to NIST mode then this list will be filtered based on NIST Compliance
# If you add CBC ciphers then please set supportCBCCiphers=true to allow the CBC ciphers in this list
#SSHKeyExchangeAlgList=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
#SSHMacAlgList=hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-md5,hmac-sha1
#SSHCipherList=aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,cast128-cbc,3des-cbc,twofish128-cbc,twofish192-cbc,twofish256-cbc,blowfish-cbc

Note: When you exclude a particular cipher from the cipher list or a MAC from the MAC list and your SFTP adapter is already configured, make sure that the Preferred Cipher and Preferred MAC selected are from the modified list. If your adapter was configured with a particular cipher or MAC and you later remove that cipher or MAC from SSHCipherList or SSHMacAlgList, adapter startup will fail when you restart SI. So make sure the Preferred Cipher and Preferred MAC are configured as per the list.

Delivered In: 5020500_15 5020601_7 5020603_2 5020602_6
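The two conditions in the note above (CBC ciphers need supportCBCCiphers=true, and an adapter's preferred cipher and MAC must remain in the edited lists) can be checked before restarting SI. The following is an added example, not IBM code: the function names and the sample file contents are constructed, the preferred cipher and MAC are passed in by hand because the page does not name the adapter settings that store them, and supportCBCCiphers is assumed to be read from the same properties text.

```python
# Added example (not IBM code): pre-restart check for security.properties edits.
SAMPLE = """\
# constructed sample: most CBC and all MD5 entries removed from the shipped lists
SSHCipherList=aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc
SSHMacAlgList=hmac-sha2-256,hmac-sha1
#SSHKeyExchangeAlgList=diffie-hellman-group14-sha1
"""

def parse_properties(text):
    """Return active key=value pairs; '#' lines are commented out (not enabled)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def alg_list(props, key):
    """Split a comma-separated algorithm list; None means the list is not enabled."""
    if key not in props:
        return None
    return [a.strip() for a in props[key].split(",") if a.strip()]

def check(props, preferred_cipher, preferred_mac):
    """Return findings to resolve before restart (hypothetical helper)."""
    findings = []
    ciphers = alg_list(props, "SSHCipherList")
    macs = alg_list(props, "SSHMacAlgList")
    if ciphers is not None:
        cbc = [c for c in ciphers if c.endswith("-cbc")]
        # Assumption: supportCBCCiphers is set in the same properties text.
        if cbc and props.get("supportCBCCiphers", "").lower() != "true":
            findings.append("CBC ciphers listed without supportCBCCiphers=true: " + ",".join(cbc))
        if preferred_cipher not in ciphers:
            findings.append("preferred cipher %s not in SSHCipherList" % preferred_cipher)
    if macs is not None and preferred_mac not in macs:
        findings.append("preferred MAC %s not in SSHMacAlgList" % preferred_mac)
    return findings

if __name__ == "__main__":
    # Constructed adapter settings that were valid before the lists were trimmed.
    for finding in check(parse_properties(SAMPLE), "3des-cbc", "hmac-md5"):
        print("FINDING:", finding)
```

A commented-out list is treated as not enabled, so no finding is raised for it.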
Temporary fix
Comments
APAR Information
APAR number
IT16762
Reported component name
STR B2B INTEGRA
Reported component ID
5725D0600
Reported release
525
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-08-25
Closed date
2017-01-30
Last modified date
2018-06-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR B2B INTEGRA
Fixed component ID
5725D0600
Applicable component levels
Business Unit: IBM Software w/o TPS
Product: Sterling B2B Integrator
Platform: Platform Independent
Version: 5.2.5
Line of Business: Sustainability Software
Document Information
Modified date:
31 August 2023