Troubleshooting
Problem
The LogJam attack on Diffie-Hellman ciphers (CVE-2015-4000) affects some configurations of IBM Security Key Lifecycle Manager.
Symptom
Potential Risk
Resolving The Problem
Remediation/Fixes
The fixes are in the following fix packs:
Product | VRMF | APAR | Remediation/First Fix |
TKLM | 1.0 | IV74817 | 1.0.0-TIV-TKLM-FP0008 |
TKLM | 2.0 | IV74818 | 2.0.0-ISS-TKLM-FP0010 |
TKLM | 2.0.1 | IV74819 | 2.0.1-ISS-TKLM-FP0008 |
SKLM | 2.5 | IV74820 | 2.5.0-ISS-SKLM-FP0006 |
Workarounds and Mitigations
There are multiple cases:
Case 1: The TKLM/SKLM configuration file has the TransportListener.ssl.ciphersuites property set and the value includes DH/DHE ciphers.
Workaround: Remove the DH/DHE ciphers and set only non-DH ciphers in this property. For example, the following ciphers can be used:
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256
Case 2: The TKLM/SKLM configuration file does not specify the TransportListener.ssl.ciphersuites property, or specifies it with the value JSSE_ALL.
Workaround: Specify this property with non-DH ciphers as described in the workaround for Case 1 above, or log in to WebSphere Application Server and create a custom cipher suite group that contains no DH/DHE ciphers. Custom cipher suites can be created in the WAS console UI under SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
Case 3: The TKLM/SKLM configuration file has the TransportListener.ssl.ciphersuites property set and the value does not include any DH/DHE ciphers.
Workaround: This configuration is not exposed to the vulnerability and nothing needs to be done.
The TKLM/SKLM configuration file is named TKLMgrConfig.properties for TKLM v1.x to v2.0.x and SKLMConfig.properties for SKLM v2.5.x.
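As an added example, not part of this bulletin or of the product, the following Python script reads the TransportListener.ssl.ciphersuites property from a TKLMgrConfig.properties or SKLMConfig.properties file, decides which of the three cases above applies, and produces a replacement value with the DH/DHE suites removed. The sample configuration is constructed; it assumes suites are comma-separated and that ECDH/ECDHE suites, which are not LogJam targets, are left in place.

```python
import re

PROPERTY = "TransportListener.ssl.ciphersuites"
# Non-DH suites from the bulletin's Case 1 list; used when nothing else would remain.
SAFE_DEFAULT = ["SSL_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                "SSL_RSA_WITH_AES_128_GCM_SHA256", "SSL_RSA_WITH_AES_128_CBC_SHA256"]
# Finite-field DH/DHE key exchange (SSL_DH_*, SSL_DHE_*, TLS_DH_*, TLS_DHE_*, incl. DH_anon).
# Assumption: ECDH/ECDHE suites are not LogJam targets and are left in place.
DH_SUITE = re.compile(r"^(?:SSL|TLS)_DHE?_", re.IGNORECASE)

# Constructed SKLMConfig.properties fragment, not taken from any real installation.
SAMPLE_CONFIG = """\
# constructed example
TransportListener.ssl.port=441
TransportListener.ssl.ciphersuites=SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

def read_property(config_text, name=PROPERTY):
    """Return the raw value of a key from Java .properties text, or None if absent."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank or comment line
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m and m.group(1) == name:
            return m.group(2).strip()
    return None

def split_suites(value):
    return [s.strip() for s in value.split(",") if s.strip()]

def classify(config_text):
    """Map a config to the bulletin's Case 1/2/3 and list the DH/DHE suites found."""
    value = read_property(config_text)
    if value is None or value.upper() == "JSSE_ALL":
        return 2, []  # Case 2: property absent or JSSE_ALL, so the JSSE default list decides
    dh = [s for s in split_suites(value) if DH_SUITE.match(s)]
    return (1, dh) if dh else (3, [])  # Case 1 if any DH/DHE suite is set, otherwise Case 3

def hardened_value(config_text):
    """Return a replacement value with every DH/DHE suite removed (order preserved)."""
    value = read_property(config_text)
    kept = [] if value is None or value.upper() == "JSSE_ALL" else \
        [s for s in split_suites(value) if not DH_SUITE.match(s)]
    return ",".join(kept or SAFE_DEFAULT)  # fall back to the bulletin's non-DH list
```

Run classify() and hardened_value() on the file contents; on the sample they report Case 1 and drop the two DH suites while keeping the RSA and ECDHE ones.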
You should verify that applying this configuration change does not cause any compatibility issues. Leaving the DH/DHE ciphers enabled leaves you exposed to the attack described above. IBM recommends that you review your entire environment to identify other areas where DH/DHE ciphers are enabled and take appropriate mitigation and remediation actions.
Solution: Take the necessary action as described in the security bulletin https://www-304.ibm.com/support/docview.wss?uid=swg21960935
NOTE: TKLM v1.x and v2.0.x are End of Support.
Document Information
Modified date: 16 June 2018
UID: swg21960261