Disabling vulnerable cipher suites for security

A cipher suite is a set of algorithms that help secure a network connection. There are various cipher suites and you use the one that best suits your business needs and cluster environment. However, if a certain cipher suite has been identified as having potential security weaknesses, you can disable the vulnerable cipher suite and use safer ones.

About this task

For example, IBM® Spectrum Conductor installs with IBM JRE, which contains a known Logjam security attack (identified as the CVE-2015-4000 vulnerability), that exposes a potential weakness with DHE cipher suites. In this case, disable DHE cipher suites and use ECDHE suites instead, as ECDHE cipher suites are not affected by the Logjam vulnerability.

For more details about IBM JRE addressing CVE-2015-4000, see https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/disable_dh768.html

Use the following guidelines to disable cipher suites from use with IBM Spectrum Conductor.

Procedure

  1. Edit the $EGO_TOP/jre/JRE_version/linux-x86_64/lib/security/java.security to the jdk.tls.disabledAlgorithms parameter to disable the vulnerable cipher suites.
    For example, in the Logjam security vulnerability case, to disable DHE cipher suites, specify:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
        EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DHE
    Some cipher suite names begin with TLS when defined by Oracle but SSL in the IBM SDK. This difference is due to some cipher names being defined before the finalization of the first TLS specification (see https://www.ibm.com/docs/en/sdk-java-technology/8?topic=suites-cipher for details). Therefore, to disable cipher suites that begin with TLS, change the TLS string to SSL when specifying those cipher suites in the jdk.tls.disabledAlgorithms parameter. For example, to disable TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, and TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suites, specify:
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
            EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC, \
            SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, \
            SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384
  2. Save the changes to the $EGO_TOP/jre/JRE_version/linux-x86_64/lib/security/java.security file.
  3. Restart your instance group services for the changes to take effect.