Control Which Cipher Suites Are Enabled for the Security Server

If you are using SSL, you can specify which cipher suites or sets of ciphers can be used to provide the encryption algorithms for the SSL communication.

Many different algorithms exist for encrypting data and computing the message authentication code. Some provide the highest levels of security, but require a large amount of computation for encryption and decryption; others are less secure, but provide rapid encryption and decryption. The length of the key used for encryption affects the level of security -- the longer the key, the more secure the data. So that you can select the level of security that suits your needs, and at the same time enable communication with others who might have different security requirements, SSL defines cipher suites, or sets of ciphers. When an SSL connection is established, the client and server exchange information about which cipher suites they have in common. They then communicate using the common cipher suite that offers the highest level of security. If they do not have a cipher suite in common, then secure communication is not possible and no SSL connection may be established.

You specify the cipher suites for your system by providing values for the server.default.ciphersuites property in the lsservice.properties configuration file. Tools are available to report on available cipher suites and to enable trace logging on cipher suites.

Considerations:

  • This feature allows you to select the level of security that suits your needs, but this should be balanced with performance considerations. Cipher suites that provide higher security generally have a higher impact on performance.

  • If you specify a limited set of cipher suites, the risk is that no SSL connection can be established. This is because the SSL connection can only be established if the client and server can find a cipher suite in common.

  • The Security Server communicates with other components such as WebSphere. Just because a cipher suite is supported for use with the Security Server does not mean that the component connecting to the Security Server will support the same cipher suites and be able to communicate with the Security Server.