Configuring cipher suites

Administrators can restrict the set of cipher suites that IBM® Security Identity Manager accepts for secure connections.

About this task

A cipher suite is a combination of algorithms that can be used for authentication, data encryption, key exchange, and message authentication for a secure network connection.

You must only perform configuration tasks on a primary node.

The cipher suite SSL_RSA_WITH_AES_128_CBC_SHA is mandatory: it is enabled by default, cannot be disabled, and is used for internal communication between WebSphere Application Server components.

The ciphers are listed in order of their strength.

The following cipher suites for IBM Security Identity Manager are allowed:

Table 1. Cipher suites

Protocol version           Cipher suites
-------------------------  -------------------------------------
TLS/TLSv1/TLSv1.1/TLSv1.2  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
                           SSL_RSA_WITH_AES_256_CBC_SHA
                           SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLSv1.2 only               SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                           SSL_RSA_WITH_AES_256_GCM_SHA384
                           SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                           SSL_RSA_WITH_AES_128_GCM_SHA256

Procedure

  1. From the top-level menu of the Appliance Dashboard, click Configure > Manage Server Settings > Cipher Suites Configuration.
  2. Click Reconfigure.
    Button: Reconfigure
    Options:
      Cipher            List of ciphers.
      Protocol Version  Specifies the protocol versions for which each cipher suite is available.
      Remarks           Status of each cipher: enabled or disabled.

    By default, all the ciphers are enabled.

    You can enable or disable multiple ciphers by selecting or clearing their check boxes.

  3. Select the cipher suites that you want to enable or disable.
    Note: You cannot disable all the ciphers.
  4. Click Save Configuration to complete this task.

What to do next

Restart the IBM Security Identity Manager Server.

For a clustered environment, synchronize a member node with the primary node. See Synchronizing a member node with a primary node.
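As an added example (not IBM's code) of planning the selection in step 3 and checking the result after the restart: `plan` applies the two rules on this page (at least one cipher must stay enabled, and the GCM suites serve TLSv1.2 only, so clearing the three CBC suites leaves only TLSv1.2 clients able to connect), and `probe` offers a server one suite at a time and reports whether the handshake completes. The OpenSSL names are the standard equivalents of the JSSE names in Table 1, and the host name and port in the usage block are placeholders.

```python
import socket
import ssl

ALL_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2")
TLS12_ONLY = ("TLSv1.2",)

# JSSE name from Table 1 -> (protocol versions, equivalent OpenSSL name),
# kept in the page's order of strength. The mandatory internal suite
# SSL_RSA_WITH_AES_128_CBC_SHA is not selectable and is left out.
SUITES = {
    "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA":    (ALL_VERSIONS, "ECDHE-RSA-AES256-SHA"),
    "SSL_RSA_WITH_AES_256_CBC_SHA":          (ALL_VERSIONS, "AES256-SHA"),
    "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA":    (ALL_VERSIONS, "ECDHE-RSA-AES128-SHA"),
    "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384": (TLS12_ONLY, "ECDHE-RSA-AES256-GCM-SHA384"),
    "SSL_RSA_WITH_AES_256_GCM_SHA384":       (TLS12_ONLY, "AES256-GCM-SHA384"),
    "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256": (TLS12_ONLY, "ECDHE-RSA-AES128-GCM-SHA256"),
    "SSL_RSA_WITH_AES_128_GCM_SHA256":       (TLS12_ONLY, "AES128-GCM-SHA256"),
}

def plan(disable):
    """Suites left enabled, and protocol versions that still have a suite, after clearing `disable`."""
    unknown = set(disable) - set(SUITES)
    if unknown:
        raise ValueError(f"not in Table 1: {sorted(unknown)}")
    enabled = [s for s in SUITES if s not in disable]
    if not enabled:
        raise ValueError("you cannot disable all the ciphers")
    versions = sorted({v for s in enabled for v in SUITES[s][0]})
    return enabled, versions

def probe(host, port, suite, timeout=5.0):
    """True if the server completes a TLS 1.2 handshake when the client offers only `suite`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # this checks negotiation, not certificate trust
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    openssl_name = SUITES[suite][1]
    try:
        ctx.set_ciphers(openssl_name)   # raises if the local OpenSSL build lacks the suite
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == openssl_name
    except (ssl.SSLError, OSError):
        return False

if __name__ == "__main__":
    # Clearing the three CBC suites leaves a server that only TLSv1.2 clients can reach.
    print(plan({s for s, (v, _) in SUITES.items() if v == ALL_VERSIONS}))
    for suite in SUITES:  # host and port are placeholders
        print("accepted" if probe("isim.example.com", 9443, suite) else "rejected", suite)
```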