
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is listed as top priority in the Cryptography Providers list:

To my humble knowledge,

  1. ECDHE RSA (Elliptic-curve Diffie–Hellman) and RSA are a combination of asynchronous algorithms for exchanging a shared secret (symmetric key).
  2. AES 256 is a synchronous algorithm, also called a bulk encryption algorithm, for exchanging the payload.
  3. GCM is Galois/Counter Mode, used in symmetric-key cryptographic block ciphers, with much better performance than the older Cipher Block Chaining (CBC) mode.
  4. SHA384 is a MAC (Message Authentication Code) algorithm used instead of MD5 as a hash algorithm addressing data integrity.

In the WebSphere console, you can define your own custom SSL configuration. This SSL configuration just encapsulates the protocol and cipher suites in an order of your preference.
Navigation:
Security > SSL certificate and key management > SSL configurations > MyCustomSSLConfig > Quality of protection (QoP) settings

I just know that when I want to use this cipher suite I have to install the JCE Unlimited Strength Jurisdiction Policy Files and, moreover, this cipher suite works only with the TLSv1.2 protocol.

Referring to this sentence in this resource: 'The second list shows the cipher suites that are supported by the IBMJSSE provider, but disabled by default.'

Could you please tell me what I should do to enable the 2nd list present in the resource, where SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is present?

Thank you

Michael K
  • The first resource you listed doesn't imply you can't use the suite you mentioned, it simply means you need at least fixpack 6 installed on WAS 8. – F Rowe Dec 23 '17 at 13:01
  • thank you, I can simplify my question. – Michael K Dec 23 '17 at 15:02
  • 1
    If you have the appropriate level of WAS 8 and the unlimited strength policy file you will be able to add SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA394 to a custom cipher list. If you want it to show up along with the STRONG/HIGH cipher list you will have to enable a custom property called com.ibm.websphere.ssl.include.ECCiphers. Information can be found here https://developer.ibm.com/answers/questions/303331/how-can-i-enable-elliptical-curve-cryptography-ecc.html – Alaine Dec 29 '17 at 20:23
  • Thank you very much indeed. This was very helpful! – Michael K Jan 02 '18 at 09:51

1 Answer

You just need to set com.ibm.websphere.ssl.include.ECCiphers = true

in 2 different locations:

  1. Application servers > server1 > Server Infrastructure > Java and Process Management > Process definition > Java Virtual Machine > Custom properties

  2. System Administration > Deployment manager > Java and Process Management > Process definition > Java Virtual Machine > Custom properties

Do not forget to restart Dmgr, Nodeagent and the application server! It works perfectly!

Michael K
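Added example, not part of the question or the answer: a small Python helper that splits a JSSE cipher-suite name into the parts the question lists and, for each suite in a constructed QoP cipher list, flags whether it is an EC suite (omitted from the STRONG/HIGH list until the com.ibm.websphere.ssl.include.ECCiphers property from the answer is set), whether it needs TLSv1.2, and whether its 256-bit key needs the unlimited-strength policy files. The name pattern the regex assumes, the sample list and the function names are mine.

```python
import re

# Java/IBM JSSE cipher-suite names look like SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
# i.e. <kx>[_<auth>]_WITH_<cipher>_<hash>; this pattern is an assumption, not an IBM spec.
_SUITE_RE = re.compile(
    r"^(?:SSL|TLS)_(?P<kx>[A-Z0-9]+?)(?:_(?P<auth>RSA|ECDSA|DSS|anon|PSK))?"
    r"_WITH_(?P<cipher>.+?)_(?P<hash>MD5|SHA|SHA256|SHA384)$"
)


def classify(suite):
    """Split a suite name into its parts and derive the three properties the
    thread cares about: EC key exchange (hidden from the STRONG/HIGH list until
    com.ibm.websphere.ssl.include.ECCiphers=true), TLSv1.2-only, and a 256-bit
    bulk key (unlimited-strength policy files on older JDKs)."""
    m = _SUITE_RE.match(suite)
    if not m:
        raise ValueError("unrecognised cipher suite name: %s" % suite)
    kx, auth, cipher, hsh = m.group("kx", "auth", "cipher", "hash")
    bits = re.search(r"_(\d{2,3})(?:_|$)", cipher)
    key_bits = int(bits.group(1)) if bits else None  # None for 3DES, NULL
    aead = "_GCM" in cipher
    return {
        "suite": suite,
        # asymmetric part: key agreement plus the certificate's signature algorithm
        "key_exchange": kx,
        "authentication": auth or kx,  # plain RSA suites use RSA for both roles
        # symmetric part: bulk cipher, key size and mode
        "bulk_cipher": cipher,
        "key_bits": key_bits,
        "aead": aead,
        # in GCM suites the hash names the TLS 1.2 PRF, not a per-record HMAC
        "hash": hsh,
        "elliptic_curve": kx.startswith("ECDH"),
        "tls12_only": aead or hsh in ("SHA256", "SHA384"),
        "needs_unlimited_policy": key_bits is not None and key_bits > 128,
    }


def hidden_without_ec_property(suites):
    """Suites WAS omits from the STRONG/HIGH list until the custom property is set."""
    return [s for s in suites if classify(s)["elliptic_curve"]]


if __name__ == "__main__":
    # Constructed sample QoP cipher list, not copied from any real server.
    sample = ["SSL_RSA_WITH_AES_128_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
              "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    for s in sample:
        print(classify(s))
    print("need ECCiphers property:", hidden_without_ec_property(sample))
```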