Configuring TLS protocols and cipher suites
You can configure the Operational Decision Manager applications to comply with the Suite B security standard.
The US National Security Agency (NSA) promulgated a cryptographic interoperability
standard called Suite B. To comply with Suite B, you must consider the following requirements when
you configure the Operational Decision Manager applications:
- Only TLS 1.3 must be used for the TLS protocol.
- AES Galois Counter Mode (GCM) cipher suites must be used before any cipher block chaining (CBC) cipher suite is used.
- The Elliptic-curve Diffie–Hellman ephemeral (ECDHE) key must be used rather than the
Diffie–Hellman (DH) key exchange method.
ECDHE must be used so that the downgraded export ciphers with the DH key exchange can be avoided.
Remember: TLS 1.3 can be required for some other business applications.
For more information about Suite B, see Suite B Profile for Transport Layer Security (TLS).
For more information about how to configure the Liberty profile, see Configuring the WebSphere® Application Server Liberty profile to use the Suite B security standard in the WebSphere Liberty product documentation.
You can remediate the following well-known attacks by applying the configurations for TSL 1.2 and
cipher suites that are described earlier:
- Lucky Thirteen attack: For more information, see CVE-2013-0169 Detail at National Vulnerability Database (NVD).
- Logjam attack: For more information, see CVE-2015-4000 Detail at NVD.