IBM Support

Guide to disable weak, medium, null ciphers on SBI secure HTTP interfaces and Tool to identify available ciphers on IBM SBI

Technical Blog Post



Security has become a central concern across software products, and vendors are taking great care to protect their products from vulnerabilities. This applies to IBM Sterling B2B Integrator (SBI) as well.

Security scan tools often report the use of less-secure ciphers in the web application archives (wars) deployed on the SBI NoAppServer, i.e., the embedded Jetty listening at the base port (HTTP) and base port+1 (HTTPS). A few of these interfaces are:

dashboard - https://host:<port+1>/dashboard

filegateway - https://host:<port+1>/filegateway

mailbox - https://host:<port+1>/mailbox

Note - Wherever "SBI secure HTTP interfaces" is referred to in this article, it means only the wars deployed on Jetty at base port+1.

 

SBI offers configuration options to suppress the use of weak, medium and null ciphers on these secure HTTP interfaces. This article gives the instructions for keeping the SBI secure HTTP interfaces from using less-secure ciphers. A separate article will cover wars deployed on the SBI HTTP Server adapter.

Before jumping into the core topic, let us look at ciphers and the criteria used to rate cipher strength.

As defined by the OpenSSL project (ciphers(1) manual page), the cipher strength classes are:

  • HIGH - "high" encryption cipher suites, currently those with key lengths of 128 bits or more.
  • MEDIUM - "medium" encryption cipher suites, currently some of those using 128-bit encryption.
  • LOW - "low" encryption cipher suites, currently those using 64- or 56-bit encryption algorithms, but excluding export cipher suites.
  • eNULL or NULL - cipher suites offering no encryption. Because they offer no encryption at all and are a security risk, they are disabled unless explicitly included.

 

1. NULL Ciphers in SBI secure HTTP interfaces:

1.1 Default configuration

By default, the SBI secure HTTP interfaces do not use NULL ciphers: in the default configuration the suites TLS_RSA_WITH_NULL_MD5, TLS_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5 and SSL_RSA_WITH_NULL_SHA are treated as null ciphers and excluded. If a security scan report still flags other null ciphers on your SBI server, your OS/JDK and internal library combination is most likely adding them; follow the steps below to suppress those as well.

Sample security scan report against SBI that listed NULL ciphers:

Plugin Output:

Here is the list of null SSL ciphers supported by the remote server:

 

TLSv1

ECDHE-RSA-NULL-SHA Kx=ECDH Au=RSA Enc=None Mac=SHA1

 

##Documentation for allowNullCiphers & NullCiphers properties that are used to suppress NULL ciphers##

security.allowNullCiphers - Boolean property (true or false) that tells SBI whether NULL ciphers may be used. Default is false.

security.NullCiphers - comma-separated list of NULL ciphers. These are the ONLY ciphers the SBI secure HTTP interfaces exclude from use. The list is consulted ONLY when security.allowNullCiphers is false (which is the default).

 

  1. Stop the SBI server.
  2. Edit <sbi_install>/properties/customer_overrides.properties and add the following, e.g.:

security.allowNullCiphers=false

security.NullCiphers=TLS_RSA_WITH_NULL_MD5,TLS_RSA_WITH_NULL_SHA,SSL_RSA_WITH_NULL_MD5,SSL_RSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA

  3. Start SBI to pick up these configuration changes.

Note that TLS_ECDHE_RSA_WITH_NULL_SHA is the standard (JSSE) cipher suite name corresponding to the OpenSSL-format name ECDHE-RSA-NULL-SHA reported by the scanner. Keep the whole property value on a single line: a Java properties value continued on a second line needs a trailing backslash.
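As an added example (not part of the original article and not SBI product code), the following Python script shows how to turn the scanner's OpenSSL-format "Plugin Output" lines into the standard TLS_... names that security.NullCiphers expects, and to emit the two customer_overrides.properties lines from the procedure above. The scan lines are constructed from the two reports quoted in this article plus two extra lines for contrast; the Kx/Au/Enc/Mac-to-name tables are this example's own assumptions (scanners print Kx=DH and Kx=ECDH for the ephemeral EDH/ECDHE suites) and cover only the CBC and stream suites seen in such reports.

```python
import re

# Null suites SBI excludes by default (section 1.1 of the article).
DEFAULT_NULL_CIPHERS = [
    "TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_NULL_SHA",
    "SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA",
]

# Constructed sample of scanner "Plugin Output" (OpenSSL `ciphers -v` format):
# the lines quoted in the article plus NULL-MD5 and AES128-SHA for contrast.
SCAN_OUTPUT = """\
TLSv1
ECDHE-RSA-NULL-SHA Kx=ECDH Au=RSA Enc=None Mac=SHA1
NULL-MD5 Kx=RSA Au=RSA Enc=None Mac=MD5
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Assumption of this example: scanners print Kx=DH / Kx=ECDH for the ephemeral
# (EDH-/ECDHE-) suites, so (Kx, Au) maps onto the standard key-exchange token.
KEY_EXCHANGE = {
    ("RSA", "RSA"): "RSA",
    ("DH", "RSA"): "DHE_RSA",     ("DH", "DSS"): "DHE_DSS",
    ("ECDH", "RSA"): "ECDHE_RSA", ("ECDH", "ECDSA"): "ECDHE_ECDSA",
    ("DH", "None"): "DH_anon",    ("ECDH", "None"): "ECDH_anon",
}
# OpenSSL Enc= field -> (standard token, key bits). Enc=None is a NULL cipher.
ENCRYPTION = {
    "None": ("NULL", 0),
    "DES-CBC(56)": ("DES_CBC", 56),
    "3DES(168)": ("3DES_EDE_CBC", 168),
    "RC4(128)": ("RC4_128", 128),
    "AES(128)": ("AES_128_CBC", 128),
    "AES(256)": ("AES_256_CBC", 256),
}
MAC = {"MD5": "MD5", "SHA1": "SHA", "SHA256": "SHA256", "SHA384": "SHA384"}


def to_standard_name(line):
    """Map one scanner line to (TLS_... name, encryption key bits), or None if
    the line is not a cipher line (e.g. the 'TLSv1' protocol header)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        kx = KEY_EXCHANGE[(m["kx"], m["au"])]
        enc, bits = ENCRYPTION[m["enc"]]
        mac = MAC[m["mac"]]
    except KeyError as e:
        raise ValueError(f"unsupported field {e} in line: {line!r}") from None
    return f"TLS_{kx}_WITH_{enc}_{mac}", bits


def parse_scan(text):
    """All (openssl_name, standard_name, bits) triples in a scanner report."""
    out = []
    for line in text.splitlines():
        mapped = to_standard_name(line)
        if mapped:
            out.append((line.split()[0], mapped[0], mapped[1]))
    return out


def null_cipher_overrides(text):
    """The two customer_overrides.properties lines from section 1.1: the default
    exclusions plus every NULL suite the scan found that is not yet listed."""
    excluded = list(DEFAULT_NULL_CIPHERS)
    for _, name, bits in parse_scan(text):
        if bits == 0 and name not in excluded:
            excluded.append(name)
    # Keep the whole value on ONE line: java.util.Properties only continues a
    # value onto the next line after a trailing backslash.
    return ["security.allowNullCiphers=false",
            "security.NullCiphers=" + ",".join(excluded)]


def weak_non_null(text):
    """Standard names of non-NULL suites below 128-bit encryption; these are the
    ones section 2 says to keep OUT of security.StrongCipherSuite."""
    return [name for _, name, bits in parse_scan(text) if 0 < bits < 128]


if __name__ == "__main__":
    for prop in null_cipher_overrides(SCAN_OUTPUT):
        print(prop)
    print("# keep out of security.StrongCipherSuite:",
          ", ".join(weak_non_null(SCAN_OUTPUT)))
```

Running it on the constructed report yields the same security.NullCiphers line as the procedure above (the four defaults plus TLS_ECDHE_RSA_WITH_NULL_SHA; NULL-MD5 is already covered by the default TLS_RSA_WITH_NULL_MD5) and flags the two single-DES suites as the ones to leave out of the strong list in section 2.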

 

1.2 FIPS mode

If FIPSMode=true is set in sandbox.cfg and NIST.800-131a=off in security.properties, SBI still runs in FIPS mode. The configuration from 1.1 works the same way in FIPS mode. In addition, the SBI secure HTTP interfaces apply a further filter in FIPS mode, admitting only cipher suites whose encryption algorithm is 3DES or AES and whose hash/signing algorithm is SHA or SHA<n> (e.g. SHA256).

 

1.3 NIST mode

If NIST.800-131a=strict is set in security.properties, SBI runs in NIST mode. No NULL ciphers are expected here, because SSL communication in this mode is restricted to the TLS 1.2 protocol only. If a NULL cipher is nevertheless reported during communication, it can be excluded through the same security.NullCiphers property.

 

Note - NIST mode was introduced in SBI fix pack 5020402 (5.2.4.2). NIST stands for "National Institute of Standards and Technology". NIST mode is stricter than FIPS mode.

 

2. Non-NULL Ciphers in SBI secure HTTP interfaces:

Next, let us consider the other lower-strength ciphers. The following steps show how to suppress the use of weak and medium cipher suites by the SBI secure HTTP interfaces. In the default configuration the SBI secure HTTP interfaces place no restriction on cipher usage; that is, SBI uses every cipher that the platform/JDK it runs on makes available.

Sample security scan report against SBI that listed medium-strength ciphers:

Plugin Output:

Here is the list of medium strength SSL ciphers supported by the remote server:

 

TLSv1

EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

##Doc for dashboardCipherSuite property##

security.dashboardCipherSuite - string property that takes one of "strong", "weak" or "all". Each value selects the cipher suite list defined by the corresponding property security.StrongCipherSuite, security.WeakCipherSuite or security.AllCipherSuite. By default this property is not set, which means no restriction on the ciphers used by the SBI secure HTTP interfaces.



##Doc for StrongCipherSuite, WeakCipherSuite, AllCipherSuite properties##

security.StrongCipherSuite - comma-separated list of cipher suites; when security.dashboardCipherSuite=strong, these are the ONLY ciphers the SBI secure HTTP interfaces use. security.WeakCipherSuite and security.AllCipherSuite are the corresponding lists for the "weak" and "all" settings.

 

  1. Stop the SBI server.
  2. Edit <sbi_install>/properties/customer_overrides.properties and add the following, e.g.:

security.dashboardCipherSuite=strong

security.StrongCipherSuite=<list of comma separated strong ciphers, in standard TLS_... name format. Do not add EDH-RSA-DES-CBC-SHA (TLS_DHE_RSA_WITH_DES_CBC_SHA) and DES-CBC-SHA (TLS_RSA_WITH_DES_CBC_SHA) to this list>

  3. Start SBI to pick up these configuration changes.

Note - The NIST implementation in SBI 5.2.4.2 brought significant changes to the product as far as cipher suite configuration and usage are concerned. Another article will cover the 5.2.4.2 fix pack; section 2 applies to pre-5.2.4.2 fix packs only.

Note the difference between sections 1 and 2: security.NullCiphers is an exclusion list (everything listed is removed from the supported set), whereas security.StrongCipherSuite, security.WeakCipherSuite and security.AllCipherSuite are inclusion lists (only what is listed is used).
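As a second added example (again not the article's or the product's code), here is a Python model of the inclusion-list side of section 2 and of the FIPS filter described in section 1.2. It starts from a constructed list standing in for the output of the Java tool shown at the end of this article (the null suites and medium-strength suites the article says appear there, plus a few AES suites), derives a security.StrongCipherSuite value, and contrasts the exclusion semantics of security.NullCiphers with the inclusion semantics of security.StrongCipherSuite. Which suites count as "weak", and the FIPS filter expressed as a regular expression, are this example's own assumptions based on the article's descriptions.

```python
import re

# Constructed stand-in for the Java tool's output on an SBI JDK: the NULL suites
# and medium-strength suites the article mentions, plus a few stronger ones.
SUPPORTED_BY_JDK = [
    "TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_NULL_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA", "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

# What this example treats as weak (assumption): no encryption, single DES, RC4,
# export/40-bit grades, anonymous key exchange, and MD5 as the MAC.
WEAK_RE = re.compile(r"_WITH_NULL_|_WITH_DES_CBC_|_RC4_|_EXPORT_|_40_|_anon_|_MD5$")

# Model of the FIPS-mode filter from section 1.2 (assumption): 3DES or AES for
# encryption and SHA or SHA<n> as the hash.
FIPS_RE = re.compile(r"_WITH_(3DES|AES)_.*_SHA(\d+)?$")


def strong_cipher_suite(supported):
    """Inclusion list for security.StrongCipherSuite: supported suites minus weak ones."""
    return [s for s in supported if not WEAK_RE.search(s)]


def fips_filter(suites):
    """Suites that survive the FIPS-mode filter as the article describes it."""
    return [s for s in suites if FIPS_RE.search(s)]


def strong_overrides(supported):
    """customer_overrides.properties lines for section 2 (pre-5.2.4.2 fix packs)."""
    return ["security.dashboardCipherSuite=strong",
            "security.StrongCipherSuite=" + ",".join(strong_cipher_suite(supported))]


def effective_suites(supported, null_exclusions=(), strong_inclusions=None):
    """Which suites the interfaces end up with: security.NullCiphers REMOVES what
    it lists; security.StrongCipherSuite (with dashboardCipherSuite=strong) KEEPS
    only what it lists. With neither set, everything the JDK offers is used."""
    suites = [s for s in supported if s not in set(null_exclusions)]
    if strong_inclusions is not None:
        keep = set(strong_inclusions)
        suites = [s for s in suites if s in keep]
    return suites


if __name__ == "__main__":
    for prop in strong_overrides(SUPPORTED_BY_JDK):
        print(prop)
    # An anonymous AES suite passes the FIPS filter but not the strong list, so
    # FIPS mode alone is not a substitute for an explicit inclusion list.
    print("FIPS filter keeps:", fips_filter(SUPPORTED_BY_JDK))
    print("Strong list keeps:", effective_suites(
        SUPPORTED_BY_JDK, strong_inclusions=strong_cipher_suite(SUPPORTED_BY_JDK)))
```

Two points worth noting from the run: the anonymous TLS_DH_anon_WITH_AES_128_CBC_SHA suite passes the modelled FIPS filter (AES plus SHA) yet is rightly absent from the strong inclusion list, and 3DES stays in the strong list only because the OpenSSL HIGH definition quoted earlier admits 168-bit keys; on a current deployment a practitioner would also drop 3DES and prefer the ECDHE/GCM suites.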

 

Resources

A few resources that explain ciphers in depth are given below. They list cipher suite names alongside their OpenSSL names, which helps identify the exact standard cipher name from the OpenSSL-format name reported by a security scan tool (or another source).

https://www.openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_

https://www.openssl.org/docs/apps/ciphers.html#TLS_v1_0_cipher_suites_

https://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp

 

Sample Java Tool

For readers with a good knowledge of ciphers and their strengths, here is a simple Java tool that lists the ciphers available on a particular SBI/platform/JDK combination; this is the list the SBI server interfaces draw from. The tool can be tweaked to use any SSL/TLS version and/or SSL provider as needed. It should be run with the JDK of the SBI install, since that JDK has the provider-specific SSL libraries bundled with it.

Once the list is ready, configure the properties explained in the sections above.

 

/*****************************/
/** FetchAvailableCiphers.java **/
/*****************************/

import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

public class FetchAvailableCiphers {

    // Usage: java FetchAvailableCiphers [protocol] [provider]
    // Defaults: protocol "TLS", provider "CerticomJSSE" (the provider bundled with
    // the SBI JDK). Pass "-" as the provider to use the JDK's default JSSE provider.
    public static void main(String[] args) throws Exception {
        String protocol = args.length > 0 ? args[0] : "TLS";
        String provider = args.length > 1 ? args[1] : "CerticomJSSE";
        System.out.println("IBM TEST : SSL provider=" + provider + ", protocol=" + protocol);

        SSLContext sslcontext = "-".equals(provider)
                ? SSLContext.getInstance(protocol)
                : SSLContext.getInstance(protocol, provider);
        // Default key/trust managers are enough here; standard JSSE providers
        // refuse to hand out a socket factory from an uninitialized context.
        sslcontext.init(null, null, null);

        // getSupportedCipherSuites() is everything the provider can negotiate,
        // i.e. what SBI draws from when no cipher restriction is configured.
        SSLServerSocketFactory sslserversocketfactory = sslcontext.getServerSocketFactory();
        List<String> list = Arrays.asList(sslserversocketfactory.getSupportedCipherSuites());

        System.out.println("IBM TEST - List of " + list.size()
                + " available Ciphers for this particular IBM SBI install : " + list);
    }
}

 

Here is an example run of this tool on the JDK used by an SBI installation; by default, all of the SBI secure HTTP interfaces (in https mode) would use all of these ciphers. Looking closely at the list, it includes null ciphers (TLS_RSA_WITH_NULL_MD5, TLS_RSA_WITH_NULL_SHA) and some medium-strength ciphers. By following the instructions from 1.1 and 2, these ciphers can be eliminated.

[Image: screenshot of the FetchAvailableCiphers output on the SBI JDK]


UID

ibm11120647