We've been trying to get the word out on this change, and it's important that everyone who does electronic software acquisition know about this. That's just about everyone, I reckon.
This should be read by all IBM customers who download software (products and service) to see if they are impacted, and for possible changes.
On April 30, 2021, IBM is planning to remove support for Transport Layer Security (TLS) 1.0 and TLS 1.1 from the IBM software download servers. The affected servers are used for downloading files for the following z/OS software offerings:
- PTFs and HOLDDATA ordered using the SMP/E RECEIVE ORDER command
- PTFs ordered using Shopz
- PTFs ordered using ServiceLink
- Products in ServerPac and CBPDO offerings ordered using Shopz
- Products in CustomPac offerings
If clients currently download files for any of the above offerings directly to their z/OS system using the HTTPS protocol, they will not be affected. However, if the FTPS protocol is used to download any of the above offerings directly to their z/OS system, they may be affected and should take action now to ensure their ability to download software products and fixes is not impacted.
More specifically, on April 30, 2021, the IBM software download servers will require download operations to connect to the server using TLS 1.2 or higher. Connection attempts using TLS 1.0 or TLS 1.1 will no longer be accepted. The SMP/E HTTPS client used for download operations will automatically use TLS 1.2 when connecting to the server. However, the z/OS Communications Server FTP client program will use TLS 1.2 only if it is configured to implement TLS using AT-TLS. Therefore, clients that currently use FTP as their download protocol must do one of the following to ensure they can continue to download from the IBM software download servers:
- Use HTTPS instead as the download protocol. IBM recommends that clients consider using HTTPS instead of FTPS, as it often avoids the network, proxy, and firewall issues that FTPS typically causes in an enterprise, and it is already in use by many clients.
- Verify that the FTP client program is configured to implement TLS using AT-TLS (the TLSMECHANISM statement in FTP.DATA specifies ATTLS).
To learn more about using the HTTPS download protocol and how to indicate which download protocol SMP/E should use, see the Preparing for secure Internet delivery webpage: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.gim3000/dsetups.htm
For information on configuring an IBM z/OS Communications Server FTP client, see the TLSMECHANISM (FTP client and server) statement https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.halz001/ftpcastlsmechanism.htm webpage.
See this reference for converting the FTP client from native System SSL to AT-TLS: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.halz002/ftp_use_attls.htm
For those of you asking about the cipher suites that will be enabled for AT-TLS when using FTPS, here they are:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
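As an added example (not IBM's code or anything from the z/OS documentation), the following Python check reads an FTP.DATA fragment and reports whether an FTPS download path still relies on the FTP client's native System SSL support, which is the configuration the post says will not use TLS 1.2, or has been switched to AT-TLS, and optionally whether a client cipher list overlaps the server list above. The FTP.DATA fragments are constructed, and the assumption that TLSMECHANISM defaults to FTP when the statement is absent is mine.

```python
# Added example (not IBM code): check an FTP.DATA fragment for the TLS 1.2-only servers.
# Assumptions: full-line comments start with ';'; TLSMECHANISM defaults to FTP when absent.
# Cipher suites the post lists as enabled on the download servers for AT-TLS.
SERVER_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def parse_ftp_data(text):
    """Map each FTP.DATA statement name to its value (both upper-cased)."""
    stmts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        parts = line.split(None, 1)
        stmts[parts[0].upper()] = parts[1].upper() if len(parts) > 1 else ""
    return stmts

def assess(ftp_data_text, client_suites=None):
    """Return (status, reason) for connecting to the TLS 1.2-only download servers."""
    s = parse_ftp_data(ftp_data_text)
    if s.get("SECURE_MECHANISM") != "TLS":
        return "NOT_FTPS", "FTP.DATA does not request TLS, so FTPS is not in use"
    mech = s.get("TLSMECHANISM", "FTP")  # assumption: FTP (native System SSL) is the default
    if mech != "ATTLS":
        return "AT_RISK", "TLSMECHANISM %s uses native System SSL; set TLSMECHANISM ATTLS" % mech
    if client_suites is not None and not SERVER_SUITES & set(client_suites):
        return "AT_RISK", "client cipher list shares no suite with the download servers"
    return "READY", "FTP client delegates TLS to AT-TLS"

# Constructed FTP.DATA fragments for the two situations the post describes.
NATIVE_SSL = """
; FTP client performs TLS itself (the configuration the post warns about)
SECURE_MECHANISM TLS
SECURE_FTP       REQUIRED
TLSMECHANISM     FTP
"""
ATTLS_READY = """
SECURE_MECHANISM TLS
SECURE_FTP       REQUIRED
TLSMECHANISM     ATTLS
"""

if __name__ == "__main__":
    for label, cfg in (("native", NATIVE_SSL), ("attls", ATTLS_READY)):
        print(label, assess(cfg))
```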
Only the following download servers are affected.
- “delivery-bld.dhe.ibm.com” with IP addresses 129.35.224.117 or 170.225.15.117
- “delivery-mul.dhe.ibm.com” with IP addresses 129.35.224.118 or 170.225.15.118
They support downloads of:
- z/OS and z/VM and z/VSE product and service orders from Shopz
- z/OS and z/VM and z/VSE service orders from ServiceLink
- z/OS service and HOLDDATA orders via SMP/E RECEIVE ORDER
And, to recap as this is important to know, the following types of downloads on these servers are NOT affected:
- FTPS Direct to Host using AT-TLS
- HTTPS Direct to Host
- HTTPS to a workstation
- Download Director to a workstation