Integration


This is an IBM Automation portal for Integration products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.


Add a new idea Subscribe
Status Submitted
Workspace DataPower Gateway
Created by Guest
Created on May 12, 2026

RELATED IDEAS

Enable IBM DataPower Validation Credentials for TLS Client Profiles to support CA bundle / multi-certificate PEM files by importing and validating all certificates contained in a single PEM bundle.

Who would benefit:


DataPower administrators, security teams, platform engineers, and enterprises managing outbound TLS connections would benefit by reducing manual certificate import effort, improving CA trust-store maintainability, and aligning DataPower behavior with common CA bundle usage in tools such as OpenSSL, curl, Java-based trust stores, and enterprise PKI processes.

How should it work:

When a PEM file contains multiple -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks, DataPower should parse all certificates in the file, create or expose each certificate as an individual trusted CA entry, and allow all of them to be referenced by Validation Credentials for TLS Client Profile trust validation. This should support root  CA certificates while preserving certificate visibility, validation logging, and administrative control.

Idea priority Urgent
  • Guest
    May 12, 2026

    In large enterprise environments, DataPower may act as a TLS client for outbound connections to hundreds or thousands of external partner, SaaS, API, banking, healthcare, or cloud endpoints. For example, a single DataPower estate may need to connect to 5,000+ external TLS endpoints.

    Today, because DataPower Validation Credentials for TLS Client Profiles do not support CA bundle / multi-certificate PEM files, administrators must import and maintain each trusted root CA certificate as a separate PEM file and explicitly add each one to the Validation Credential. This creates significant operational overhead, increases the risk of missed CA updates, and makes certificate lifecycle management difficult at scale.

    The requested enhancement is for DataPower to support standard CA bundle PEM files for TLS Client Profile Validation Credentials. DataPower should parse all certificates in a multi-certificate PEM bundle and make them available for outbound TLS trust validation.

    This would allow organizations to maintain a centrally approved public CA bundle, such as one aligned with root CAs trusted by major browser and operating system trust programs, and require external endpoint owners to present certificates chaining to one of those approved public CAs.

    This model would reduce the need to load and maintain each external endpoint’s specific root CA certificate individually. It would also improve consistency with common TLS trust practices used by browsers, operating systems, OpenSSL-based clients, Java trust stores, curl, Kubernetes, Linux distributions, and enterprise PKI governance processes.

    The expected behavior should be:

    • Allow upload/import of a PEM file containing multiple CA certificates.
    • Parse all certificates between each -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- block.
    • Make each certificate in the bundle available for trust validation.
    • Allow Validation Credentials used by TLS Client Profiles to trust the full bundle.
    • Provide visibility into certificates contained in the bundle, including subject, issuer, serial number, validity dates, and fingerprint.
    • Support bundle replacement/update as part of certificate lifecycle management.
    • Preserve audit logging and validation failure diagnostics.

    This enhancement would significantly simplify DataPower outbound TLS administration for environments with large numbers of external endpoints while still allowing enterprises to enforce a controlled and approved CA trust policy.

    Reply

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.