IBM Support

How to remove weak cipher suites from the service tier of Information Server

How To


Summary

A security report might identify "Weak SSL/TLS Key Exchange" for ports associated with WebSphere Application Server. This report identifies where the configuration of the application server currently permits cipher suites that the report considers weak. These cipher suites can be disabled.

Objective

This technote does not make any determination on whether a cipher suite is strong or weak. However, if a security report recommends disabling a cipher suite in WebSphere Application Server, these steps are applicable.

Steps

First, make sure to determine what cipher suites need to be removed.

WebSphere Application Server generally uses the full IANA name of the cipher suite, for instance TLS_RSA_WITH_AES_128_CBC_SHA.
It is important to have the exact name; TLS_RSA_WITH_AES_128_CBC_SHA is not the same suite as TLS_DH_RSA_WITH_AES_128_CBC_SHA.
Sites such as https://ciphersuite.info/ can help translate cipher suite names between the different naming formats (for example, an OpenSSL name and its IANA name).
The Java 8 documentation also contains a list of cipher suite names.

Steps for WebSphere Application Server (ND or Traditional)

  • Log in to the WebSphere Administrative Console
  • Go to Security > SSL Certificate and key management > SSL configurations
  • Select NodeDefaultSSLSettings
  • Under Additional Properties, click Quality of protection (QoP) settings.
  • Scroll to the Cipher Suites section
  • Select any cipher suites that are no longer wanted, and click "Remove"
    • Older cipher suites might start with a prefix of SSL instead of TLS. These prefixes do not make a difference in identifying a cipher suite. SSL_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_128_CBC_SHA are the same.
After these changes, save, and restart WebSphere Application Server.
[Image: list of cipher suites in the WAS ND QoP panel]

Steps for WebSphere Application Server Liberty

Because Liberty has no administrative console, disable cipher suites by modifying the 'disabledAlgorithms' Java security property in the java.security file.
These steps are described in a separate WebSphere Application Server technote:
How to set the disabledAlgorithms in WebSphere Application Server and WebSphere Liberty
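The two points above that most often go wrong in practice are getting the exact IANA name (including the fact that the SSL_ and TLS_ prefixes name the same suite) and editing the disabledAlgorithms property without breaking the backslash line continuations that java.security uses. The following Python script is an added example, not code from the IBM technote or from WebSphere: it normalizes suite names, rejects anything that is not an IANA-style name (for example an OpenSSL name such as AES128-SHA), and appends the suites to the jdk.tls.disabledAlgorithms entry (the full property name behind 'disabledAlgorithms') of a java.security file while leaving every other line untouched. The java.security fragment embedded below is constructed for the example and does not reproduce any particular JDK's defaults.

```python
"""Added example (not from the IBM technote): normalize IANA cipher suite names
and append them to jdk.tls.disabledAlgorithms in a java.security file."""
from __future__ import annotations
import re

KEY = "jdk.tls.disabledAlgorithms"

# Constructed java.security fragment for this example. A real JDK's file is much
# longer; the values here are illustrative, not any JDK's actual defaults.
SAMPLE_JAVA_SECURITY = """\
# constructed java.security fragment
securerandom.source=file:/dev/random

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer
"""

# IANA-style names: an SSL_ or TLS_ prefix followed by upper-case tokens.
IANA_RE = re.compile(r"^(SSL|TLS)_[A-Z0-9_]+$")


def normalize_suite(name: str) -> str:
    """Return the canonical TLS_-prefixed name. SSL_X and TLS_X identify the
    same suite, so SSL_ is rewritten to TLS_. Anything that is not an
    IANA-style name (an OpenSSL name, a typo) raises so it is caught early."""
    name = name.strip()
    if not IANA_RE.match(name):
        raise ValueError(f"not an IANA cipher suite name: {name!r}")
    return "TLS_" + name[4:]


def _logical_lines(text: str) -> list[str]:
    """Join physical lines ending in a backslash, as Java properties files do."""
    out, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        out.append(buf + raw)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_disabled(text: str) -> list[str]:
    """Return the comma-separated entries of jdk.tls.disabledAlgorithms."""
    for line in _logical_lines(text):
        if line.startswith(KEY + "="):
            value = line[len(KEY) + 1:]
            return [e.strip() for e in value.split(",") if e.strip()]
    return []


def disable_suites(text: str, suites) -> str:
    """Return java.security text with each suite appended to
    jdk.tls.disabledAlgorithms. Idempotent: suites already listed (under either
    prefix) are skipped. Only the property's own physical lines are rewritten."""
    lines = text.splitlines()
    for start, line in enumerate(lines):
        if not line.startswith(KEY + "="):
            continue
        # Find the last physical line of the continuation run.
        end = start
        while lines[end].rstrip().endswith("\\") and end + 1 < len(lines):
            end += 1
        entries = parse_disabled("\n".join(lines[start:end + 1]))
        present = {normalize_suite(e) if IANA_RE.match(e) else e for e in entries}
        for suite in suites:
            canonical = normalize_suite(suite)
            if canonical not in present:
                entries.append(canonical)
                present.add(canonical)
        # One entry per continuation line keeps the diff reviewable.
        value = ", \\\n    ".join(entries)
        lines[start:end + 1] = [KEY + "=" + value]
        return "\n".join(lines) + ("\n" if text.endswith("\n") else "")
    raise ValueError(f"{KEY} not found in java.security")


if __name__ == "__main__":
    updated = disable_suites(SAMPLE_JAVA_SECURITY,
                             ["SSL_RSA_WITH_AES_128_CBC_SHA"])
    print(updated)
```

Run it against a copy of the JDK's java.security (under the JDK's lib/security directory) and review the diff before putting the file in place; the JVM must be restarted for the change to take effect, and the disabled suites then disappear from the JSSE enabled list for every application using that JDK, not only Liberty.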

Additional Information

In terms of security, it is important to keep WebSphere Application Server updated with current fix packs. It is also important to ensure that the Java SDK used by WebSphere Application Server is updated. These updates can also enable more secure cipher suite and algorithm settings.
IBM Information Server has technotes to help with updating WebSphere Application Server and its Java:


Document Information

Modified date:
22 December 2023

UID

ibm17101160