IBM Support

WebSphere Application Server and earlier, and earlier not accessible when FIPS is enabled on Java



With Java and a FIPS-enabled WebSphere, the server is not accessible over SSL.
Note: This only applies to WebSphere Application Server and earlier, and and earlier. The issue is resolved in WebSphere Application Server and by APAR PH34651.


This is a known issue with the JDK. To work around it in WebSphere, disable the RSAPSS and RSASSA-PSS algorithms by adding them to the list of for the server.

Resolving The Problem

Avoid Trouble: If you have customized the property so that it is set with a value of "none", then instead of the following steps, the only change needed is to append RSAPSS, RSASSA-PSS to the comma-separated list value of the jdk.tls.disabledAlgorithms property in the JAVA_HOME/jre/lib/security/ file.
  1. There's a good chance that the WebSphere Administrative Console will not be accessible due to this issue. To access the Administrative Console, first disable security by following the steps in this document.

    By default, WebSphere Application Server maintains an up-to-date list of algorithms which are disabled due to known vulnerabilities. To determine the current value of this list, check the SystemOut.log from the server right after startup for a message like the following example:

    SSLConfigMana I   CWPKI0051I: The process has the java security property jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL].  The WebSphere Application server is setting the java security property jdk.tls.disabledAlgorithms to [SSLv3, RC4, DH keySize < 768, MD5withRSA].

    Note that the list may be different depending on the WebSphere Application Server fixpack level, the contents of the file, and the value of the property.
  2. Once you have the current value of the list from the CWPKI0051I message, navigate to the Security > Global Security > Custom Properties section of the WebSphere Administrative Console.
  3. If there is already a property defined with the name, click on it and add RSAPSS, RSASSA-PSS to the comma-separated list in the value field.
    -- OR --
    If the property is not defined, then click New... and create a property named with a value equal to the comma-separated list from the CWPKI0051I message, with RSAPSS, RSASSA-PSS appended to the comma-separated list. For example, using the CWPKI0051I message documented in step 1, the new comma-separated list would be SSLv3, RC4, DH keySize < 768, MD5withRSA, RSAPSS, RSASSA-PSS.
  4. Click OK and save the change. Re-enable security from the Security > Global Security panel, then click OK and save again. Synchronize any nodes if running in a Network Deployment environment, and then restart the environment for the changes to take effect.
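As an added example (not part of the IBM document), the following Python script builds the custom property value described in steps 1 to 3: it reads the effective list from the CWPKI0051I message in a constructed SystemOut.log excerpt and appends RSAPSS and RSASSA-PSS, skipping either entry if it is already present so the script can be re-run safely.

```python
import re

# Constructed SystemOut.log excerpt (not a real capture). The CWPKI0051I line
# mirrors the example in the document; the timestamp prefix is made up.
SAMPLE_SYSTEMOUT = """\
[9/1/21 10:00:00:000 EDT] 00000001 SSLConfigMana I   CWPKI0051I: The process has the java security property jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL].  The WebSphere Application server is setting the java security property jdk.tls.disabledAlgorithms to [SSLv3, RC4, DH keySize < 768, MD5withRSA].
[9/1/21 10:00:01:000 EDT] 00000001 WsServerImpl  A   WSVR0001I: Server server1 open for e-business
"""

# The two algorithms the workaround disables.
WORKAROUND_ALGS = ("RSAPSS", "RSASSA-PSS")

# Captures the second bracketed list: the value WebSphere actually applies,
# as opposed to the value the JDK started with.
_EFFECTIVE_RE = re.compile(
    r"CWPKI0051I:.*?is setting the java security property "
    r"jdk\.tls\.disabledAlgorithms to \[([^\]]*)\]"
)


def effective_disabled_algorithms(log_text):
    """Return the list WebSphere sets in the CWPKI0051I message, or None if absent."""
    match = _EFFECTIVE_RE.search(log_text)
    if match is None:
        return None
    return [item.strip() for item in match.group(1).split(",") if item.strip()]


def with_workaround(algorithms):
    """Append RSAPSS and RSASSA-PSS, leaving entries already present alone."""
    result = list(algorithms)
    for alg in WORKAROUND_ALGS:
        if alg not in result:
            result.append(alg)
    return result


def new_property_value(log_text):
    """Comma-separated value to enter in the Administrative Console custom property."""
    current = effective_disabled_algorithms(log_text)
    if current is None:
        raise ValueError("CWPKI0051I message not found; check SystemOut.log right after startup")
    return ", ".join(with_workaround(current))


if __name__ == "__main__":
    print(new_property_value(SAMPLE_SYSTEMOUT))
```

Run it against the real SystemOut.log to get the value for step 3; if the message is missing, the server has not yet logged its startup SSL configuration.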


Document Information

Modified date:
01 September 2021