IBM Support

Disable RC4 for DataPower WebSphere Java Message Service (JMS)

Flashes (Alerts)


Abstract

With the recent attention to the RC4 “Bar Mitzvah” attack on SSL/TLS, IBM recommends disabling RC4 in DataPower WebSphere Java Message Service (JMS).

Content

Disable RC4 ciphers in the DataPower configuration by following the steps below.

First, quiesce all domains and services to stop traffic to the appliance. The system quiesce and unquiesce commands can be invoked by navigating to Administration --> Main --> System Control.

Next, for the WebSphere Java Message Service (JMS) configuration, navigate to the "Configure WebSphere JMS" page in the DataPower Control Panel. Under the "SSL" tab, navigate to the referenced Crypto Profile and select the SSL option "Disable SSL version 3". Then navigate back to the "SSL" tab of the "Configure WebSphere JMS" page and set the parameter "WebSphere JMS SSL Cipher Specification" to one of the cipher specifications listed below. The selected specification replaces the cipher suite that is assigned as part of the SSL Proxy Profile configuration.

For DataPower versions 6.0.1 and later:

TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

For DataPower versions prior to 6.0.1:

TLS_RSA_WITH_3DES_EDE_CBC_SHA

You should verify that applying this configuration change does not cause any compatibility issues. If you do not disable the RC4 stream cipher, you remain exposed to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.
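One way to confirm the change took effect is to inspect the ClientHello the appliance sends to the JMS server in a packet capture and check that no RC4 suite is offered. The following is an added example, not IBM's code or part of the original flash; it assumes a single unfragmented ClientHello record extracted from a capture, and the function names and sample bytes are constructed for illustration.

```python
import struct

# RC4 suites by IANA code point (common ones; extend for your environment).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
# Cipher specifications listed on this page, by IANA code point.
PAGE_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
}

def offered_suites(record: bytes) -> list:
    """Return cipher-suite code points from one unfragmented ClientHello record."""
    try:
        ctype, _version, rec_len = struct.unpack_from("!BHH", record, 0)
        if ctype != 0x16 or record[5] != 0x01 or len(record) < 5 + rec_len:
            raise ValueError("not a complete TLS ClientHello record")
        pos = 5 + 4 + 2 + 32      # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]    # skip session_id
        (cs_len,) = struct.unpack_from("!H", record, pos)
        pos += 2
        if cs_len % 2 or pos + cs_len > len(record):
            raise ValueError("bad cipher_suites length")
        return [s for (s,) in struct.iter_unpack("!H", record[pos:pos + cs_len])]
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc

def audit(record: bytes) -> dict:
    """Split the offered suites into RC4, page-listed, and everything else."""
    suites = offered_suites(record)
    return {
        "rc4": [RC4_SUITES[s] for s in suites if s in RC4_SUITES],
        "listed": [PAGE_SUITES[s] for s in suites if s in PAGE_SUITES],
        "other": [hex(s) for s in suites if s not in RC4_SUITES and s not in PAGE_SUITES],
    }

# Constructed sample: TLS 1.0 ClientHello offering RC4_128_SHA, 3DES and AES-128.
SAMPLE = bytes.fromhex("1603010031" "0100002d" "0301" + "00" * 32
                       + "00" "0006" "0005000a002f" "0100")

print(audit(SAMPLE))
```

A non-empty `rc4` list means the client side still offers RC4 and the cipher specification setting should be rechecked.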


Document Information

More support for:
IBM DataPower Gateway

Software version:
5.0.0, 6.0.0, 6.0.1, 7.0.0, 7.1

Operating system(s):
Firmware

Document number:
261207

Modified date:
25 September 2022

UID

swg21717540
