IBM Support

Use Preferred Cipher Suites on IBM WebSphere DataPower SOA Appliances

Technote (FAQ)


Can the DataPower SSL server, which is defined with a reverse SSL Proxy Profile, be modified to use a preferred cipher suite?


By default, the DataPower SSL server uses the preferred cipher list that is sent by the remote SSL client.


In order for the DataPower SSL server to use its own preferred cipher list, use the following steps to define a preferred cipher suite (This can only be done using the DataPower command line interface):

  1. Remove the @STRENGTH syntax from the ciphers list in the Crypto Profile
  2. Add the preferred cipher to the beginning of the ciphers list. For example to make RC4-SHA the preferred cipher, the cipher string should look as follows:
  3. Add the option-string SSL_OP_CIPHER_SERVER_PREFERENCE (0x00400000) to the Crypto Profile to override the SSL client's cipher preference.

Note, this will need to be calculated along with your other crypto options as notated below:
default-setting 0x00000FFF (default)
Disable-SSLv2 0x01000000 (default)
Disable-SSLv3 0x02000000 (default)
Disable-TLSv1 0x04000000
Enable-Legacy-Renegotiation 0x00040000
Enable-Compression 0x00020000
Disable-TLSv1d1 0x10000000
Disable-TLSv1d2 0x08000000

So for a crypto profile with default-setting enabled (0x00000FFF), SSLv2 disabled (0x01000000), SSLv3 disabled (0x02000000) and adding the SSL_OP_CIPHER_SERVER_PREFERENCE (0x00400000), the resulting value is: 0x03400FFF

For Example:

Make RC4-SHA and RC4-MD5 the preferred ciphers for the DataPower SSL server, override the client's preferred ciphers, and use the default options with the following steps:

  1. Access the DataPower appliance command line interface.
  2. Switch to the appropriate service domain by using the switch domain command.

Enter the following commands to modify the crypto profile:

show crypto //display your Crypto Profile details
profile <your crypto profile name>
ciphers RC4-SHA:RC4-MD5:HIGH:MEDIUM:!aNULL:!eNull
option-string 0x03400FFF
show crypto //confirm the changes
write mem

Further information regarding option-strings can be found in the WebSphere DataPower InfoCenter:

IBM WebSphere DataPower Version 5.0 Information Center

Document information

More support for: IBM DataPower Gateways

Software version: 6.0.0, 6.0.1, 7.0.0, 7.1, 7.2, 7.5

Operating system(s): Firmware

Reference #: 1627191

Modified date: 09 May 2016