Use Preferred Cipher Suites on IBM WebSphere DataPower SOA Appliances

Technote (FAQ)


Question

Can the DataPower SSL server, which is defined with a reverse SSL Proxy Profile, be modified to use a preferred cipher suite?

Cause

By default, the DataPower SSL server uses the preferred cipher list that is sent by the remote SSL client.

Answer

To make the DataPower SSL server use its own preferred cipher list, define a preferred cipher suite with the following steps (this can only be done using the DataPower command line interface):


  1. Remove the @STRENGTH syntax from the ciphers list in the Crypto Profile.
  2. Add the preferred cipher to the beginning of the ciphers list. For example, to make RC4-SHA the preferred cipher, the cipher string should look as follows:
    RC4-SHA:HIGH:MEDIUM:!aNULL:!eNull
  3. Add the option-string SSL_OP_CIPHER_SERVER_PREFERENCE (0x00400000) to the Crypto Profile to override the SSL client's cipher preference.

    When used in combination with the Default option (0x000FFFFF) and the Disable SSLv2 option (0x01000000), the resulting value is 0x01400FFF.


For example:


Make RC4-SHA and RC4-MD5 the preferred ciphers for the DataPower SSL server, override the client's preferred ciphers, and use the default options with the following steps:

  1. Access the DataPower appliance command line interface.
  2. Switch to the appropriate service domain by using the switch domain command.

Enter the following commands to modify the crypto profile:

    co
    crypto
    show crypto //display your Crypto Profile details
    profile <your crypto profile name>
    ciphers RC4-SHA:RC4-MD5:HIGH:MEDIUM:!aNULL:!eNull
    option-string 0x01400FFF
    exit
    show crypto //confirm the changes
    exit
    write mem
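
One way to check a profile's cipher string and option-string against the three steps above, as an added example that is not part of the IBM technote. audit_profile is a hypothetical helper (not a DataPower command or API), and the flag values are the ones quoted on this page.

```python
# Added example: audit Crypto Profile settings against the technote's steps.
# audit_profile() is hypothetical; flag values are those quoted in the technote.
SSL_OP_CIPHER_SERVER_PREFERENCE = 0x00400000
DISABLE_SSLV2 = 0x01000000


def audit_profile(ciphers, option_string, preferred):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    tokens = [t.strip() for t in ciphers.split(":") if t.strip()]
    options = int(option_string, 16)

    # Step 1: in OpenSSL cipher-string syntax @STRENGTH sorts the list by
    # key length, which undoes any manual ordering.
    if any(t.upper() == "@STRENGTH" for t in tokens):
        findings.append("@STRENGTH present: list is re-sorted by strength")

    # Step 2: the preferred ciphers must lead the list, in the given order.
    if tokens[:len(preferred)] != list(preferred):
        findings.append("preferred ciphers are not at the start of the list")

    # Step 3: without this bit the client's ordering decides the cipher.
    if not options & SSL_OP_CIPHER_SERVER_PREFERENCE:
        findings.append("SSL_OP_CIPHER_SERVER_PREFERENCE (0x00400000) not set")

    # The technote's example value also carries the Disable SSLv2 bit.
    if not options & DISABLE_SSLV2:
        findings.append("Disable SSLv2 (0x01000000) not set")
    return findings


# Constructed sample inputs: the technote's example, then a profile that
# still has @STRENGTH and lacks the server-preference bit.
# The cipher names are the page's 2013 values; RC4 was later prohibited for
# TLS by RFC 7465, so pass whichever ciphers you actually want preferred.
GOOD = ("RC4-SHA:RC4-MD5:HIGH:MEDIUM:!aNULL:!eNull", "0x01400FFF")
BAD = ("HIGH:MEDIUM:!aNULL:!eNull:@STRENGTH", "0x01000FFF")

if __name__ == "__main__":
    for ciphers, opts in (GOOD, BAD):
        result = audit_profile(ciphers, opts, ["RC4-SHA", "RC4-MD5"])
        print(ciphers, opts, "->", result or "OK")
```

Feed it the ciphers and option-string values shown by show crypto after the change.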

Further information regarding option-strings can be found in the WebSphere DataPower InfoCenter:

IBM WebSphere DataPower Version 5.0 Information Center
http://pic.dhe.ibm.com/infocenter/wsdatap/v5r0m0/index.jsp



Document information

More support for: WebSphere DataPower SOA Appliances, General
Software version: 3.8.2, 4.0.1, 4.0.2, 5.0.0
Operating system(s): Firmware
Reference #: 1627191
Modified date: 2013-04-19
