Use Preferred Cipher Suites on IBM WebSphere DataPower SOA Appliances

Technote (FAQ)


Can the DataPower SSL server, which is defined with a reverse SSL Proxy Profile, be modified to use a preferred cipher suite?


By default, the DataPower SSL server uses the preferred cipher list that is sent by the remote SSL client.


In order for the DataPower SSL server to use its own preferred cipher list, use the following steps to define a preferred cipher suite (This can only be done using the DataPower command line interface):

  1. Remove the @STRENGTH syntax from the ciphers list in the Crypto Profile
  2. Add the preferred cipher to the beginning of the ciphers list. For example to make RC4-SHA the preferred cipher, the cipher string should look as follows:
  3. Add the option-string SSL_OP_CIPHER_SERVER_PREFERENCE (0x00400000) to the Crypto Profile to override the SSL client's cipher preference.

    When used in combination with the Default option (0x000FFFFF) and the Disable SSLv2 option (0x01000000), the resulting value is 0x01400FFF.

For Example:

Make RC4-SHA and RC4-MD5 the preferred ciphers for the DataPower SSL server, override the client's preferred ciphers, and use the default options with the following steps:

  1. Access the DataPower appliance command line interface.
  2. Switch to the appropriate service domain by using the switch domain command.

Enter the following commands to modify the crypto profile:

show crypto //display your Crypto Profile details
profile <your crypto profile name>
ciphers RC4-SHA:RC4-MD5:HIGH:MEDIUM:!aNULL:!eNull
option-string 0x01400FFF
show crypto //confirm the changes
write mem

Further information regarding option-strings can be found in the WebSphere DataPower InfoCenter:

IBM WebSphere DataPower Version 5.0 Information Center

Document information

More support for:

IBM DataPower Gateways

Software version:

3.8.2, 4.0.1, 4.0.2, 5.0.0

Operating system(s):


Reference #:


Modified date:


Translate my page

Content navigation