WebSphere Application Server & Liberty

Customize cipher suites on Traditional WebSphere and Liberty profile

By Alaine DeMyers posted Wed August 18, 2021 02:54 PM

  

Customizing cipher suites on the Traditional WebSphere and Liberty profile

  

Cipher suites are an important part of TLS/SSL connections.  The provide the connections key exchange algorithm, bulk encryption algorithm, and message authentication algorithms.  There are lots of ciphers suites available.  In the Traditional WebSphere and Liberty profiles many ciphers are enabled by default.  This configuration gives users, a wide set of ciphers to ensure a connection by default.  For various reason users may want to narrow the scope of ciphers enabled, could be they want to enable a small known set of ciphers or what satisfy the outcome of a scanner being run on the server.   Cipher suites list can be customized on both Traditional WebSphere and Liberty profiles.

 

Customizing cipher suites

 

Customizing cipher suites on Traditional WebSphere

 

 

 On the Administrative Console ciphers suites can be selected to form a custom list on the SSL Configuration Quality of protection panel.

 

To customize go to:

 

  1. Security -> SSL certificate and key management -> SSL Configurations

 

  1. From the collection list of SSL Configuration select the SSL configuration to customize

 

  1. Select Quality of protection (QoP) settings

 

  1. In the box labeled Cipher suite group select Custom, then click Update select ciphers

 

  1. Choose the desired ciphers making sure they show up in the Selected Ciphers

 

  1. Appy/Save the changes.

 

 

On Traditional WebSphere the ciphers can be enabled from the wsadmin command line for from a python script using the modifySSLConfig task.  Eg:

 

AdminTask.modifySSLConfig('[-alias NodeDefaultSSLSettings -scopeName (cell):Node01Cell:(node):Node01

-securityLevel CUSTOM -enabledCiphers " SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384 ]')

 

 

Note: With the IBM JDK the “SSL_ “  at the beginning of the cipher suite name is interchangeable with “TLS_”

 

If dynamic SSL updating is enabled, then there is no need to restart the server.   If it is not enabled, then the server must be restated for the changes to take effect.

 

Once the changes are applied and saved the SSL configuration on the security.xml file will contain an enabledCiphersattribute with the custom cipher suites listed in it.

 

<repertoire xmi:id="SSLConfig_Node01_1" alias="NodeDefaultSSLSettings" managementScope="ManagementScope_Node01_1">
    <setting xmi:id="SecureSocketLayer_Node01_1" clientAuthentication="false" securityLevel="CUSTOM" enabledCiphers="SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384"jsseProvider="IBMJSSE2" sslProtocol="SSL_TLSv2" keyStore="KeyStore_Node01_1" trustStore="KeyStore_Node01_2" trustManager="TrustManager_Node01_2" keyManager="KeyManager_Node01_1"/>
  </repertoire>

 

 

The configuration information on the enabledCiphers attribute can be retrieved using wsadmin or a python script using the getSSLConfig task:

 

AdminTask.getSSLConfig('[-alias NodeDefaultSSLSettings -scopeName (cell):Node01Cell:(node):Node01-returnAttributes enabledCiphers ]')
u'[[enabledCiphers [SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384]] ]'

 

Customizing cipher suites on Liberty

 

Configuration on the Liberty profile is more manual.  To find the supported list of ciphers suites look to the JVM’s documentation.  

 

IBM JDK:   https://www.ibm.com/docs/en/sdk-java-technology/8?topic=suites-cipher

Oracle JDK: https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names

 

 

A custom list is added to the Liberty profile by adding the enabledCiphers attribute with a space separated list of ciphers to the to the ssl element server.xml file.  Eg

 

          <ssl id="DefaultSSLSettings" keyStoreRef="DefaultKeyStore"trustStoreRef="DefaultTrustStore"

          sslProtocol="TLSv1.2" securityLevel="CUSTOM"enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"/>

 

In the Liberty profile the configuration change should be picked up automatically.

 

 

 

Setting the Cipher suite order

 

 

In the typically SSL/TLS handshake the client side of the connection cipher suite list will take precedence.   This means the connection start with the client-side cipher suite list then looks to the server-side cipher suites list to find the first match.   This means the connection may be made using a cipher suite the is not the server-side preferred.  

 

 

 Setting the Server cipher suite order on traditional WebSphere

 

 

On traditional WebSphere the client-side preference is enabled by default.   In WAS 9.0.5.7 a custom property was added to enable server-side cipher suite order called com.ibm.websphere.ssl.enforceCipherOrder.  The custom property will enable it for all

 

To enable on Administrative Console go to:

 

  1. Security -> Global Security -> Custom propreties

 

  1. Click new

 

  1. Add ibm.websphere.ssl.enforceCipherOrder to the name box

 

  1. Add true to the value box

 

  1. Apply/Save

 

The server will need to be restarted for the changes to take effect.

 

Note: his custom property is currently supported on WAS90 only. For WAS855 support, please create an idea here and vote on it.

https://cloud-platform.ideas.ibm.com/?page=3&sort=popular

 

 

 

Setting server-side cipher suite order on Liberty

 

To enable server-side cipher suite order on Liberty the enforceCipherOrder attribute set to true will need to be added to the ssl element for each SSL configuration needing the feature.

 

 

 

     <ssl id="DefaultSSLSettings" keyStoreRef="DefaultKeyStore"trustStoreRef="DefaultTrustStore"

          sslProtocol="TLSv1.2" securityLevel="CUSTOM" enforceCipherOrder="true"enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" />

The configuration update should cause the SSL configuration to get reloaded with the eforceCipherOrder setting enabled on the inbound ports.

 

 

Disabling cipher suites

  

Sometimes there is a need to completely disable ciphers suites on the JVM.   Cipher suites can be disabled using the java Security property jdk.tls.disabledAlgorithms in the java.security file.  Add the cipher suites that need to be disabled to the jdk.tls.disabledAlgorithms list.  For example, to disable TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA356 add it to the end of the jdk.tls.disabledAlgorithms list.

 

 

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \

    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA356   

Disabling ciphers on Traditional WebSphere

 

 On traditional WebSphere the jdk.tls.disabledAlgorithms java Security property is set programmatically.   By default, it is programmatically set to SSLv3, RC4, DH keySize < 768, MD5withRSA.   The value can be customized by setting the WebSphere security property com.ibm.websphere.tls.disabledAlgorithms. 

 

To customize on the Administrative Console go to:

 

  1. Security -> Global Security -> Custom propreties

 

  1. Click new

 

  1. Add ibm.websphere.tls.disabledAlgorithms to the name box

 

  1. Add SSLv3, RC4, DH keySize < 768, MD5withRSA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA356 to the value box

 

  1. Apply/Save

 

 

If it is desired to just edit the java.security file and have WebSphere not programmatically set the jdk.tls.disabledAlgorithms list then com.ibm.websphere.tls.disabledAlgorithms can be set to none in the Administrative console.

 

 

Examples of wsadmin commands to create custom cipher suites

 

  1. To enable all cipher except SSL_RSA ciphers

AdminTask.modifySSLConfig('[-alias nodeDefaultSSLSettings - -scopeName (cell):Node01Cell:(node):Node01

-securityLevel CUSTOM -enabledCiphers "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_DSS_WITH_AES_256_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDH_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDH_RSA_WITH_AES_128_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_128_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384 SSL_DHE_DSS_WITH_AES_256_GCM_SHA384 SSL_DHE_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256" ]')

 

 

  1. Example of a modifySSLConfig that enables all ECDHE and SSL_RSA cipher suites:

AdminTask.modifySSLConfig('[-alias defaultSSLSettings -scopeName (cell):Node01Cell:(node):Node01

 -securityLevel CUSTOM -enabledCiphers "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SSL_RSA_WITH_AES_256_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDH_RSA_WITH_AES_256_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SSL_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDH_RSA_WITH_AES_128_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSL_RSA_WITH_AES_128_GCM_SHA256" ]')

 


#Featured-area-2
#Featured-area-2-home
#WebSphere
#WebSphereLiberty
#Featured-area-2
#Featured-area-2
#Featured-area-2-home
0 comments
275 views

Permalink