Support of Diffie Hellman Algorithm- Swithcing from SHA1 to SHA2

There were large architecture changes required to support these ciphers. This is subject to change, however, It is our intent to back-port this stack update in an upcoming 526x FixPack (Likely 5264) by the end of the year. 

Thank you very much Mr. Ryan for the update;

Like I conveyed earlier, We are on SI 525 and we are unlikely to upgrade to SI 6.0 at the moment. We might plan to upgrade to 526 may be in next year, I am not sure at the moment.

Do you have any plan to back port these features to SI 526 and SI525 releases ? If yes, in which Fix pack this is expected.

Kind Regards,

Harish

Please review the 6.0 documentation as cipher support has been upgraded. Review the following documentation

https://www.ibm.com/support/knowledgecenter/SS3JSW_6.0.0/integrating/integrating/integrator/SFTP_Client_Begin_Session_svc.html

You cannot configure the SSH Key Exchange algorithms to be used with SFTP in the Sterling B2B Integrator UI. To select strong SSH Key Exchange algorithms, specify the values to be used in SSHKeyExchangeAlgList in the security.properties file. For example, SSHKeyExchangeAlgList=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1. You can verify the algorithm used in the SFTP Client Begin Session service status report.

diffie-hellman-group-exchange-sha256 key exchange mechanism is what we are critically interested in and any other associated key exchange mechanisms which supports SHA2 is most welcome.

We would prefer this at the earliest due to the criticality of losing partner who are strictly enforcing SHA2 key exchange mechanisms to communicate with us using SFTP.

We also request IBM to add support for SHA256 ciphers as well.

Dear Mr. Ryan,

We had requested for SHA2 support in SSH Handshake in IBM B2B Integrator product. I also created an RFE for this. As per below email I understand it as IBM is planning this feature in future releases. I do not understand which release this feature is being planned. Just to let you know, we are on 5.2.5 release and we do not have immediate plan for upgrading to new release; at-least for the next couple of months.

As per my knowledge the current version of Maverick jars (used for SSH functionalities) does support SHA2 handshake, that way I guess with minimal effort this feature can be provided in the current release.

Not having SHA2 support in SSH handshake is preventing our customers to trade with some critical partners as some of their partners are enforcing strict SHA2 support during SSH handshake. This is impacting our business with critical partners in a big way. I would request you to expedite this feature implementation and provide this in the current release we are on. This will help our business in a big way.

Thank you very much for your understanding

Kind Regards,
Harish

Hello, thank you for particiapting in the 'Request for Enhancement' community. Your input is valued. We agree with this request and have short term plans to deliver this functionality. Fundamentally there are some stack updates required in the product before we can offer these new algorithms, however that work is well under way. Please check back here for updates and/or notify your sales account team.

All the best,

Ryan Wood

Offering Manager

Watson Customer Engagement

woodry@us.ibm.com

Several of our important partners are upgrading security standards and will not be allowing lesser algorithm than SHA2 for SSH handshake. We have been informed that we will not be able to communicate with these trading partners when the grace period runs out.

Tyco Electronics is looking to have the capability to choose to use SHA2 when directing traffic to different partners as required. We are looking at a critical business impact if the flexibility is not available soon.

Please add SHA2 support for SSH handshake as many of our partners are strictly enforcing SHA2 handshake during SSH handshake.