Changes to data upload for IBM Support – Preparing customer firewalls and proxies for the upcoming infrastructure changes and disablement of deprecated ciphers – Enhanced Customer Data Repository (ECuRep) also used to upload files to Case

Flashes (Alerts)

Abstract

Risk classification – HIPER (High Impact and/or Pervasive)

Risk categories – Function Loss

Subcategories for Informational notifications – Exchanging diagnostic data with Enhanced Customer Data Repository (ECuRep) for various protocols and also used to upload files to Case

Affected Domain – Enhanced Customer Data Repository (ECuRep)

1. Public Internet IP addresses and host names
Public Internet IP addresses and DNS host names have changed for the IBM servers that support Enhanced Customer Data Repository (ECuRep) and exchanging diagnostic data and are used when support specialists may request that problem information, systems data, diagnostic data, etc. is sent to IBM. This change pertains to all operating systems and applications connecting to IBM ECuRep.

2. Disablement of deprecated ciphers
During the gradual transition to the new solution starting on 29th October 2024, and ending on 10th March 2025, IBM has disabled deprecated Ciphers used in connections to ECuRep.

Customer action might be required to ensure uninterrupted exchange of diagnostic data with ECuRep.

Content

1. Public Internet IP addresses and host names

New network connections between your machine and IBM servers are required to keep your ability to exchange diagnostic data with ECuRep. If you have a firewall in your network, you might need to make changes to allow the new connections.

IBM uses three host names for data exchange with ECuRep that are based on global load balancing and replacing the three independent installations. This document describes the DNS host names after all changes (table 1) and shows the changes required to achieve this target (table 2).

Here is the final schedule and important information to ensure a smooth completion of the gradual infrastructure transition.

Protocol	DNS host name – use host name –	Region	IP address
HTTPs	www.ecurep.ibm.com	GLOBAL	192.148.6.11 2620:1f7:c010:1:1:1:1:11 Static IP access not intended
FTPS (FTP over TLS), passive mode only	ftps.ecurep.ibm.com	GLOBAL	149.81.237.70 52.118.103.99 165.192.140.113 Static IP access not intended
SFTP (Secure FTP (SSH))	sftp.ecurep.ibm.com	GLOBAL	149.81.237.70 52.118.103.99 165.192.140.113 Static IP access not intended

Protocol

DNS host name
– use host name –

Region

IP address

HTTPs

www.ecurep.ibm.com

GLOBAL

192.148.6.11
2620:1f7:c010:1:1:1:1:11

Static IP access not intended

FTPS (FTP over TLS),
passive mode only

ftps.ecurep.ibm.com

GLOBAL

149.81.237.70
52.118.103.99
165.192.140.113

Static IP access not intended

SFTP (Secure FTP (SSH))

sftp.ecurep.ibm.com

GLOBAL

149.81.237.70
52.118.103.99
165.192.140.113

Static IP access not intended

Table 1, DNS host names for data exchange with ECuRep

Recommended Action

Firewall

IP addresses for www.ecurep.ibm.com and www.secure.ecurep.ibm.com have changed.
Ensure that the following DNS host names, IP addresses, and ports are open on your firewall. If these connections are NOT currently allowed, then you must create new firewall rules that allow them to flow. Add firewall rules for ALL new IP addresses and host names. Remove existing firewall rules where applicable.

Note 1: IP addresses are subject to change. Use DNS names whenever possible.
Note 2: Applies to protocols: HTTPS (port 443)
Note 3: www.secure.ecurep.ibm.com is scheduled for decommissioning on 2nd June, 2025.

For HTTPS, static IP address usage (non-DNS) for data exchange with ECuRep access has been deprecated. This is critical to protect ECuRep assets’ data privacy, improve the IBM ECuRep IT infrastructure security posture.

ECuRep related Testcase server directories were permanently disablement on April 21, 2025, see details here: https://www.ibm.com/support/pages/node/7173090 .

Protocol	DNS host name – use host name –	Current IP addresses (IPv4 and IPv6)	New IP addresses (IPv4 and IPv6)	Target date
HTTPS	www.ecurep.ibm.com	192.109.81.20	192.148.6.11 2620:1f7:c010:1:1:1:1:11	Implemented on Oct 29th, 2024 Use host name
HTTPS	www.secure.ecurep.ibm.com	~~192.109.81.21~~	192.148.6.11 2620:1f7:c010:1:1:1:1:11	Implemented, use www.ecurep.ibm.com Use host name Sunset of www.secure.ecurep.ibm.com on Jun 2nd, 2025 at 09:00 UTC
HTTPS	~~www.ap.ecurep.ibm.com~~	~~169.56.38.170~~	n/a	Deactivated on March 10, 2025 Use www.ecurep.ibm.com
HTTPS	~~testcase.boulder.ibm.com~~	~~170.225.126.22~~	n/a	Deactivated on April 21, 2025 Use www.ecurep.ibm.com
FTPS	ftps.ecurep.ibm.com	~~192.109.81.10~~	149.81.237.70 52.118.103.99 165.192.140.113	Implemented on March 10, 2025 Use host name
FTPS	~~ftps.ap.ecurep.ibm.com~~	~~169.56.38.162~~	n/a	Deactivated on March 10, 2025 Use ftps.ecurep.ibm.com
FTPS	~~testcase.boulder.ibm.com~~	~~170.225.126.22~~	n/a	Deactivated on April 21, 2025 Use ftps.ecurep.ibm.com
SFTP	sftp.ecurep.ibm.com	~~192.109.81.25~~	149.81.237.70 52.118.103.99 165.192.140.113	Implemented on March 10, 2025 Use host name
SFTP	~~sftp.ap.ecurep.ibm.com~~	~~169.56.38.163~~	n/a	Deactivated on March 10, 2025 Use sftp.ecurep.ibm.com
SFTP	~~testcase.boulder.ibm.com~~	~~170.225.126.22~~	n/a	Deactivated on April 21, 2025 Use sftp.ecurep.ibm.com

Table 2, gradual transition

2. Deprecated ciphers

During the gradual transition (table 2) to the new solution starting on 29th October 2024, and ending on March 10, 2025, IBM has discontinued support for deprecated ciphers used in connections to ECuRep. Connections are impacted, if using deprecated ciphers to connect to the ECuRep data exchange environment using Secure FTP, Secure HTTP.

Ensure that the connections made to the IBM servers that support Enhanced Customer Data Repository (ECuRep) are using currently approved ciphers as listed by protocol.

Approved Cipher Suites [Hexadecimal code]	HTTPS	FTPS
[0x1301] TLS_AES_128_GCM_SHA256 ( TLSv1.3)	Yes	Yes
[0x1302] TLS_AES_256_GCM_SHA384 ( TLSv1.3)	Yes	Yes
[0x1304] TLS_AES_128_CCM_SHA256 ( TLSv1.3)		Yes
[0xc02b] ECDHE_ECDSA_AES128_GCM_SHA256 (FIPS approved; TLSv1.2)
[0xc02f] ECDHE_RSA_AES128_GCM_SHA256 (FIPS approved; TLSv1.2)	Yes	Yes
[0x02c] ECDHE_ECDSA_AES256_GCM_SHA384 (FIPS approved; TLSv1.2)
[0xc030] ECDHE_RSA_AES256_GCM_SHA384 (FIPS approved; TLSv1.2)	Yes	Yes

Table 3, approved cipher suites

SFTP Server on Port 22	*Key exchange (key)*	*Encryption (enc)*	*Key Type & Length (key)*	Server Key Fingerprint (sha256)
sftp.ecurep.ibm.com	diffie-hellman-group-exchange-sha256 (1024-bit) ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521	aes128-ctr aes192-ctr aes256-ctr	1. ecdsa-sha2-nistp521 (521-bit) 2. ssh-rsa (3072-bit)	1. cuct5SerokPF0nSpP0oJu0VrP84TXKTPePAvnhdUnlE (Last key update: Nov 15, 2022) 2. NmQSXbHir/W7ymYmJ9/5Noz0/VNiX3WZscvs9O/vNE8 (Last key update: April 8, 2021)

Table 4, information for SFTP (Secure FTP (SSH))

Ensure you have currently approved ciphers in place and update any procedures, including existing JCL, jobs or tools to use the higher ciphers.

To utilize ECuRep generally, refer to the comprehensive guidelines available at www.ibm.com/support/ecurep .

The changes announced here follow on already implemented realignments such as

Date first published

31 July 2024

Related Information

IBM Support – ECuRep

[{"Type":"MASTER","Line of Business":{"code":"","label":""},"Business Unit":{"code":"","label":""},"Product":{"code":"ECUREP","label":"ECuRep notice"},"ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Tips

Changes to data upload for IBM Support – Preparing customer firewalls and proxies for the upcoming infrastructure changes and disablement of deprecated ciphers – Enhanced Customer Data Repository (ECuRep) also used to upload files to Case

Flashes (Alerts)

Abstract

Content

Date first published

Related Information

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?