Use Preferred Cipher Suites on IBM WebSphere DataPower SOA Appliances
Can the DataPower SSL server, which is defined with a reverse SSL Proxy Profile, be modified to use a preferred cipher suite?
By default, the DataPower SSL server uses the preferred cipher list that is sent by the remote SSL client.
In order for the DataPower SSL server to use its own preferred cipher list, use the following steps to define a preferred cipher suite (This can only be done using the DataPower command line interface):
- Remove the @STRENGTH syntax from the ciphers list in the Crypto Profile
- Add the preferred cipher to the beginning of the ciphers list. For example to make RC4-SHA the preferred cipher, the cipher string should look as follows:
- Add the option-string SSL_OP_CIPHER_SERVER_PREFERENCE (0x00400000) to the Crypto Profile to override the SSL client's cipher preference.
Note, this will need to be calculated along with your other crypto options as notated below:
So for a crypto profile with default-setting enabled (0x00000FFF), SSLv2 disabled (0x01000000), SSLv3 disabled (0x02000000) and adding the SSL_OP_CIPHER_SERVER_PREFERENCE (0x00400000), the resulting value is: 0x03400FFF
Make RC4-SHA and RC4-MD5 the preferred ciphers for the DataPower SSL server, override the client's preferred ciphers, and use the default options with the following steps:
- Access the DataPower appliance command line interface.
- Switch to the appropriate service domain by using the switch domain command.
Enter the following commands to modify the crypto profile:
show crypto //display your Crypto Profile details
profile <your crypto profile name>
show crypto //confirm the changes
Further information regarding option-strings can be found in the WebSphere DataPower InfoCenter:
IBM WebSphere DataPower Version 5.0 Information Center