Watson Supply Chain Ideas

Request to disable SFTP Weak Encryption and MAC Algorithms

Our B2BI is running in the IBM SoftLayer data center. Based on the IBM security policies, SFTP/SSH weak encryption and MAC algorithms are not allowed, so we need to be able to disable the following weak algorithms. The following are the weak algorithms and vulnerability IDs.

>>>>>>
Medium - [22/tcp/ssh] - SSH Weak Algorithms Supported
Vuln ID 381945 - Nessus Plugin ID 90317
The following weak server-to-client encryption algorithms are supported : arcfour arcfour128 arcfour256 The following weak client-to-server encryption algorithms are supported : arcfour arcfour128 arcfour256

Low - [22/tcp/ssh] - SSH Weak MAC Algorithms Enabled
Vuln ID 353707 - Nessus Plugin ID 71049
The following client-to-server Message Authentication Code (MAC) algorithms are supported : hmac-md5 hmac-md5-96 hmac-sha1-96 The following server-to-client Message Authentication Code (MAC) algorithms are supported : hmac-md5 hmac-md5-96 hmac-sha1-96
<<<<<<<<

Support suggested using NIST mode, but this limits the SFTP key size to 2048 or higher, and there are partners who use a 1024 key size.
  • Guest
  • Dec 19 2017
  • Already exists
What is the idea priority? High
DeveloperWorks ID DW_ID95901
RTC ID RTC_ID517637
Link to original RFE http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=95901
  • Admin
    Ryan Wood commented
    February 13, 2018 21:52

    Thank you for participating in the idea community. We can confirm that this has been delivered. 

    Please see the following blog:

    In IBM B2B Integrator 5.2.6.3_2 it is now possible to restrict the use of specific ciphers, MAC (Message Authentication Code) algorithms, and key exchange algorithms on both the client and server side of the SFTP protocol:

    https://www.ibm.com/developerworks/community/blogs/2f9ef931-1ac3-4d9b-a8ca-6e3f01b13889/entry/IBM_Sterling_B2B_Integrator_How_to_restrict_specific_Ciphers_Algorithm_in_SFTP_Communication?lang=en_nz

    You can add the parameters to customer_overrides.properties for example:

    security.SSHMacAlgList=hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-md5,hmac-sha1
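
As an added example (not part of the original thread and not IBM's code), this Python check reads customer_overrides.properties text and reports which entries in security.SSHMacAlgList match the MACs listed in the Nessus plugin 71049 output quoted above; run on the example value from the comment, it reports hmac-sha1-96, hmac-md5-96 and hmac-md5. The weak set is only what the scan on this page listed, and the function names are assumptions made for illustration.

```python
# Added example: audit customer_overrides.properties text for the MAC
# algorithms that Nessus plugin 71049 reported in this thread.

# Weak MACs exactly as listed in the scan output quoted on this page.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
MAC_KEY = "security.SSHMacAlgList"  # parameter name from the admin comment


def parse_properties(text):
    """Minimal Java .properties reader (hypothetical helper): comments,
    key=value or key:value, backslash continuations. No escape handling."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # sentinel flushes a trailing continuation
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def audit_mac_list(text):
    """Return (allowed, weak) MAC lists, or (None, None) if the key is unset."""
    props = parse_properties(text)
    if MAC_KEY not in props:
        return None, None
    macs = [m.strip().lower() for m in props[MAC_KEY].split(",") if m.strip()]
    weak = [m for m in macs if m in WEAK_MACS]
    return [m for m in macs if m not in WEAK_MACS], weak


# Constructed input: the example value from the admin comment, rejoined.
SAMPLE = """# customer_overrides.properties (constructed sample)
security.SSHMacAlgList=hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-md5,hmac-sha1
"""

if __name__ == "__main__":
    allowed, weak = audit_mac_list(SAMPLE)
    print("still flagged by plugin 71049:", weak)
    print("remaining MACs:", ",".join(allowed))
```

A `(None, None)` result means the override is absent, so the product's default MAC list applies and should be checked with a rescan.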