Transport layer security and secure sockets layer

WebSphere® eXtreme Scale supports both TCP/IP and Transport Layer Security/Secure Sockets Layer (TLS/SSL) for secure communication between clients and servers.

TLS and SSL encryption for clients and servers

TLS/SSL is sometimes enabled in one direction. For example, the server public certificate is imported in the client truststore, but the client public certificate is not imported into the server truststore. However, WebSphere eXtreme Scale extensively uses data grid agents. A characteristic of a data grid agent, when ORB transport is used, is that when the server sends responses back to the client, it creates a new connection. The eXtreme Scale server then acts as a client. Therefore, you must import the client public certificate into the server truststore.

[Version 8.6.0.2 and later] When an XIO server sends responses, a new connection is not created. Instead, XIO reuses the existing connections from the client-to-server direction.

Transport layer security for the Oracle JDK

Use the Oracle JRE for SSL with the following limitations.
  • [Version 8.6.0.5 and later] FIPS 140-2 and SP800-131a are not supported for eXtreme Scale when the Oracle JRE is used.
  • When you use the ORB transport, the eXtreme Scale client can run SSL or TLS using the Oracle JRE. When you use the Oracle JRE, specify the Sun JSSE provider (instead of the IBMJSSE2 provider) in the contextProvider property of the eXtreme Scale client properties file (for clients) or the eXtreme Scale server properties file (for servers).
  • [Version 8.6 and later] When you use XIO, the eXtreme Scale client can run on the Oracle JRE when you specify SSL or TLS. The client properties file must specify a contextProvider of the Sun JSSE. You cannot run the eXtreme Scale server in XIO mode on the Sun JRE if the server uses SSL or TLS.
[Version 8.6.0.5 and later] Transport layer security for NIST SP800-131a support

The National Institute of Standards and Technology (NIST) Special Publication 800-131a has defined minimum standards for TLS cryptography, which strengthen data encryption using cryptographic keys. You can enable SP800-131a support in either transition mode or strict mode.

During the transition period, you can run in a mixed environment of settings that the standard does not support alongside settings that it does. The NIST SP800-131a standard requires that users be configured for strict enforcement of the standard by a specific timeframe.

Strict enforcement of NIST SP800-131a support in WebSphere eXtreme Scale includes the following requirements:
  • Certificates must have a minimum key length of 2048 bits.
  • Elliptic Curve (EC) certificates require a minimum size of 244-bit curves.
  • Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512.
  • The following signature algorithms are valid:
    • SHA256withRSA
    • SHA384withRSA
    • SHA512withRSA
    • SHA256withECDSA
    • SHA384withECDSA
    • SHA512withECDSA
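As an added example (not IBM code), the following Go program applies these strict-mode requirements to a parsed X.509 certificate and reports every requirement it fails. The two certificates in main are constructed stand-ins with only the fields the check reads populated, as they would be after x509.ParseCertificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
)

// CheckStrict reports each strict-mode requirement from the list above that the
// certificate violates; an empty result means the certificate is acceptable.
// Only RSA and EC keys are examined, as those are the key types the list names.
func CheckStrict(cert *x509.Certificate) (problems []string) {
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if n := pub.N.BitLen(); n < 2048 {
			problems = append(problems, fmt.Sprintf("RSA key is %d bits; minimum is 2048", n))
		}
	case *ecdsa.PublicKey:
		// Curve-size threshold as given in the list above.
		if n := pub.Curve.Params().BitSize; n < 244 {
			problems = append(problems, fmt.Sprintf("EC curve is %d bits; minimum is 244", n))
		}
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		// One of the six signature algorithms the list permits.
	default:
		problems = append(problems, "signature algorithm "+cert.SignatureAlgorithm.String()+" is not permitted")
	}
	return problems
}

// The certificates below are constructed stand-ins: only the fields CheckStrict
// reads are populated, as they would be after x509.ParseCertificate.
func main() {
	weak, _ := rsa.GenerateKey(rand.Reader, 1024)
	legacy := &x509.Certificate{PublicKey: &weak.PublicKey, SignatureAlgorithm: x509.SHA1WithRSA}
	strong, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	modern := &x509.Certificate{PublicKey: &strong.PublicKey, SignatureAlgorithm: x509.ECDSAWithSHA256}
	fmt.Println("legacy:", CheckStrict(legacy)) // two findings: key length and signature algorithm
	fmt.Println("modern:", CheckStrict(modern)) // no findings
}
```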

[Version 8.6.0.5 and later] The Java runtime for WebSphere eXtreme Scale supports SP800-131a. However, client browsers must support the minimum TLS version. All major browsers support TLS 1.0. However, see for the minimum support levels for versions 1.1 and 1.2. The browser used to access the administrative console or an application must use a protocol that is compatible with the server. If the server is running in a transition mode, the browser must be set to use the protocol that matches the server. The SP800-131 standard requires that the SSL connection use the TLS 1.2 protocol, so the browser must support TLS 1.2 and use it to access the administrative console.