Selecting IBM WebSphere® Application Server cipher suites

Edit online

The ciphers described in this topic have been selected to run the performance test.

For Scenario 1 the following assumptions have been made:
  • Access to the benchmark application is SSL secured with a strong encryption
  • The ciphers involved should be fully supported by System z® cryptographic features
The following ciphers have been chosen to conduct the performance test:
  • SSL symmetric cipher: AES-256
  • SSL asymmetric cipher: RSA with 2048-bit and 4096-bit key length
Note: Crypto Express3 (CEX3) feature support of RSA keys with 4096-bit length became available for z196 with MCL N29766.021 in December, 2010.

Various SSL cipher suites can be enabled or disabled using the IBM WebSphere Application Server (WAS) administration console. For the System Under Test (SUT) a single cipher suite is selected to force the use of the given ciphers.

Production systems often have other requirements related to supported SSL cipher suites for an application server. Usually they are not restricted to a single suite. However, you should take care that the selected cipher suites are fully supported by IBM® System z cryptographic features. A lot of cipher suites are only partially or not supported by cryptographic hardware features.

Tip: icainfo lists ciphers supported by libICA. Use the icastats command to check that the desired ciphers show request counts in the hardware column.

Table 1 shows some examples of RSA-AES cipher suite variants offered by WAS Version 8. But not all cipher suites are supported in the same manner. First, depending on the System z system (CPACF level) and CEX features, not all ciphers are supported. Second, not all cipher suite variants are supported.

Table 1. Overview of WAS SSL cipher suites with AES-256

WAS Version 8 cipher suite

IBM System z cryptographic stack support

SSL_RSA_WITH_AES_256_CBC_SHA

Full support

SSL_RSA_WITH_AES_256_CBC_SHA256

Not supported

Currently no SHA-256 support for openCryptoki / ICA token with RSA *

SSL_DHE_RSA_WITH_AES_256_CBC_SHA

Only partially supported

DHE-RSA in software; AES in hardware

SSL_ECDH_RSA_WITH_AES_256_CBC_SHA

Not supported

ECDH-RSA currently not supported

SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA

Not supported

ECDHE-RSA currently not supported

* SHA-256 standalone is supported (see icainfo output), but not in combination with a RSA cipher suite.

The WAS administration console provides a dialog for configuring SSL cipher suites. The administration console navigation path is:

Security > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings

Figure 1. Quality of Protection (QoP) settings
Screen shot showing the QoP fields and possible settings

SSL_RSA_WITH_AES_256_CBC_SHA has been chosen for the SUT. This suite is fully supported by the System z cryptographic features and meets the requirements for the test as a strong cipher suite.