Selecting IBM WebSphere® Application Server cipher suites
The ciphers described in this topic were selected for running the performance test.
- Access to the benchmark application is SSL secured with strong encryption
- The ciphers involved should be fully supported by System z® cryptographic features
- SSL symmetric cipher: AES-256
- SSL asymmetric cipher: RSA with 2048-bit and 4096-bit key length
Various SSL cipher suites can be enabled or disabled using the IBM WebSphere Application Server (WAS) administration console. For the System Under Test (SUT), a single cipher suite is selected to force the use of the given ciphers.
Production systems often have other requirements for the SSL cipher suites that an application server supports, and usually they are not restricted to a single suite. However, take care that the selected cipher suites are fully supported by IBM® System z cryptographic features. Many cipher suites are only partially supported, or not supported at all, by the cryptographic hardware features.
Tip: icainfo lists ciphers supported by libICA. Use the icastats command to check that the desired ciphers show request counts in the hardware column.
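The check from the tip above, as an added example (not IBM's code): a shell function that reads icastats-style output and reports, for each function you name, whether requests were served by hardware, by software, or by both. The sample table and its row names (SHA-1, RSA CRT, AES ENC, and so on) are constructed assumptions; row names and layout differ between libICA versions, so take the names from your own icastats output.

```shell
#!/bin/sh
# Constructed sample in the "function | # hardware | # software" layout.
# Row names are assumptions; copy the exact names from your own icastats output.
sample_icastats() {
cat <<'EOF'
 function | # hardware | # software
----------+------------+------------
    SHA-1 |      48211 |          0
  SHA-256 |          0 |          0
 MOD EXPO |          0 |        311
  RSA CRT |       1204 |          0
  AES ENC |      25310 |          0
  AES DEC |      22901 |         17
EOF
}

# offload_report "NAME,NAME,..."   (icastats-style text on stdin)
# Prints one status line per requested function. Returns 0 only if every
# function has hardware requests and no software fallback.
offload_report() {
    awk -F'|' -v want="$1" '
    # Sum every integer in a column, so several counts per column also work.
    function total(field,    n, i, parts, sum) {
        n = split(field, parts, /[ \t]+/)
        for (i = 1; i <= n; i++) if (parts[i] ~ /^[0-9]+$/) sum += parts[i]
        return sum + 0
    }
    NF >= 3 {
        name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name)
        hw[name] = total($2); sw[name] = total($3); seen[name] = 1
    }
    END {
        n = split(want, names, ",")
        for (i = 1; i <= n; i++) {
            f = names[i]
            if (!(f in seen))                  status = "MISSING"
            else if (hw[f] > 0 && sw[f] == 0)  status = "HARDWARE"
            else if (hw[f] > 0)                status = "MIXED"
            else if (sw[f] > 0)                status = "SOFTWARE"
            else                               status = "IDLE"
            if (status != "HARDWARE") bad = 1
            printf "%-10s %-9s hw=%d sw=%d\n", f, status, hw[f], sw[f]
        }
        exit bad + 0
    }'
}

# Functions behind SSL_RSA_WITH_AES_256_CBC_SHA (RSA, AES, SHA-1), constructed data.
sample_icastats | offload_report "SHA-1,RSA CRT,AES ENC,AES DEC" ||
    echo "at least one function is not served purely by hardware"
```

On a live system, pipe the real icastats output into offload_report after a test run; a MIXED or SOFTWARE status means some requests fell back to software.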
Table 1 shows some examples of RSA-AES cipher suite variants offered by WAS Version 8. Not all of these cipher suites are supported in the same manner. First, cipher support depends on the System z system (CPACF level) and the CEX features. Second, not all cipher suite variants are supported.
| WAS Version 8 cipher suite | IBM System z cryptographic stack support |
|---|---|
| SSL_RSA_WITH_AES_256_CBC_SHA | Full support |
| SSL_RSA_WITH_AES_256_CBC_SHA256 | Not supported. Currently no SHA-256 support for openCryptoki / ICA token with RSA * |
| SSL_DHE_RSA_WITH_AES_256_CBC_SHA | Only partially supported. DHE-RSA in software; AES in hardware |
| SSL_ECDH_RSA_WITH_AES_256_CBC_SHA | Not supported. ECDH-RSA currently not supported |
| SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA | Not supported. ECDHE-RSA currently not supported |
* SHA-256 standalone is supported (see icainfo output), but not in combination with an RSA cipher suite.
The WAS administration console provides a dialog for configuring SSL cipher suites. The administration console navigation path is:
![Screen shot showing the QoP fields and possible settings](06awascrypt.jpg)
SSL_RSA_WITH_AES_256_CBC_SHA has been chosen for the SUT. This suite is fully supported by the System z cryptographic features and meets the requirements for the test as a strong cipher suite.