PK40407: WEBSPHERE MAY SUBSTITUTE ITS OWN LIST OF CIPHER SUITES THAT OVERRIDES THE LIST SPECIFIED IN THE ADMINISTRATIVE CONSOLE.
APAR status
Closed as program error.

Error description
WebSphere substitutes its own list of cipher suites in certain cases, and this overrides the expected set of cipher suites that are listed in the administrative console. This APAR addresses the issue.

Local fix

Problem summary
USERS AFFECTED: All users of WebSphere Application Server V6.0.1 for z/OS.

PROBLEM DESCRIPTION: For WebSphere Application Server for z/OS, when an SSL connection is established between two applications that use client certificates for authentication, the cipher selected is the lowest cipher common to the cipher suite lists of the two SSL configurations, and that cipher provides no encryption. The strongest cipher common to both lists is expected to be used instead of a cipher with NULL encryption.

RECOMMENDATION:

For WebSphere Application Server for z/OS applications that establish SSL connections using a JSSE provider, the cipher selected in the handshake is one that provides no encryption, instead of a stronger cipher common to both cipher suite lists. This happens when the servers reside in the same sysplex. Examples of ciphers with no encryption are SSL_RSA_WITH_NULL_MD5 and SSL_RSA_WITH_NULL_SHA. Such a cipher still authenticates the peers and integrity-protects each record with its MAC, but application data crosses the connection in the clear.

Problem conclusion
The code was modified to provide the capability to disable the optimization that uses ciphers with no encryption when SSL connections are established within the same sysplex. The property that disables the sysplex single-hop optimization is security_disable_sysplex_encryption_optimization.

APAR PK40407 requires changes to WebSphere Application Server for z/OS V6.0.1 documentation.

NOTE: Periodically, we refresh the documentation on our Web site, so the changes might have been made before you read this text. To access the latest on-line documentation, go to the product library page at: http://www.ibm.com/software/webservers/appserv/was/library/

The V6.0.x WebSphere Application Server for z/OS Information Center article "Security tuning tips" will be updated to include the following description of the new custom property:

Setting the custom property security_disable_sysplex_encryption_optimization disables the optimization that is used for communicating applications that use SSL and reside in the same sysplex. Setting this custom property allows the handshake between a client using a JSSE provider and a server that uses System SSL to select the cipher that provides the strongest encryption. When the optimization is enabled, the cipher selected is one that is common to both cipher suite lists and does not provide encryption. Examples of such ciphers are SSL_RSA_WITH_NULL_MD5 and SSL_RSA_WITH_NULL_SHA.

Note: You set this custom property by using the Administrative Console Environment > WebSphere Variables panel.

APAR PK40407 is currently targeted for inclusion in Service Level (Fix Pack) 6.0.2.23 of WebSphere Application Server V6.0.1 for z/OS.

Temporary fix

Comments
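As an added example (not IBM's code, and not the WebSphere or System SSL selection logic), the following Python models the two selection behaviours the APAR describes and adds the check a practitioner would run afterwards: flag any NULL-encryption suite in a configured cipher list, and flag a negotiated connection whose cipher carries no encryption, using the (name, protocol, bits) tuple that Python's ssl.SSLSocket.cipher() returns. The cipher suite lists, the strength table and the selection rule are constructed assumptions drawn from the APAR text; the custom property itself is not modelled because the page does not state the value it takes.

```python
"""Model of the cipher selection behaviour described in APAR PK40407,
plus checks for NULL-encryption cipher suites.

Added example, not IBM code. The suite lists, the strength table and
select_cipher() are assumptions built from the APAR text; they do not
reproduce the real JSSE / System SSL handshake.
"""
import re

# Assumed strength table: approximate effective key bits of the bulk cipher
# named in a JSSE-style suite. NULL is 0 because it encrypts nothing.
_ENCRYPTION_BITS = {
    "NULL": 0,
    "RC4_40": 40,
    "DES_CBC": 56,
    "3DES_EDE_CBC": 112,
    "RC4_128": 128,
    "AES_128_CBC": 128,
    "AES_128_GCM": 128,
    "AES_256_CBC": 256,
    "AES_256_GCM": 256,
}

_SUITE_RE = re.compile(r"^(?:SSL|TLS)_[A-Z0-9_]+?_WITH_(.+)_(MD5|SHA\d*)$")


def is_null_encryption(suite: str) -> bool:
    """True when a JSSE-style suite name uses the NULL bulk cipher,
    e.g. SSL_RSA_WITH_NULL_MD5 or SSL_RSA_WITH_NULL_SHA."""
    return "_WITH_NULL_" in suite


def encryption_bits(suite: str) -> int:
    """Effective encryption strength of a suite name via the assumed table."""
    m = _SUITE_RE.match(suite)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {suite}")
    bulk = m.group(1)
    if bulk not in _ENCRYPTION_BITS:
        raise ValueError(f"no strength entry for bulk cipher {bulk!r} in {suite}")
    return _ENCRYPTION_BITS[bulk]


def null_suites(suites):
    """Configuration audit: the suites in a list that provide no encryption."""
    return [s for s in suites if is_null_encryption(s)]


def select_cipher(client_suites, server_suites, sysplex_optimization: bool) -> str:
    """Model the two behaviours the APAR describes.

    With the same-sysplex optimization in effect, a NULL cipher that both
    sides list is chosen (the first one in client preference order). With
    the optimization disabled, the strongest common cipher is chosen.
    """
    common = [s for s in client_suites if s in server_suites]
    if not common:
        raise ValueError("no cipher suite in common; the handshake would fail")
    if sysplex_optimization:
        nulls = null_suites(common)
        if nulls:
            return nulls[0]
    return max(common, key=encryption_bits)


def check_negotiated_cipher(cipher_info):
    """Check the (name, protocol, secret_bits) tuple that ssl.SSLSocket.cipher()
    returns on a live connection. OpenSSL names NULL suites e.g. 'NULL-SHA'.
    Returns (ok, reason)."""
    name, protocol, bits = cipher_info
    if bits == 0 or "NULL" in name.split("-") or is_null_encryption(name):
        return False, f"{name} over {protocol} provides no encryption"
    return True, f"{name} over {protocol} with {bits}-bit encryption"


# Constructed example lists (not taken from any real WebSphere configuration).
CLIENT_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_RSA_WITH_NULL_MD5",
]
SERVER_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_MD5",
    "SSL_RSA_WITH_NULL_SHA",
]

if __name__ == "__main__":
    for opt in (True, False):
        chosen = select_cipher(CLIENT_SUITES, SERVER_SUITES, sysplex_optimization=opt)
        print(f"optimization {'enabled' if opt else 'disabled'}: {chosen}")
    print("NULL suites in client list:", null_suites(CLIENT_SUITES))
    # Constructed tuple in the shape ssl.SSLSocket.cipher() returns.
    print(check_negotiated_cipher(("NULL-SHA", "TLSv1", 0)))
```

With the constructed lists, the optimized path returns SSL_RSA_WITH_NULL_SHA while the corrected path returns TLS_RSA_WITH_AES_128_CBC_SHA (AES-256 is absent from the server side). Removing the NULL suites from both configured lists is the simpler defence where the deployment allows it; in any case, confirm the result on the wire, since the cipher suite a server actually selected is visible in its Server Hello in a packet capture and does not depend on what either console displays.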
APAR is sysrouted FROM one or more of the following: PK40353
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Document Information
Current web document: swg1PK40407.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 601
Software edition:
Reference #: PK40407
IBM Group: Software Group
Modified date: Nov 2, 2007
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.