Question & Answer
Question
How to customize the specific ciphers for the TFIM SSL/TLS connections?
Cause
Some federation configurations involve partner integration, which requires specific cipher and protocol settings on TFIM for secure communication.
Answer
You can follow the steps below as a reference and verify whether they fix the issue.
(1) Verify the WebSphere Application Server (WAS) version and the bundled Java version in the WAS directory.
(2) Make sure that you have applied the necessary fix packs for WAS and Java to support the specific protocol and ciphers. Follow the WAS and Java fix pack README guides for more details.
(3) Verify the Quality of protection (QoP) settings for the SSL configuration
Log on to the WAS administration console.
Click Security > SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations > {Inbound | Outbound} > ssl_configuration. Under Related items, click SSL configurations, then click {SSL_configuration_name}. Under Additional Properties, click Quality of protection (QoP) settings.
Update the Protocol as per the requirement.
(4) Configure specific cipher settings
In the Administration Console select Servers
Expand Server Type and select WebSphere application servers
Click on the name of your server
Expand Java and Process Management and select Process Definition.
Under the Additional Properties section, click Java Virtual Machine.
Scroll down and locate the textbox for Generic JVM arguments.
The following is an example:
-Dhttps.cipherSuites=SSL_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA
Click Apply and save the changes.
Restart the WAS service.
Another way to configure specific ciphers is as follows:
Under the Additional Properties section, click Java Virtual Machine.
Click Custom properties.
Click New.
Name: https.cipherSuites
Value: SSL_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA
Click Apply and save the changes.
Restart the WAS service.
Refer to the "Related Information" section, which provides product documentation on the protocols and ciphers supported by WAS and Java.
(5) Verify that the TFIM application now uses the configured protocol and ciphers for secure communication.
**Note: Take the necessary backups of the WAS security and TFIM configuration before making the above changes, and attempt this configuration first in a test environment to make sure these changes do not affect other functionality of WAS and TFIM.
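As a pre-check for steps (4) and (5), the following added example (not part of the IBM technote or any product code) parses a Generic JVM arguments string, compares the https.cipherSuites list with a partner's required list, and notes suites that lack forward secrecy or use CBC or weak algorithms. The function names and the partner list are hypothetical, and treating the SSL_ and TLS_ prefixes as naming the same suite is an assumption of this example.

```python
import shlex

PROP = "-Dhttps.cipherSuites="
WEAK = ("_NULL_", "_EXPORT", "_RC4_", "_DES_", "_3DES_", "_anon_")

def parse_cipher_suites(jvm_args):
    """Suites from the first -Dhttps.cipherSuites token in the JVM arguments."""
    for token in shlex.split(jvm_args):
        if token.startswith(PROP):
            return [s.strip() for s in token[len(PROP):].split(",") if s.strip()]
    return []

def canonical(suite):
    # Assumption of this example: SSL_ and TLS_ prefixes name the same suite.
    return "TLS_" + suite[4:] if suite.startswith("SSL_") else suite

def findings(suite):
    """Notes a reviewer would raise for one suite name."""
    name, notes = canonical(suite), []
    if "_WITH_" in name:  # TLS 1.3 suite names carry no key-exchange part
        key_exchange = name[len("TLS_"):].split("_WITH_")[0]
        if not key_exchange.startswith(("DHE_", "ECDHE_")):
            notes.append("no forward secrecy")
    if "_CBC_" in name:
        notes.append("CBC mode")
    if any(m in name for m in WEAK) or name.endswith("_MD5"):
        notes.append("weak algorithm")
    return notes

def review(jvm_args, partner_suites):
    """Compare the configured suites with the partner's required list."""
    configured = parse_cipher_suites(jvm_args)
    ours = {canonical(s) for s in configured}
    theirs = [canonical(s) for s in partner_suites]
    return {
        "configured": configured,
        "shared": [s for s in theirs if s in ours],
        "partner_only": [s for s in theirs if s not in ours],
        "notes": {s: findings(s) for s in configured},
    }

# Constructed sample: the page's cipher value plus a made-up heap flag and partner list.
SAMPLE_ARGS = ("-Xms512m -Dhttps.cipherSuites="
               "SSL_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA")
SAMPLE_PARTNER = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for key, value in review(SAMPLE_ARGS, SAMPLE_PARTNER).items():
        print(key, value)
```

An empty "shared" list means the handshake with that partner cannot succeed with the configured value, so it is worth checking before restarting the WAS service.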
Related Information
Document Information
Modified date:
16 June 2018
UID
swg22006086