IBM Support

How can I enable Elliptical Curve Cryptography (ECC) ciphers in WebSphere Application Server 8.5?

Question & Answer


Question

How can I enable Elliptical Curve Cryptography (ECC) ciphers in WebSphere Application Server 8.5?

I cannot see or select the ECDHE ciphers from the Admin Console, under Security > SSL certificate and key management > SSL configurations > "your SSL configuration" > Quality of protection (QoP) settings.

Cause

The peer will close the connection if it finds a cipher that it does not understand, so EC ciphers were removed from WAS at that time.

Answer

In versions 8.5.0.1 or later, the property, com.ibm.websphere.ssl.include.ECCiphers, is used to include the ECC ciphers. It specifies whether WebSphere Application Server includes Elliptical Curve Cryptography (ECC) ciphers in the cipher suites.

When this property is not set or is set to false, the application server does not include ECC ciphers. Set the property to true to include ECC ciphers in the list of default cipher suites. If SP800-131a or Suite B is enabled then ECC ciphers are always included.

To enable them, set the following property as described in the steps below.

com.ibm.websphere.ssl.include.ECCiphers = true

Example steps









Deployment Manager

 1. In the Administration Console, select System Administration.
 2. Select Deployment Manager in the Server Infrastructure section.
 3. Expand Java and Process Management and select Process Definition.
 4. Under the Additional Properties section, click Java Virtual Machine.
 5. Scroll down and locate the textbox for Generic JVM arguments.
 6. Click Custom properties.
 7. Click New and enter name: com.ibm.websphere.ssl.include.ECCiphers, value: true
 8. Click OK, save, then restart the DMGR.

If running a Network Deployment installation, please also enable this for the node agent and application server under Generic JVM arguments.


IBM Setting generic JVM arguments in WebSphere Application Server - United States http://www-01.ibm.com/support/docview.wss

For details of the com.ibm.websphere.ssl.include.ECCiphers property, see the following Knowledge Center link.

Security custom properties:

https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/usec_seccustomprop.html

If you want to add EC ciphers, then you must customize the cipher list under CellDefaultSSLSettings or NodeDefaultSSLSettings, depending on your environment setup. Please see the YouTube video below.

https://youtu.be/dheizcFimX0

Another solution:

IBM recommends upgrading to the latest WAS fix pack, 8.5.5.16. ECC ciphers will be enabled by default.

Note: You don't need to perform the above steps if you upgrade your environment to the latest fix pack, 8.5.5.16.

https://www.ibm.com/support/pages/latest-fix-packs-websphere-application-server
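To confirm the result after the restart or the fix pack upgrade, the following check connects while offering only ECDHE suites and reports what the server negotiates. It is an added example, not IBM's code; the host, port and optional CA file given on the command line are assumptions about your environment.

```python
import socket
import ssl
import sys


def is_ecdhe_suite(name):
    """True if a suite name uses ephemeral ECDH key exchange.

    Accepts OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and the
    IANA/JSSE style (TLS_ECDHE_... or SSL_ECDHE_...). Static ECDH
    (TLS_ECDH_...) is deliberately not counted.
    """
    return "ECDHE" in name.upper().replace("-", "_").split("_")


def build_ecdhe_only_context(cafile=None):
    """Client context that offers nothing but ECDHE suites."""
    ctx = ssl.create_default_context(cafile=cafile)
    # TLS 1.3 suite names do not encode the key exchange, so cap the
    # probe at TLS 1.2 where the suite name shows it.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE")
    return ctx


def probe(host, port, cafile=None, timeout=5.0):
    """Handshake with host:port and report the negotiated suite."""
    ctx = build_ecdhe_only_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                suite, version, _bits = tls.cipher()
                return {"ecdhe": is_ecdhe_suite(suite),
                        "suite": suite, "version": version}
    except ssl.SSLCertVerificationError:
        # A trust problem says nothing about ciphers; surface it as is.
        raise
    except ssl.SSLError as exc:
        # Handshake failure here usually means no shared ECDHE suite.
        return {"ecdhe": False, "suite": None, "error": str(exc)}


if __name__ == "__main__":
    # Usage: python probe.py <host> <ssl-port> [ca-bundle.pem]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe(sys.argv[1], int(sys.argv[2]), cafile=ca))
```

A result with "ecdhe": False and an error means the server accepted none of the offered ECDHE suites, which is the state this page describes before the property is set.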


Document Information

Modified date:
28 October 2019

UID

ibm11098909