IBM i Security and Vulnerabilities User Group

  • 1.  Share encryption

    Posted Tue November 12, 2024 04:28 AM

    Hello

    I noticed that there is the possibility to set "Encryption required=Yes" for a share and to set "Encrypt connections = Required" on IBM i NetServer Properties.
    Does anybody have experience with this?
    I have set it up on my test server, and restarted NetServer.
    My shares still work fine. But is the connection encrypted?

    I am wondering that IBM just ignores that field in this description: Creating an IBM i NetServer File Share
    And I can't find other relevant documentation.



    ------------------------------
    Denis Roche
    ------------------------------


  • 2.  RE: Share encryption

    Posted Wed November 13, 2024 03:13 AM

    Hello Denis,
    not sure which IBM i release you are on, but please have a look at the following IBM Technote: https://www.ibm.com/support/pages/ibm-i-netserver-smb-protocol-version-control-guide to check SMB support per IBM i OS version. 
    To my understanding, by setting Encrypted connections to REQUIRED and the same for each file share, as well as by making sure you have enabled both protocols SMB2 and SMB3 on IBM i NetServer, I think you are ok, assuming your Windows environment supports SMB3.

    Please note the following statement from the above IBM Technote:

    "SMB3 will not work if you disable SMB2. Right now on the IBM i SMB3 is a superset of SMB2.
    SMB2 must stay enabled! To make Clients negotiate with SMB3 only you must have SMB2 enabled and set the option Encrypt connections to *REQUIRED."

    And lastly the encrypted traffic will go through the usual port 445.

    Good luck,
    regards,

    Nikos



    ------------------------------
    NIKOS METAXATOS
    ------------------------------



  • 3.  RE: Share encryption

    Posted Wed November 13, 2024 03:46 AM

    Thank you very much Nikos.

    This technote is just the one that I couldn't find myself.

    We upgraded earlier this year from V7R2 to V7R5 and I forgot to check which SMB version we were running on the new server. Now this is also done. Thank you again.



    ------------------------------
    Denis Roche
    ------------------------------



  • 4.  RE: Share encryption

    Posted Wed November 13, 2024 09:57 AM

    Hello Denis,

    In addition, if you still want to confirm if the encryption is really enabled, you can collect a network trace and should see that the text file in the package is not in readable format.



    ------------------------------
    Rohit Chauhan
    Senior Technical Specialist
    Norway
    ------------------------------
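
Added example (not part of the thread or of IBM's documentation): one way to check a network trace of port 445, as suggested in the last reply, without relying on eyeballing the payload. Encrypted SMB3 messages start with the transform header marker `0xFD 'S' 'M' 'B'`, while unencrypted SMB2/SMB3 messages start with `0xFE 'S' 'M' 'B'`. The script assumes the TCP stream has already been reassembled into bytes, assumes that with the NetServer-level "Encrypt connections = Required" setting only NEGOTIATE and SESSION_SETUP should appear unencrypted, and uses constructed sample streams.

```python
import struct

PLAIN, ENCRYPTED = b"\xfeSMB", b"\xfdSMB"  # SMB2 header vs. SMB3 transform header
HANDSHAKE = {0: "NEGOTIATE", 1: "SESSION_SETUP"}  # sent before session keys exist

def split_messages(stream: bytes):
    """Split a reassembled port-445 TCP stream into SMB messages.
    Direct TCP framing: one zero byte, then a 3-byte big-endian length."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        msg = stream[pos + 4:pos + 4 + length]
        if stream[pos] != 0 or len(msg) < length:
            break  # not SMB framing, or capture truncated mid-message
        yield msg
        pos += 4 + length

def audit_stream(stream: bytes) -> dict:
    """Count encrypted messages and list plaintext ones seen after the handshake."""
    report = {"encrypted": 0, "handshake": 0, "plaintext": []}
    for index, msg in enumerate(split_messages(stream)):
        magic = msg[:4]
        if magic == ENCRYPTED:
            report["encrypted"] += 1
        elif magic == PLAIN and len(msg) >= 14:
            command = struct.unpack_from("<H", msg, 12)[0]  # Command field at offset 12
            if command in HANDSHAKE:
                report["handshake"] += 1
            else:
                report["plaintext"].append((index, command))
        else:
            report["plaintext"].append((index, None))  # SMB1 or unrecognised data
    report["encryption_in_effect"] = report["encrypted"] > 0 and not report["plaintext"]
    return report

def _frame(payload: bytes) -> bytes:
    return b"\x00" + len(payload).to_bytes(3, "big") + payload

def _plain(command: int, body: bytes = b"") -> bytes:
    # Constructed 64-byte SMB2 header: only ProtocolId, StructureSize, Command are set.
    return PLAIN + struct.pack("<HHIH", 64, 0, 0, command) + bytes(50) + body

def _encrypted(ciphertext: bytes) -> bytes:
    # Constructed 52-byte transform header with zeroed signature, nonce and session id.
    return ENCRYPTED + bytes(32) + struct.pack("<IHH", len(ciphertext), 0, 1) + bytes(8) + ciphertext

# Constructed sample streams (not taken from a real trace).
ENCRYPTED_SESSION = b"".join(map(_frame, (_plain(0), _plain(1), _encrypted(b"\x8a\x11\xf3\x07" * 8))))
CLEARTEXT_SESSION = b"".join(map(_frame, (_plain(0), _plain(1), _plain(3), _plain(8, b"hello"))))
```

Any entry in `plaintext` is an (index, command) pair for a message that crossed the wire unencrypted after session setup; command 3 is TREE_CONNECT and 8 is READ.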