IBM Support

Resolving JazzSM DASH Vulnerability by Plugin 83875 SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

How To


Summary

Plugin 83875, SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam), reports a vulnerability in SSL/TLS connections that use one or more Diffie-Hellman moduli less than or equal to 1024 bits.

In the Logjam attack, a third party may be able to find the shared secret through cryptanalysis in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plaintext or potentially violate the integrity of connections.

This vulnerability is inherited by JazzSM DASH from WebSphere Application Server.

The Logjam vulnerability does not occur on WebSphere Application Server 8.5.5.12 or later. WebSphere Application Server versions lower than 8.5.5.12 are vulnerable to Logjam, per APAR:
http://www-01.ibm.com/support/docview.wss?uid=swg1PI68115

Objective

This technote provides the workaround steps for JazzSM DASH installations that run on WebSphere Application Server versions lower than 8.5.5.12. The workaround is to manually remove the weak ciphers.

Steps

Here are the steps to manually remove these weak ciphers.
(1) Log in to DASH and click WebSphere Administrative Console > Launch WebSphere Administrative Console > Security > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings, then check the settings under "Cipher suite groups".
(2) Go to the "Quality of protection (QoP) settings" panel.
On the panel, select "Strong" in "Cipher suite settings" and press "Update selected ciphers" so that, in the "Cipher suites" section, the strong ciphers are listed under "Selected ciphers" (right-hand side).
Examine the list of "Selected ciphers" one by one to make sure that none of the ciphers contains the string:
      _3DES_
      or
      TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
      TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
(3) If you find a cipher that contains any of the strings above, select it and press the "Remove" button to remove it from "Selected ciphers".
(4) Click "Apply" or "OK", save the ciphers, and then restart the server.
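
To confirm the change after the restart, the following added example (not part of the IBM technote and not IBM code) classifies `openssl s_client` output by the Diffie-Hellman key size the server offers. It assumes the OpenSSL command-line client is installed; the host and port are placeholders, and the sample excerpts are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): classify the DH key size a server offers.
# Assumes the OpenSSL command-line client; host and port are placeholders.

# classify_dh_key: read `openssl s_client` output on stdin and print one of
#   NO_CONNECTION  TCP connect failed or openssl is missing (no verdict)
#   WEAK <bits>    finite-field DH key of 1024 bits or less was offered
#   WEAK rejected  the client refused the DH key as too small
#   OK <bits>      DH key larger than 1024 bits
#   NO_DHE         connected, but no DHE suite was negotiated
classify_dh_key() {
    out=$(cat)
    bits=$(printf '%s\n' "$out" |
        sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    if ! printf '%s\n' "$out" | grep -q 'CONNECTED('; then
        echo "NO_CONNECTION"
    elif [ -n "$bits" ]; then
        if [ "$bits" -le 1024 ]; then echo "WEAK $bits"; else echo "OK $bits"; fi
    elif printf '%s\n' "$out" | grep -q 'dh key too small'; then
        echo "WEAK rejected"
    else
        echo "NO_DHE"
    fi
}

# check_server HOST:PORT: offer only DHE suites (cipher string EDH), so the
# answer shows what the server does when DHE is the only option.
# -cipher does not apply to TLS 1.3; such handshakes report NO_DHE.
check_server() {
    openssl s_client -connect "$1" -cipher 'EDH' </dev/null 2>&1 | classify_dh_key
}

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_BEFORE='CONNECTED(00000003)
Server Temp Key: DH, 1024 bits
    Cipher    : DHE-RSA-AES128-SHA'
SAMPLE_AFTER='CONNECTED(00000003)
sslv3 alert handshake failure
no peer certificate available'

if [ "$#" -ge 1 ]; then
    check_server "$1"                # e.g. sh check_dh.sh dash.example.com:PORT
else
    printf '%s\n' "$SAMPLE_BEFORE" | classify_dh_key
    printf '%s\n' "$SAMPLE_AFTER" | classify_dh_key
fi
```

A WEAK result means the server still negotiates a DHE suite with a modulus of 1024 bits or less, which is the condition plugin 83875 reports.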

Document Location

Worldwide

Business Unit: IBM Software w/o TPS
Product: Jazz for Service Management
Platform: Linux
Version: 1.1.3.0, 1.1.3.1
Line of Business: Automation

Document Information

Modified date:
22 November 2019

UID

ibm11111059