IBM Support

Disable SSLv3 in DataPower WebSphere Java Message Service (JMS) objects

Question & Answer


Question

How do I prevent DataPower from using SSLv3 when communicating with WebSphere Java Message Service (JMS)?

Cause

Due to various vulnerabilities reported in the SSLv3 protocol, it is highly recommended to disable SSLv3 across all configuration objects in DataPower.

Answer

  1. First, quiesce all domains and services to stop traffic to the appliance. The system quiesce and unquiesce commands can be invoked by navigating to Administration --> Main --> System Control.

  2. There are two things you can do to prevent DataPower from communicating with WebSphere JMS using SSLv3.

    1. In WebSphere Application Server, choose an SSL protocol setting that does not include SSLv3.

    2. In the DataPower Control Panel, navigate to the "Configure WebSphere JMS" page. Under the "SSL" tab, set the "WebSphere JMS SSL Cipher Specification" parameter to one of the cipher specifications listed below. The selected specification replaces the cipher suite that is assigned as part of the SSL Proxy Profile configuration.

      For DataPower versions 6.0.1 and later:

      TLS_RSA_WITH_3DES_EDE_CBC_SHA
      TLS_RSA_WITH_AES_128_CBC_SHA
      TLS_RSA_WITH_AES_256_CBC_SHA
      TLS_RSA_WITH_AES_128_CBC_SHA256
      TLS_RSA_WITH_AES_256_CBC_SHA256

      For DataPower versions prior to 6.0.1:

      TLS_RSA_WITH_3DES_EDE_CBC_SHA
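
One way to confirm the result from a packet capture of the DataPower-to-WebSphere JMS handshake, as an added example that is not IBM's code: the Python below parses a ServerHello record and flags a negotiated SSLv3 version or a cipher suite outside the list for 6.0.1 and later. The function names and sample bytes are constructed for illustration; the code points are the IANA values for the cipher names listed above.

```python
import struct

# IANA code points for the cipher specifications listed on this page (6.0.1 and later).
PAGE_CIPHERS = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
}
SSLV3 = 0x0300  # protocol version field value for SSL 3.0

def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated version and cipher suite from one ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # Content type 0x16 = handshake, handshake message type 0x02 = ServerHello.
    if ctype != 0x16 or len(body) < max(rec_len, 4) or body[0] != 0x02:
        raise ValueError("not a complete ServerHello record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: version(2) random(32) sid_len(1) sid(n) cipher_suite(2) compression(1)
    if len(hello) < 35 or len(hello) < 35 + hello[34] + 3:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]
    return {"version": struct.unpack("!H", hello[:2])[0],
            "suite": struct.unpack("!H", hello[off:off + 2])[0]}

def audit(record: bytes) -> list:
    """List findings for one captured ServerHello; an empty list means it passes."""
    hello = parse_server_hello(record)
    findings = []
    if hello["version"] == SSLV3:
        findings.append("negotiated SSLv3")
    if hello["suite"] not in PAGE_CIPHERS:
        findings.append("cipher suite 0x%04X is not in the page's list" % hello["suite"])
    return findings

def sample_server_hello(version: int, suite: int) -> bytes:
    """Constructed test input: a minimal ServerHello with an empty session id."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs

if __name__ == "__main__":
    for ver, suite in [(0x0300, 0x000A), (0x0303, 0x003C), (0x0301, 0x0005)]:
        print(hex(ver), audit(sample_server_hello(ver, suite)))
```

For firmware prior to 6.0.1, reduce `PAGE_CIPHERS` to the single 3DES entry so that any other suite is reported.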


Document Information

Modified date:
08 June 2021

UID

swg21687482