Skip to Main Content
IBM Sterling


This portal is to open public enhancement requests for IBM Sterling products and services. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Future consideration
Categories Security
Created by Guest
Created on Mar 14, 2024

Allow System Certificates to work the same as CA Certificate groups

Currently when we generate a new System Certificate and want to install it to our HTTP Server Adapters, we need to take our environment down and schedule/coordinate the change of the certificates with all our AS2 customers. Not an easy task given our volume.


Would like to have the System Certificate worked the same way as the CA Certificate groups do. The "Group" concept allows for multiple certificates, and handles negotiating which one to use.


Other MFT software, can do this, since some of our AS2 customers just ask for the new certificate.


We are being told that in the next 2 years we are going to have to change every 90 days. This will end up being a nightmare, as well as not a good customer experience.

What is your industry? Travel & Transportation
How will this idea be used?

Need using Certificates to not be a disruptive and time consuming task.

  • Admin
    Mark Allen
    Reply
    |
    Jul 17, 2024

    Thank you for working with us to clarify your requirement. It's a good idea and we will work this into future release plans.


    Your request may not be delivered within the release currently under development, but the theme aligns with our current roadmap and, as such, is being tagged for future consideration and is part of our long-term strategy. We cannot commit to a delivery window at this time, but this is something we agree would be beneficial in the product.

    We truly value our relationship with you and appreciate your willingness to share details about your experience, your recommendations, and ideas.

    If you have any additional feedback or thoughts, or if there is anything else I can do, please do not hesitate to reply to this message to continue the conversation. We recommend having discussions with your account team in 6-9 months for roadmap updates.

    Please note: IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.

  • Admin
    Mark Allen
    Reply
    |
    Jul 10, 2024

    Hi Attila,

    In the FTP server, we have the following configuration that allows for selecting multiple certificates, each with their own start and end date:


    In the HTTP server configuration, there is only a dropdown. Just to clarify, you'd like the above mechanism implemented for the HTTP server adapter. Is this correct?


    Looking forward to your response.

    1 reply
  • Admin
    Mark Allen
    Reply
    |
    Jun 19, 2024

    Thank you for your patience. We have been discussing this internally with our development and security experts.


    We have some additional questions on your request. The original RFE body asks for one behavior, but your latest response mentions another behavior.


    A couple of options:

    1. Support multiple certificates with different time ranges. System automatically chooses the one that is not expired - avoid downtime when certs need to cut over due to expiry.

    2. Support multiple certificates with different hostnames - SNI like behavior where system matches the client's certificate with a system certificate based on hostname in the hello handshake


    Are any of the options above capturing what you are asking for? Did we get this correct or is there another option you are looking for?


    Additional questions:

    • Are you using Sterling Secure Proxy where SSL is being terminated there?

    • Are you using another proxy service that terminates SSL?


    I'm looking forward to your response. Once I can develop a clear picture of your request, I'll be able to let you know if we can add your idea to our future offering roadmap.

    1 reply
  • Admin
    Mark Allen
    Reply
    |
    May 22, 2024

    Thank you for taking the time to provide your ideas to IBM. We truly value our relationship with you and appreciate your willingness to share details about your experience, your recommendations, and ideas.

    We are currently reviewing this request with our technical team and will update the status once our analysis is complete.

  • Admin
    Mark Allen
    Reply
    |
    Apr 24, 2024

    Thank you for taking the time to provide your ideas to IBM. I truly value our relationship with you and appreciate your willingness to share details about your experience, your recommendations and ideas.

    I need a little more information to understand your idea. Are you expecting to configure multiple system certificates for the HTTP Server adapter? A system certificate typically presents a single certificate at a time, so would you expect some kind of cut-over period where one certificate stops being used at a certain datetime and cuts over to a new certificate?

    1 reply