IBM Z Hardware and Operating Systems Ideas Portal



Status Future consideration
Workspace z/OS
Created by Guest
Created on Mar 3, 2021

Enhance AT-TLS filters to allow hostname specification for RemoteAddr

For AWS ELB (Amazon Web Services Elastic Load Balancing), we need support for destination host names (instead of IP only) for attaching an SNI header using TTLSRules.

AWS Load Balancer externally uses multiple IP addresses of the range assigned to the entire AWS location. The IPs assigned to the host names are changed daily without prior warning and there is no predictability when they change. Also, IPs are added/removed to the host names based on load, i.e. more IPs are spun up the more connections you make to the host name.

Any outbound connection from Z to an application hosted on AWS (all Cloud Pak for Data apps use a front-end ELB) requires SNI headers to be attached to reach the correct app behind the load balancer. If no SNI is specified, then only the load balancer itself is reached.

SNI headers are added in AT-TLS through a TTLSRule. However, it is only possible to identify the target using IP addresses, which means that AT-TLS cannot be used for any communication to services behind an AWS ELB in a useful way since the IP address(es) will change regularly while the TTLSRule is a more static element.

Therefore, we request an enhancement to AT-TLS so that connections can be filtered on remote addresses specified as host names, which would then be matched to the currently active resolved IP address(es).

AWS hostnames typically have a TTL of 60s.

Here is a link that describes the AWS ELB behavior: https://aws.amazon.com/articles/best-practices-in-evaluating-elastic-load-balancing/

Idea priority High
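The mismatch described in this idea, a static `RemoteAddr` against a hostname whose addresses rotate, can be watched for with a drift check. The following is an added example, not part of the original post and not IBM code: the policy fragment and DNS answers are constructed samples, the names `policy_addrs`, `drift` and `resolve` are hypothetical, and it assumes `RemoteAddr` values are single addresses or prefixes.

```python
import ipaddress
import re
import socket

# Constructed, simplified policy fragment (not taken from the post).
SAMPLE_POLICY = """\
TTLSRule AwsAppOutbound
{
  RemoteAddr 192.0.2.10
  RemotePortRange 443
  Direction Outbound
}
"""

# Constructed DNS answers standing in for two lookups of the same ELB name.
SAMPLE_ANSWERS = {
    "day1": ["192.0.2.10", "192.0.2.11"],
    "day2": ["198.51.100.7", "198.51.100.8", "198.51.100.9"],
}

def policy_addrs(policy_text):
    """Collect the RemoteAddr values of a policy fragment as IP networks."""
    nets = []
    for value in re.findall(r"^\s*RemoteAddr\s+(\S+)", policy_text, re.M):
        if value.upper() != "ALL":
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets

def drift(policy_text, resolved):
    """Return (uncovered, stale): resolved IPs that no rule address matches,
    and rule addresses that no longer match any resolved IP."""
    nets = policy_addrs(policy_text)
    ips = [ipaddress.ip_address(a) for a in resolved]
    uncovered = sorted(str(ip) for ip in ips if not any(ip in n for n in nets))
    stale = sorted(str(n) for n in nets if not any(ip in n for ip in ips))
    return uncovered, stale

def resolve(hostname, port=443):
    """Live lookup for real use; not called on the constructed samples."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    for label, answers in SAMPLE_ANSWERS.items():
        print(label, drift(SAMPLE_POLICY, answers))
```

An address reported as uncovered is one the rule would not match, and a stale entry is a rule address the hostname no longer resolves to.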
  • Guest
    Dec 12, 2022

    We have exactly the same issue but now with Google Cloud. The server addresses change frequently.

  • Guest
    Jul 3, 2022

    In the modern era where z/OS applications are making outbound requests to multiple cloud-based services, some ability to filter rules by remote hostname is vital. I'm conscious of the potential latency and ambiguity introduced by a name resolution (compared to the name resolution presumably already carried out by the local application), but it is worth some effort to find a way forward, IMHO.