API SERVICE DISRUPTION: March 1st, 2018

IBM Cloud will stop supporting TLS 1.0 and 1.1 on api.softlayer.com and api.service.softlayer.com

What Is Happening?

On March 1, 2018 at 0900 UTC (0300 CDT) IBM Cloud Infrastructure will stop supporting TLS 1.0 and 1.1 encryption on api.softlayer.com and api.service.softlayer.com; these API endpoints will only support callers using TLS 1.2 encryption levels or higher.

When Will It Happen?

On March 1, 2018 at 0900 UTC (0300 CDT) TLS 1.0 and TLS 1.1 will no longer be supported and TLS 1.2+ is required.

Who Will This Affect?

Any users with code or services that reference the softlayer.com API endpoints for IBM Cloud Infrastructure services with encryption levels older than TLS 1.2.

Confirming and Testing Upgrades to TLS 1.2 or Higher The enhanced security configuration is currently enforced on alternate endpoints. You can test your services against them now to ensure there will be no disruption once the primary endpoints receive the updated configuration:

• api-dev.softlayer.com (instead of api.softlayer.com)
• api-dev.service.softlayer.com (instead of api.service.softlayer.com)

These alternative endpoints only use encryption levels TLS 1.2 or higher. Successfully testing your code and services against these alternative endpoints means your code and services will work properly on the transition date. These alternative endpoints will only be available until the transition date.

What Do I Do Next?

1. Test your service against the alternative endpoints listed above.
2. If your code and service work as expected then update your production code to utilize TLS 1.2 in the current production environment and current production endpoints. Once that is complete no further action is required on your part.
3. If your code or service fails change your code to utilize TLS 1.2 and test against the alternative endpoints and upon working properly update production.

• The current production environment supports TLS 1.0, TLS 1.1 and TLS 1.2.
• Once you have completed your TLS 1.2 testing against the temporary end points you can make your production code changes to utilize the production TLS 1.2 at any time prior to March 1, 2018.
• Once your production environment is utilizing TLS 1.2 you have no further action.
• If you make your production changes before March 1, 2018 you should see no impact on March 1, 2018 when TLS 1.0 and TLS 1.1 are no longer available.

What Will Happen If I Make No Change?

If you make no change and your code or services do not support encryption levels TLS 1.2 or higher, you will start to experience connection errors on the transition date. These errors may appear as “transport errors” and contain messages like SSLV3_ALERT_HANDSHAKE_FAILURE. Your code and services will no longer function until you upgrade it to support TLS 1.2 or higher.

If My Code Starts Failing Do I Have Any Temporary Recourse? If you start to experience connection errors on the transition date, the best course of action is to upgrade your code or services to support TLS 1.2 or higher. If you cannot do that immediately, there will be alternative endpoints provided temporarily to allow you to upgrade your code or services:

• api-deprecated.softlayer.com (instead of api.softlayer.com)
• api-deprecated.service.softlayer.com (instead of api.service.softlayer.com)

These endpoints will become available on the transition date, and will continue to support TLS 1.0 and 1.1. You can change failing code or services to use these endpoints temporarily while you upgrade your systems to support TLS 1.2 or higher. These endpoints will only be available until March 30, 2018 to allow you to make this transition. You must upgrade all your systems and start using the standard API endpoints by March 1, 2018.

Why Are We Making This Change?

This is part of IBM’s commitment to offering a cloud that is secure to the core and in alignment with industry best practices for security and data privacy.

Portal

• User should be get locked for 30 minutes when they enter invalid TOTP code more than 10 times.
• Remove forum link from Notification Messages
• Modifies translation text for the order checkout page to use ‘user data’ instead of ‘metadata.’

API

• Check if active user is parent of user being edited dutring addPortalPermission and removePortalPermission
• Support forced delete of scale groups regardless of status
• Added http://sldn.softlayer.com/reference/services/SoftLayer_Virtual_Guest/getBootMode
• updated validationRules for partitionName to allow for slashes.
• Improve performance of API calls to get order items.
• Add APIs to allow customer to specify preferred SSL ciphers for the load balancer

Backend

• Fixed a bug where VLANs were not being properly reclained.
• Fixed a bug where some overage items would not be added to a bill.
• Keep company name synced with PaaS for linked accounts.
• Add storage chassis ordering capabilities for bare metal servers.\Improve validation of billing information on new customer orders.
• Validation for Object Storage orders with invalid datacenter names
• Fix bug with post provision script execution
• Fixed a bug where some snapshot creations would fail.
• Fixed an issue where Replicant volumes missed being updated on very rare occasion.

Portal

• Improvement to verbiage shown for servers with active billing for an inactive package.
• GPU Flavor prices were not factoring the price of the GPU.
• Fixed an issue where the master user could set themselves as “VPN_ONLY” user.

API

Backend

• Fix Reloads being blocked when a user suppresses the email for RELOAD_COMPLETE
• Fix Micron Hard Drive Storage Group Member’s Grow Flag
• Update automated messaging update on Data Transfer Request tickets
• Add dal10 to the list of data centers supporting security groups.

Portal

• Allow customers to suppress order emails

API

• Exception message should mention ‘.. to change a user link’ instead of ’to edit a user’ when resetOpenIdConnectLink is called
• Exception message should mention ‘Access Denied. Only the Master user..’ instead of ‘Account 1234 is authenticated by IBMid…’ when resetOpenIdConnectLink is called for subuser
• Validator added for bare metal servers orders that use the userData field, the allowed length is 2000 characters.
• Update getCreateObjectOptions to return Spot options
• Child user is now unable to delete his/her own Phone Factor authentication using the APIs
• A bootMode property is added to the SoftLayer_Container_Product_Order_Virtual_Guest class to allow customers to specify the mode the VSI should be booted in. A bootMode property is also added to SoftLayer_Virtual_Guest_SupplementalCreateObjectOptions so that the boot mode can be specified during when calling SoftLayer_Virtual_Guest::createObject. The data will be verified and the customer informed if they have submitted an invalid boot mode.
• Added the ability to getAllObjects on SoftLayer_Network_Storage_Allowed_Host using objectFilters and objectMask

Backend

• Fixed an issue where fixed configuration preset orders are verified but the preset is not entirely available yet provides more information about why it is failing to verify the order.
• Enable the Security Group feature in Dal01, Lon06, and Sea01.
• Support new VSI type called Spot
• Improve the audit log functionality of security groups.
• Modified provisioning to use boot mode provided by customer.
• When downgrading the CPU on a Guest with a Dedicated Host, the Guest Type is no longer overwritten as Public Guest
• Fix Storage As A Service orders validation which was previously accepting orders that did not conform to product business rules
• Fix bug that would delay the completion of an hourly volume reclaim process because it would create an unnecessary process instance.
• Adds complex password support for EVault. New passwords will be 12 characters long and contain special characters

Portal

• Fixes bug when checking for available vGPU resources.
• Update favicon on IBM cloud template
• Fixed an informative popup to properly display entire username when deleting or disabling a user with a long username

API

• SoftLayer_Network_Storage::getAllowableDatacenters() performance improvements
• Added a SUPPORTED_BOOT_MODE attribute to the SoftLayer_Virtual_Disk_Image_Attribute_Type class to hold what boot modes the image can support.
• Update SLDN doc for Virtual_Guest.createObject to add Security Group parameters
• Replace checking for parentId with isMasterUser flag for add/remove device access
• Added quantity validation on StaaS orders. SoftLayer_Container_Product_Order_Network_Storage_AsAService can only be ordered one at a time. If quantity is greater than 1, an exception will now be thrown. Before the order was just placed as quantity 1.
• Remove the default SEV4 setting on all tickets created and require employees to set the ticket severity on the first update
• Parent user who doesn’t have the VPN_MANAGE permission should be able to disable or delete the child user.
• Generic message is displayed when sub-user is trying to add External Binding for a child user. This has been changed to a message to indicate only the Master User can add external bindings

Backend

• Improve sanity checks and error messages when a user’s email field is changed after sending an IBMid invitation
• Remove weak SSL ciphers from LBaaS supported cipher list. Specifically
  1. DHE-RSA-AES256-GCM-SHA384
  2. DHE-RSA-AES256-SHA256
  3. DHE-RSA-AES128-GCM-SHA256
  4. DHE-RSA-AES128-SHA256
• Fixes an issue where extraneous SoftLayer_Network_Storage::activeTransactions could be present on a volume which actually has no active transactions running.
• Block Live Migrations for GPU Guests
• Enable Order Support for External Resources
• “Insufficient Resources” error has been changed to “Insufficient Capacity”.

SLCLI

https://github.com/softlayer/softlayer-python/releases/tag/v5.4.0

• Changes: https://github.com/softlayer/softlayer-python/compare/v5.3.2...v5.4.0

• Upgraded Requests and Urllib3 library to latest. This allows the library to make use of connection retries, and connection pools. This should prevent the client from crashing if the API gives a connection reset / connection timeout error

• reworked wait_for_ready function for virtual, and added to hardware managers.

• fixed block/file iops in the slcli block|file detail view

• Added sub items to hw detail --price, removed reverse PTR entries

Added to CLI

• slcli order
• [Example slcli order useagecontent/python/ordering_slcli.md
• ](https://softlayer.github.io/python/ordering_slcli/)

$ ./slcli order
Usage: slcli order [OPTIONS] COMMAND [ARGS]...

Options:
  -h, --help  Show this message and exit.

Commands:
  category-list      List the categories of a package.
  item-list          List package items used for ordering.
  package-list       List packages that can be ordered via the...
  package-locations  List Datacenters a package can be ordered in.
  place              Place or verify an order.
  preset-list        List package presets.

Portal

• Replace “formerly IBM Cloud” with “formerly SoftLayer” in all affected templates.

API

• Autoscale: Prevent Multiple Scale Actions per Policy. https://stackoverflow.com/questions/39696067/invalid-guest-template-for-autoscale-in-sl
• Only block BYOL sharing and making it public if the software description is a licensed product.
• Adds support for Spot instances to simple VSI ordering. spotGuestFlag would be used to indicate in a createObject() parameter block if the order is for a Spot Instance. http://sldn.softlayer.com/reference/services/SoftLayer_Virtual_Guest/createObject
• Added an API to tell if an account is eligible to link with PaaS. http://sldn.softlayer.com/reference/services/SoftLayer_Account/isEligibleToLinkWithPaas

Backend

• This fixes a problem where volumes could be end up with lesser than assigned quota size.
• Removed deprecated abuse field from RIPE registration person details.

Portal

• Adds warning messages to that will pop to alert EU only processing users that they are selecting a data center or package that it not EU compliant.
• This change will add a checkbox on the WWW order from checkout page that allows customers to opt-in to EU localized support. For a customer that opts-in, any servers they have in an EU datacenter will only be serviced by technicians also in the EU.
• Removes the VSI section from the Server Listings page (of the Control Portal).

API

• Update the “refreshAuthentication” method to accept the POST request with the basic authentication.
• Added EU compliant field to datacenters, ORM flag and enable/disable methods for EU Support on the account. Currently in the EU AMS01, AMS03, FRA02, LON02, MIL01, OSL01, PAR01
• An exception will be thrown if a customer tries to place a BYOL order for Windows on that is not for a dedicated host instance.
• Fixed a bug with removeHardwareAccess not properly removing a user if their premission had been grandted with grantHardwareAccess(id=0)

Backend

• Adding EU compliance support to Ticket system
• Removed all code referencing NETWORK_MESSAGE_QUEUE. The Message Queue product is now EOL.
• Made changes so that the order indexes and names/slots of the hard-drives being swapped in get the same order indexes and names of the swapped-out hard drives.
• Prevent accounts with BAP tier 1 support from enrolling in EU support.
• Remove the use of PPTP VPN from EU flagged accounts
• Prevent setting EU security level for accounts with PPTP usage
• Enable Security Groups in the AMS01, SEO01, SJC01 and SJC03 data centers.

Portal

• Fix issue where LVM was set on storage groups erroneously when editing a configuration on the order form.
• Add a new order approval e-mail notification template for SAP Certified servers.

API

• Added account validation support for combining unicode characters, such as diacritical arabic characters.
• Added new check to prevent multiple partitions being set with grow flag.
• Allow the customers who does not have USER_MANAGE permission to see their own login attempts.
• Only master user, parent user or user itself can add API key.
• Increase the permission action description column size to 256
• Adds support for upgrading existing File and Block storage volumes. Volumes’ size can now be increased, and volumes’ IOPS can now be increased and decreased. Certain limits do apply, see Sales and Support for details. SLCLI version 3.0.1 supports this action.
• Do not require customers to explicitly state the billing type (hourly/monthly) when upgrading a volume, as that can be inferred from the volume billing records

Backend

• Fixed generic internal error message during an OS reload where the image template is missing to throw correct message.
• Removed “account.companyName” mask from the hardware search, specifically only for the scenario where the user is attempting to export a CSV / excel.
• Scrub Security answers for users based on security level of employee and account.
• Fixed the issue that getLoadBalancerStatistics API not collecting stats from Retired appliances
• Cancel image store action jobs when a provision is cancelled

Portal

• Fixed an issue where editing virtual dedicated instance orders would display an error message.
• Reworded the error message when trying to un-suspend an autoscaling group.

Backend

• Added more validation around partition sizeing
• Changed the wording on raid alert tickets
• Fixed an issue reclaiming Virtual Servers
• Fixes bug when trying to find reverse DNS records.
• Fixed an issue with account link invitations not getting a proper activation url
• Fixed a bug preventing some provisioning transactions from completing automatically