Is SHA-2 Supported in WebSphere Application Server Version v6.0/6.1?

• SHA-2 is not supported in WebSphere Application Server v6.0.
• SHA-256 is supported in WebSphere Application Server v6.1.0.47 using Java SDK 1.5 SR16. If you want to generate a certificate, you can use the keytool utility. Example:
   

  Example: keytool -keystore key.jks -storepass test123 -alias jetty2 -genkey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA

 

Does the IBM JCE support Diffie-Hellman (DH) key sizes greater than 2048-bits?

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 2048

However, this will result in DH keys not being supported at all as the IBM JCE only supports smaller or equal than 2048 DH keys.

See the following Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM WebSphere Application Server (CVE-2015-4000)

Further information on the jdk.tls.disabledAlgorithms system property can be found in this document in the IBM Documentation


How to customize cryptographic algorithm and cipher suites that your JDK will tolerate?
To customize the cryptographic algorithm and cipher suites your JDK will accept, you need to consider both JDK properties that exist in the java.security file and WebSphere custom properties and their defaults. 

Note: This setting is at the JDK level and separate from cipher specifications configured in WebSphere SSL Repertoires. These JDK settings will take precedence over WebSphere SSL Repertoire settings.

These are the JDK properties. See your JDK documentation for further details: 

jdk.tls.disabledAlgorithms jdk.certpath.disabledAlgorithms

For users of WebSphere Application Server 7.0.0.41, 8.0.0.13, 8.5.5.10, 9.0.0.0 and above
APAR PI54960 introduced a set of custom properties that will override the previously mentioned JDK properties. These properties are cell-wide settings. If your desire is to affect only individual servers within the cell, you will then need to use JDK java.security capabilities.

com.ibm.websphere.tls.disabledAlgorithms  com.ibm.websphere.certpath.disabledAlgorithms

Note: During the JVM initialization, the JDK properties are read and used. As WebSphere starts the above WebSphere Application Server custom properties will override the JDK properties. If the user prefers not to override the JDK properties then he will need to set the values of these properties to "none".

 

How do I enable SSLv3 on fix pack 7.0.0.41, 8.0.0.13, and 8.5.5.10 and above?

In order to enable SSLv3 on the above fix packs, you need to follow these steps depending on the JDK you are using:

• For JDK 1.6 and 1.7 users:

  com.ibm.websphere.tls.disabledAlgorithms=none com.ibm.websphere.certpath.disabledAlgorithms=none

  -Dcom.ibm.jsse2.disableSSLv3=false

  1. Add the following custom properties:
  2. Enable the following SDK property

• For JDK 1.8 users:
  By default at the latest JDK 1.8 maintenance level the below properties are set to the following values:

  jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize <768, MD5withRSA

  
  Which is why setting the properties to the same value as in the earlier JDK's, won't work. Instead, you will need to set those properties to something like:

  com.ibm.websphere.tls.disabledAlgorithms=RC4, DH keySize <768 com.ibm.websphere.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

  
  Note: A video showing this step-by-step process is available in the Video Tutorials tab above.

 

Avoid Trouble: As a result of the introduction of PI68115 starting on WebSphere Application Server 7.0.0.43, 8.0.0.13, 8.5.5.11, 9.0.0.2 the 3des ciphers have been removed from the default cipher list. Sometimes, these ciphers may be needed in order to re-enable SSLv3 on the system. If that's the case, review the following RFC documentation since it will provide you the list of ciphers that you will need to re-enable. Click here A video showing how to manually add ciphers on WebSphere Application Server traditional can be found in the Video Tutorials tab above.

 

How to replace WebSphere default certificate from SHA1 certificates to SHA256 Certificates and also Keysize from 1024 to 2048?

During the installation of WebSphere Application Server v7.0, WebSphere creates a default keystore and root CA that has a default 1024-bit key size. With this approach, you upgrade the root CA key size to a 2048-bit root certificate which will increase your security level against potential vulnerabilities.   NOTE: This information assumes that you are using a Default SSL configuration and Default SSL keystores. The following steps will not be applicable if you are using any CA certificate or self-signed certificate What is the default keystore and truststore? The default keystore file (key.p12) and the default truststore files (trust.p12) are automatically created by WebSphere Application Server during the profile creation stage. In addition to that a default, chained certificate is also created in the key.p12 file. The root signer, or public key, of the chained certificate is extracted from the key.p12 file and added to the trust.p12 Make sure you are using WebSphere Application Server fix pack 7.0.0.23 or above or WebSphere Application Server v8.0, v8.5, v8.5.5, v9.0. The following steps applicable only on WebSphere Application Server fix pack 7.0.0.23 and above See the following steps: $AdminTask convertCertForSecurityStandard {-fipsLevel FIPS140-2 -signatureAlgorithm SHA256withRSA -keySize 2048 } $AdminConfig save Run backupConfig on the Deployment Manager. Example: C:\WebSphereInstallationPath\profiles\Dmgr01\bin>backupconfig -nostop This tells the backupConfig command not to stop the servers before backing up the configuration Then run the wsadmin command C:\WebSphereInstallationPath\profiles\Dmgr01\bin>wsadmin Then run the following AdminTask command in order to update key size and algorithm The following command saves the above configuration changes. The above Command will update and replace all default certificate that comes in WebSphere Application Server traditional with a new 2048-bit key size for example files key.p12 for cell and node, trust.p12, root-key.p12, etc Example Paths \WebSphereInstallationPath\profiles\ND-DMGR-Profile\config\cells\cellName\key.p12 \WebSphereInstallationPath\profiles\ND-DMGR-Profile\config\cells\cellName\trust.p12 \WebSphereInstallationPath\profiles\ND-DMGR-Profile\config\cells\cellName\nodes\CellManaager(dmgr)\root-key.p12 Alternatively: You can also use the admin console to convert the default certificates. Follow these steps: Open the Admin Console, then click Security>SSL certificates and key management>Manage FIPS On the right side under Related Items select Convert certificates Change Algorithm to Strict SHA256withRSA and under New certificate key size select 2048 then select Apply and click Save. See the screen capture below: To Verify the Changes Open the Admin Console and check the default certificate SSL certificate and key management > Keystores and certificates > celldefaultkeystore/Nodedefaultkeystore > personal certificate > click default You will see key size changed from 1024 to 2048 and also algorithm from SHA1withRSA to SHA256withRSA Make sure sync the nodes with dmgr. From the Admin Console expand System Administration and then click Nodes Select the notes that you want to synchronize (most likely all of them). Click Full synchronize Restart the complete WebSphere Application Server cell, such as the dmgr, all the node agents and application servers.   Note: If the node agent is still out of sync after the restart, then perform a manual sync. For that, you will need to run the following command syncNode.bat -username <YourConsoleAdminUser> -password <ConsoleUserPassword> You also need to manually copy the truststore to each of the /etc directories. This is required for Client operations such as stopdmgr, wsadmin syncnode, serverstatus commands, etc. For this, follow these steps: Back up the key.p12 and trust.p12 found in the profile_root\Dmgr\etc and each of the profile_root\Nodes\etc with in the cell. Copy the profile_root\Dmgr\config\cells\cell-name\trust.p12 and key.p12 (example path: \WebSphere_Installation\profiles\ND-DMGR-Profile\config\cells\cellName\trust.p12) (example path: \WebSphere_Installation\profiles\ND-DMGR-Profile\config\cells\cellName\key.p12) For Users who have a configuration that makes SSL connections between a plugin and WebSphere Application Server You also have to propagate the plugin-keykdb from WebSphere Admin Console or you have to add new WebSphere root certificate under signer certificate of plugin-key.kdb because the above change will update the WebSphere root CA certificate with new serial number. Attention: If you are converting a certificate to be signed with a new signature algorithm and there are keystores called "CMSKeyStore" in the configuration this error may be encountered: A signer certificate with alias: CN=localhost, OU=Root Certificate, OU=localhostCell01, OU=localhostCellManager01, O=IBM, C=US already exists but it contains a different public key This happens due to the provider being unable to write out the supporting chain of the new certificate. To work around this, users should discard the changes then go to the "CMSKeyStore" keystore and under that signer certificate remove the certificate with the alias in the message above. Once the certificate is removed the user can attempt to convert the certificates again. Reference: See more PI48460: FAILURE TO CONVERT CERTIFICATES WHEN CMS KEYSTORE IS PRESENT A video showing this step-by-step process is available in the Video Tutorials tab above.

 

How can I configure WebSphere Application Server traditional to use multiple SSL protocols TLSv1.1, TLSv1.2 and disable TLSv1.0?

The property jdk.tls.disabledAlgorithms now supports the disabling of cipher suites by naming the cryptographic algorithm to be disabled. The default value for this property is   jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768 Learn more: Service Refresh 16 Release Notes System Requirements Because SSLv3 is enabled by default in WebSphere traditional, you will need to apply the latest IBM Java SDK shipped with WebSphere Application Server Fix pack 8.5.5.4 or later in order to disable this protocol. For Example if you have WebSphere 8.5.5.7 then SSLv3 is disabled in WebSphere Application Server. So that WebSphere will allow only TLSv1.0, TLSv1.1 and TLSv1.2 Note: If you are using before 8.5.5.3 and below version 8.5.x.x then you need to apply the following fix IBM Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566) - United States For V8.5.0.0 through 8.5.5.3 Full Profile and Liberty Profile Installation Manager install: Apply interim fix PI28435: Will upgrade you to IBM Java SDK Version 7R1 Service Refresh 1 Fix Pack 1 (optional) + APAR IV66110 for change to disable SSLv3 by default Apply interim fix PI28436: Will upgrade you to IBM Java SDK Version 7 Service Refresh 7 Fix Pack 1 (optional) + APAR IV66110 for change to disable SSLv3 by default Apply interim fix PI28437: Will upgrade you to IBM Java SDK Version 6R1 Service Refresh 8 Fix Pack 1 (required) + APAR IV66110 for change to disable SSLv3 by default --OR-- Apply IBM Java SDK shipped with the WebSphere Application Server Fix pack 8.5.5.4 or later. Start by backing up your current configuration. For this you will need to run the backupConfig command. For more information on this command, see the documentation for the https://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/rxml_backupconfig.html">backupConfig command in the IBM Documentation. Configure WebSphere SSL configuration (CelldefaultSSLSettings) to use SSL_TLSv2 Log in to the WebSphere Application Server Integrated Solutions Console. Click Security > SSL certificate and key management, and under Related Items, click SSL configurations. You can view and select any of the SSL configurations that are configured at this scope Click CelldefaultSSLSettings (example) Click the default SSL settings link to open it and, under Additional Properties, click Quality of protection (QoP) settings. QoP settings define the strength of the SSL encryption, the integrity of the signer, and the authenticity of the certificate. Select a protocol for the SSL handshake SSL_TLSv2 Click OK, then click Save From the Admin Console, click System Administration >> Nodes >> Full Synchronize Go to WAS_Profile_Dir/properties and open the ssl.client.props file for editing Search for com.ibm.ssl.protocol and change the property to SSL_TLSv2 You can perform same steps for other SSLconfig such as NodedefaultSSLsetting..etc To disable TLSv.1.0 in order to allow only TLSv1.1 and TLSv1.2, follow these steps: You will need to modify the java.security file. This file is found in the following path depending on your WebSphere Java Path: C:\WebSphere_Installation\java_yourVersion\jre\lib\security or C:\WebSphere_Installation\java\jre\lib\security Note: Before starting these steps make sure to back up your java.security file. jdk.tls.disabledAlgorithms=TLSv1 Add the following line at the end of java.security and this property will disable TLSV1.0 Restart the dmgr In order to verify that these steps were completed successfully, follow these steps: Set TLS v1.2 or TLSV1.1 for Internet Explorer Note: If you plan to use Internet Explorer only to connect to SiteProtector using strict encryption and not to connect to other sites, then clear the following check boxes: Use SSL 2.0 Use SSL 3.0 Use TLS 1.0 Use TLS 1.1 Open Internet Explorer. Select Tools > Internet Options. Select the Advanced tab. Scroll to the Security section. Check the Use TLS 1.2 checkbox to use strict encryption. Click OK. Test with TLSv1.0 only on IE and attempt to access the Admin console. You will be unable to access the console. Tested with TLSV1.1 only on IE and attempt to access the Admin console. You will be able to access the console. Tested with TLSv1.2 only on IE and attempt to access the Admin console. You will be able to access the console.

 

How do I change default password for all keystores and truststore within WebSphere Application Server?

Attention: Before following the below steps, make sure to back up your WebSphere configuration using the backupConfig commands.

The following example creates a file called myBackup.zip and does not stop any servers before beginning the backup process.  cd {WebSphere_Installation}\profile\{profile_name}\bin ( dmgr or standlaone) On Unix Platforms: backupConfig.sh myBackup.zip -nostop On Windows Platform backupConfig.bat myBackup.zip -nostop

To change the default password for all keystores and truststores within your WebSphere Application Server you will need to use the changeMultipleKeyStorePasswords method. This command updates the passwords for each keystores in the configuration that has a specific password. 

Run the wsadmin command as follows:

wsadmin.sh -lang jython -user adminUser -password adminPassword

The changeMultipleKeyStorePasswords method of the AdminTask object will change the passwords of all keystores and truststores with a single command. At the prompt, give the following command:

wsadmin> AdminTask.changeMultipleKeyStorePasswords ['(-keyStorePassword yourCurrentPassword -newKeyStorePassword yourNEWPassword -newKeyStorePasswordVerify yourNEWPassword]')

For more detail, see the following IBM Documentation KeyStoreCommands command group for the AdminTask object

Sample Command output

C:\WebSpherev7.0\profiles\Dmgr01\bin>wsadmin -lang jython  WASX7209I: Connected to process "dmgr" on node RAMCellManager02 using SOAP connector; The type of process is: DeploymentManager WASX7031I: For help, enter: "print Help.help()"  wsadmin> wsadmin>  wsadmin>AdminTask.changeMultipleKeyStorePasswords('[-keyStorePassword WebAS -newKeyStorePassword my@password -newKeyStorePasswordVerify my@password]')  'CellDefaultKeyStore\r\n CellDefaultTrustStore\r\n CellLTPAKeys\r\n DmgrDefaultRootStore\r\n DmgrDefaultDeletedStore\r\n DmgrDefaultSignersStore\r\n NodeDefaultKeyStore\r\n NodeDefaultTrustStore\r\n CellRSATokenKeyStore\r\n CellRSATokenTrustStore\r\n DmgrRSATokenRootStore\r\n CMSKeyStore'  wsadmin>

 

How do I configure (step by step) Dynamic Outbound Endpoint SSL to use TLS 1.2?

Follow this three steps process to configure Dynamic Outbound Endpoint SSL to use TLS 1.2.

Step 1: Backing up WebSphere Application Server Config 

The following example creates a file called myBackup.zip and does not stop any servers before beginning the backup process:

cd {WebSphere_Installation}\profile\{profile_name}\bin ( dmgr or standlaone) On Unix Platforms: backupConfig.sh myBackup.zip -nostop On Windows Platform backupConfig.bat myBackup.zip -nostop

For more information on how to use the backupConfig  command visit the IBM Docs Article

For more information on how to use the restoreConfig command visit the IBM Docs Article

Or watch the video: How do I run the backupConfig and restoreConfig scripts in WebSphere Application Server? - YouTube

Note: By default the backupConfig command, will stop the deployment manager, in order to avoid this, use option -nostop. The command will zip the config dir on dmgr profile.

The following steps will use the keystore and truststore that are automatically generated by WebSphere Application Server.

Step 2: Create a MYNEWSSLconfig Secure Sockets Layer configuration with TLSv1.2

For more information visit the following IBM Docs Article: Creating a Secure Sockets Layer configuration

Follow these steps to create a new SSL Config Secure Socket Layer with TLSv1.2

1. Create New SSL config
2. Select a truststore name from the drop-down list is CelldefaultTruststore
   1. From the WebSphere administrative console click Security > SSL certificate and key management > Manage endpoint security configurations.
   2. Select an SSL configuration link on either the Inbound or Outbound tree, depending on the process you are configuring.
   3. Click SSL configurations under Related Items.
   4. You can view and select any of the SSL configurations that are configured at this scope. You can also view and select these configurations at every scope that is lower on the topology.
   5. Click New to display the SSL configuration panel. (MYNEWSSLconfig) You cannot select links under Additional Properties until you type a configuration name 
   6. Select a keystore name from the drop-down list. A keystore contains the personal certificates that represent a signer identity and the private key that WebSphere Application Server uses to encrypt and sign data.
   7. If you change the keystore name, click Get certificate aliases to refresh the list of certificates from which you can choose a default alias. WebSphere Application Server uses a server alias for inbound connections and a client alias for outbound connections.
   8. Select a keystore name from the drop-down list is NodeDefaultkeystore or YourOwnKeystore
      • Note: You can create and use your own keystore instead of NodeDefaultkeystore but make sure use common truststore which is CelldefaultTruststore also make sure certificate between yourownkeystore and celldefaulttruststore is exchanged.
   9. Click Get certificate aliases to refresh the list of certificates from which you can choose a certificate alias for your application needs.
   10. Click Apply save the changes and sync the nodes
3. Now configure this new SSL configuration (MYNEWSSLconfig) with protocol TLSv1.2
4. SSL Configuration described above, then click Quality of protection (QoP) settings under Additional Properties.
5. From the WebSphere administrative console, navigate to  SSL certificate and key management > SSL configurations > MYNEWSSLconfig > Quality of protection (QoP) settings
6. On the Quality of protection (QoP) settings panel, select TLSv1.2 from the pull-down list in the box named Protocol.
7. Change the protocol to TLSV1.2
8. Click Apply, then Save.
9. Sync the node with dmgr

Step 3: Create a Dynamic outbound endpoint to use new SSL configuration (MYNEWSSLconfig)

Associating a Secure Sockets Layer configuration dynamically with an outbound protocol and remote secure endpoint

https://www.ibm.com/docs/en/was/8.5.5?topic=csc-associating-ssl-configuration-dynamically-outbound-protocol-remote-secure-endpoint

1. From the administrative console page, click Security > SSL certificate and key management> click Dynamic outbound endpoint SSL configurations.
2. Click NEW
3. Name: MyOutboundSSL (example) 
4. Type the connection information that you want to associate with the configuration that is displayed in the SSL configuration drop-down list.
5. Under Add connection information given your remote server hostname and port, example:
   *,remote_host_address,remote_server_ssl_port
6. Click Add and Select an SSL configuration from the list.
7. Choose MYNEWSSLconfig
8. Click Get certificate aliases to refresh the certificate aliases that are contained in the associated keystore.
9. Choose a certificate alias from the list.
10. Click OK and Save. 
11. Sync the node with dmgr.
12. Restart the application server only. 

 

Does WebSphere traditional support the use of Sun's JSSE or JCE provider in customer applications?

Yes, WebSphere traditional does support the use of Sun's JSSE or JCE provider in customer applications. For more information, review the following technote: Support For Sun's JSSE or JCE Provider In WebSphere Application Server.

 

IBM WebSphere Application Server traditional does not send the full chain to clients

See the technote WebSphere Application Server does not send the full chain to clients

 

How do I install the unrestricted policy files in WebSphere Application Server from the IBM Site?

A video showing this step-by-step process is available in the Video Tutorials tab above.

 

How do I use the keytool command to verify the certificate chain for WebSphere Application Server?

A video showing this step-by-step process is available in the Video Tutorials tab above.

 

How to transform PEM and PFX keystore in Public Key Cryptography Standard #12 (PKCS12) keystore - United States

The following technote, explains how can you transform PEM and PFX keystores in PKCS12 keystores: How to transform PEM and PFX keystore in Public Key Cryptography Standard #12 (PKCS12) keystore

 

How to re-create the root CA for WebSphere Application Server 7.0 on the deployment manager before creating member nodes

The following technote explains how can you re-create the root CA for WebSphere Application Server 7.0 on the deployment manager before creating member nodes: Re-creating the root CA for WebSphere Application Server 7.0 on the deployment manager before creating member nodes

 

How to set up SSL from a client to a web server and plugin to WebSphere Application Server?

The following slides go over the necessary steps needed to set up SSL from a client to a web server and plugin to WebSphere Application Server: Setting Up SSL From Client to Web Server and Plugin to WAS