TLS Ciphers

Bob_Courtemanche · October 1, 2018, 4:57pm

Hello, I need to update the list of ciphers webMethods Integration Server will use. Is this a patch I apply or is it a new configuration I need to set?

Below is the list of ciphers accepted by the service we are calling.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Here is the IS server build information…
Product webMethods Integration Server
Version 9.10.0.0
Updates None
Build Number 106
SSL Strong (128-bit)

Thanks in advance for the help…

system · October 2, 2018, 8:32am

To install JSEE

SoftwareAG\jvm\jvm\jre\lib\security

Download the JCE Unlimited Strength Jurisdiction Policy Files
Then install under the webMethods JVM directory: SoftwareAG\jvm\jvm\jre\lib\security

Checked the local_policy.jar and US_export_policy.jar under SoftwareAG\jvm\jvm\jre\lib\security folder. Found that their local_policy is using limited crypto strength.

During IS start below message logged.

[ISS.0025.0050W] The JCE Unlimited Strength Jurisdiction Policy File was not found. Please install it.

[ISS.0025.0049I] The JCE Unlimited Strength Jurisdiction Policy File was found

IS> extended settings

watt.net.ssl.client.useJSSE=true
watt.net.jsse.client.enabledCipherSuiteList=default
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2,SSLv3,SSLv2Hello
watt.net.jsse.server.enabledCipherSuiteList=default
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2,SSLv3,SSLv2Hello

If you set “0006 Server SSL Interface to Trace” (IS Admin > Settings > Logging> Server), the enabled cipher list for a JSSE port will be printed out to the server.log when the port is enabled (including during IS startup).

You can then restrict the cipher list if desired by setting

watt.net.jsse.server.enabledCipherSuiteList=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

This will be logged when the port is renabled/disabled (no IS restart required)

Holger_von_Thomsen · October 8, 2018, 2:02pm

Hi,

I would advise to remove the SSLv3 and the SSLv2Hello from the allowed protocols list as they are considered unsecure and deprecated.

Regards,
Holger

Topic		Replies	Views
iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure webMethods , webMethods-General , Integration-Server-and-ESB	26	20690	April 2, 2021
RC4 cipher from wM webMethods , Integration-Server-and-ESB , webmethods-Protocol-and-Transport	13	2836	April 2, 2021
Weak SSL Ciphers Discovered webMethods , Integration-Server-and-ESB , webMethods-Archive	4	2231	September 3, 2021
webMethods TLS support from 9.7 webMethods , Integration-Server-and-ESB	10	11195	April 2, 2021
ssl handshake failure webMethods , Integration-Server-and-ESB	16	9737	April 2, 2021

TLS Ciphers

Checked the local_policy.jar and US_export_policy.jar under SoftwareAG\jvm\jvm\jre\lib\security folder. Found that their local_policy is using limited crypto strength.

[ISS.0025.0049I] The JCE Unlimited Strength Jurisdiction Policy File was found

Related topics