TLS Ciphers

Hello, I need to update the list of ciphers webMethods Integration Server will use. Is this a patch I apply or is it a new configuration I need to set?

Below is the list of ciphers accepted by the service we are calling.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Here is the IS server build information:
Product: webMethods Integration Server
Version: 9.10.0.0
Updates: None
Build Number: 106
SSL: Strong (128-bit)

Thanks in advance for the help…

To install JSEE:

  1. Download the JCE Unlimited Strength Jurisdiction Policy Files.
  2. Then install them under the webMethods JVM directory: SoftwareAG\jvm\jvm\jre\lib\security

I checked local_policy.jar and US_export_policy.jar under the SoftwareAG\jvm\jvm\jre\lib\security folder and found that the local_policy is using limited crypto strength.

During IS startup the message below is logged.

[ISS.0025.0050W] The JCE Unlimited Strength Jurisdiction Policy File was not found. Please install it.

[ISS.0025.0049I] The JCE Unlimited Strength Jurisdiction Policy File was found

IS extended settings:

watt.net.ssl.client.useJSSE=true
watt.net.jsse.client.enabledCipherSuiteList=default
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2,SSLv3,SSLv2Hello
watt.net.jsse.server.enabledCipherSuiteList=default
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2,SSLv3,SSLv2Hello

If you set "0006 Server SSL Interface" to Trace (IS Admin > Settings > Logging > Server), the enabled cipher list for a JSSE port will be printed to server.log when the port is enabled (including during IS startup).

You can then restrict the cipher list if desired by setting

watt.net.jsse.server.enabledCipherSuiteList=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

This will be logged when the port is re-enabled/disabled (no IS restart required).

Hi,

I would advise removing SSLv3 and SSLv2Hello from the allowed protocols list, as they are considered insecure and deprecated.

Regards,
Holger
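The replies above cover three separate checks: whether the JCE Unlimited Strength policy is actually active in the IS JVM, which of the partner's cipher suites that JVM can negotiate, and which protocols to keep in watt.net.jsse.*.enabledProtocols. The Java program below does all three in one run and prints candidate extended-setting values. It is an added example written for this thread, not code from webMethods Integration Server or Software AG; the class and method names (JsseSettingsCheck, unlimitedStrengthInstalled, usableSuites, hardenedProtocols) and the PARTNER_SUITES list are mine, and the partner suite list is copied from the question. It assumes a SunJSSE-based JVM (the one under SoftwareAG\jvm\jvm), and it only reports what the JVM supports; it does not contact the partner service.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/**
 * Example for this thread (not part of webMethods IS): checks the running JVM
 * for the JCE Unlimited Strength policy, intersects the partner's cipher suites
 * with what this JVM can negotiate, and prints candidate watt.net.jsse.* values.
 */
public class JsseSettingsCheck {

    // Suites the partner service accepts, as listed in the question.
    static final List<String> PARTNER_SUITES = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");

    // Protocols to strip from enabledProtocols, per Holger's advice.
    static final Set<String> BANNED_PROTOCOLS = new LinkedHashSet<>(
            Arrays.asList("SSLv2Hello", "SSLv3"));

    /** True when the Unlimited Strength policy is active (AES not capped at 128 bits). */
    static boolean unlimitedStrengthInstalled() throws NoSuchAlgorithmException {
        // Returns Integer.MAX_VALUE under the unlimited policy, 128 under the limited one.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Keeps, in partner order, the partner suites this JVM can actually negotiate. */
    static List<String> usableSuites(String[] jvmSupported, List<String> partner) {
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(jvmSupported));
        List<String> usable = new ArrayList<>();
        for (String suite : partner) {
            if (supported.contains(suite)) {
                usable.add(suite);
            }
        }
        return usable;
    }

    /** Drops SSLv3 and SSLv2Hello from a protocol list such as the current watt setting. */
    static List<String> hardenedProtocols(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String proto : protocols) {
            if (!BANNED_PROTOCOLS.contains(proto)) {
                kept.add(proto);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        if (!unlimitedStrengthInstalled()) {
            System.out.println("WARNING: JCE Unlimited Strength policy not installed;"
                    + " AES_256 suites will be missing from the JSSE suite list.");
        }

        SSLContext ctx = SSLContext.getDefault();
        // Supported (not just enabled) suites: these are the only names IS can turn on.
        String[] supportedSuites = ctx.getSupportedSSLParameters().getCipherSuites();

        List<String> suites = usableSuites(supportedSuites, PARTNER_SUITES);
        if (suites.isEmpty()) {
            System.out.println("None of the partner's suites is available in this JVM.");
        }

        // Current value from the thread, with the weak protocols removed.
        String[] current = {"TLSv1", "TLSv1.1", "TLSv1.2", "SSLv3", "SSLv2Hello"};

        // Candidate values for IS Admin > Settings > Extended.
        System.out.println("watt.net.jsse.client.enabledCipherSuiteList="
                + String.join(",", suites));
        System.out.println("watt.net.jsse.client.enabledProtocols="
                + String.join(",", hardenedProtocols(current)));
    }
}
```

Compile and run it with the same JVM IS uses (for example `SoftwareAG\jvm\jvm\bin\java JsseSettingsCheck` after `javac`), otherwise the policy check reflects a different Java installation. Two caveats when you copy the printed values into the extended settings: the suite names must match the JSSE spelling exactly (no spaces around the commas), and a TLS_ECDHE_ECDSA_* suite such as the one in the sample server setting above is only negotiable on a port whose certificate has an ECDSA key, while the TLS_ECDHE_RSA_* suites the partner lists need an RSA certificate on the server side.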