How to enable strong cipher suites in Websphere 8.0?

Question

SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is listed as top priority in the Cryptography Providers list:

To my humble knowledge,

1. ECDHE RSA (Elliptic-curve Diffie–Hellman) and RSA are a combination of asynchronous algorithms for exchanging a shared secret (symmetric key)
2. AES 256 is a synchronous algorithm called also bulked encryption algorithm for exchanging payload.
3. GCM is Galois/Counter Mode used in symmetric key cryptographic block ciphers with a much better performance than the older Cipher Block Chaining (CBC) mode.
4. SHA384 is a MAC algorithm (Message Authentication Code) used instead of MD5 as a hash algorithm addressing data integrity.

In Websphere console, you can define your own custom SSL configuration. This SSL configuration just encapsulates protocol and cipher suites in an order of your preference.
Navigation:
Security > SSL certificate and key management > SSL configurations > MyCustomSSLConfig > Quality of protection (QoP) settings

I just know when I want to use this cipher suite I have to install JCE Unlimited Strength Jurisdiction Policy Files and moreover, this cipher suite works only for TLSv1.2 protocol.

Referring to this sentence in this resource:'The second list shows the cipher suites that are supported by the IBMJSSE provider, but disabled by default.'

Could you please tell me what should I do to do enable the 2nd list present in the resource where SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is present?

Thank you

Answer 1

You just need to set com.ibm.websphere.ssl.include.ECCiphers = true

in 2 different locations:

1. Application servers > server1 > Server Infrastructure-> Java and Process Management-> Process definition > Java Virtual Machine > Custom properties

2. System Administration > Deployment manager > Java and Process Management-> Process definition > Java Virtual Machine > Custom properties

Do not forget to restart Dmgr, Nodeagent and application server! It perfectly works!