Watson Supply Chain Ideas


Request to disable SFTP Weak Encryption and MAC Algorithms

Our B2BI is running in the IBM SoftLayer data center. Based on the IBM security policies, SFTP/SSH Weak Encryption and MAC Algorithms are not allowed; we need to be able to disable the following weak algorithms. The following are the weak algorithms and vulnerability IDs.

>>>>>>
Medium - [22/tcp/ssh] - SSH Weak Algorithms Supported
Vuln ID 381945 - Nessus Plugin ID 90317
The following weak server-to-client encryption algorithms are supported : arcfour arcfour128 arcfour256
The following weak client-to-server encryption algorithms are supported : arcfour arcfour128 arcfour256

Low - [22/tcp/ssh] - SSH Weak MAC Algorithms Enabled
Vuln ID 353707 - Nessus Plugin ID 71049
The following client-to-server Message Authentication Code (MAC) algorithms are supported : hmac-md5 hmac-md5-96 hmac-sha1-96
The following server-to-client Message Authentication Code (MAC) algorithms are supported : hmac-md5 hmac-md5-96 hmac-sha1-96
<<<<<<<<

Support suggested using NIST mode, but this limits the SFTP key size to 2048 or higher, and there are partners that use a 1024 key size.
  • Guest
  • Dec 19 2017
  • Already exists
What is the idea priority? High
DeveloperWorks ID DW_ID95901
RTC ID RTC_ID517637
Link to original RFE http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=95901
  • Admin
    Ryan Wood commented
    February 13, 2018 21:52

    Thank you for participating in the idea community. We can confirm that this has been delivered. 

    Please see the following blog:

    In IBM B2B Integrator 5.2.6.3_2 it is now possible to restrict the use of specific Ciphers, MAC (Message Authentication Code) algorithms, and Key exchange algorithms in both the client and server side of the SFTP protocol:

    https://www.ibm.com/developerworks/community/blogs/2f9ef931-1ac3-4d9b-a8ca-6e3f01b13889/entry/IBM_Sterling_B2B_Integrator_How_to_restrict_specific_Ciphers_Algorithm_in_SFTP_Communication?lang=en_nz

    You can add the parameters to customer_overrides.properties for example:

    security.SSHMacAlgList=hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-md5,hmac-sha1
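
The following is an added example, not part of the original thread or of IBM's documentation: a check that reads a customer_overrides.properties-style file and reports whether `security.SSHMacAlgList` still lists any MAC named in the Nessus finding quoted in the request. The sample file content is constructed, the function names are hypothetical, and the parser is a simplified reading of the Java properties format.

```python
# Added example: audit security.SSHMacAlgList against the Nessus finding above.

# MAC names copied from the "SSH Weak MAC Algorithms Enabled" output in the request.
NESSUS_WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
MAC_PROPERTY = "security.SSHMacAlgList"  # property named in the admin comment


def parse_properties(text):
    """Parse Java-style .properties text: comments, key=value or key:value,
    and backslash line continuations. Later keys override earlier ones."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # sentinel flushes a dangling continuation
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2:  # odd number of backslashes: value continues on next line
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def audit_mac_list(props, weak=NESSUS_WEAK_MACS):
    """Return (status, flagged, kept) for the configured MAC list."""
    if MAC_PROPERTY not in props:
        return ("not-set", [], [])  # no override present in this file
    configured = [a.strip().lower() for a in props[MAC_PROPERTY].split(",") if a.strip()]
    flagged = [a for a in configured if a in weak]
    kept = [a for a in configured if a not in weak]
    return ("weak-macs-listed" if flagged else "ok", flagged, kept)


# Constructed sample file content (not taken from a real deployment).
SAMPLE = """\
# constructed sample
security.SSHMacAlgList=hmac-sha2-256,hmac-sha1-96,\\
    hmac-md5,hmac-sha1
"""

if __name__ == "__main__":
    status, flagged, kept = audit_mac_list(parse_properties(SAMPLE))
    print(status, "flagged:", flagged, "kept:", kept)
```
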