IBM Support

WebSphere Application Server 9.0.5.6 and earlier, 8.5.5.19 and earlier not accessible when FIPS is enabled on Java 8.0.6.25

Troubleshooting


Problem

With java 8.0.6.25 and a FIPS enabled WebSphere, the server is not accessible with SSL.
Note: this only applies to WebSphere Application Server 9.0.5.6 and earlier, and 8.5.5.19 and earlier. The issue is resolved in WebSphere Application Server 9.0.5.7 and 8.5.5.20 by APAR PH34651.

Cause

This is a known issue with the 8.0.6.25 JDK. To work around it in WebSphere, disable the RSAPSS and RSASSA-PSS algorithms by adding them to the list of com.ibm.websphere.tls.disabledAlgorithms for the server.

Resolving The Problem

Avoid Trouble: If you have customized the com.ibm.websphere.tls.disabledAlgorithms property so that it is set with a value of "none", then instead of the following steps, the only change needed is to append RSAPSS, RSASSA-PSS to the comma-separated list value of the jdk.tls.disabledAlgorithms property in the JAVA_HOME/jre/lib/security/java.security file.
  1. There's a good chance that the WebSphere Administrative Console will not be accessible due to this issue. To access the Administrative Console, first disable security by following the steps in this document.

    By default, WebSphere Application Server maintains an up-to-date list of algorithms which are disabled due to known vulnerabilities. To determine the current value of this list, check the SystemOut.log from the server right after startup for a message like the following example:

    SSLConfigMana I   CWPKI0051I: The process has the java security property jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL].  The WebSphere Application server is setting the java security property jdk.tls.disabledAlgorithms to [SSLv3, RC4, DH keySize < 768, MD5withRSA].

    Note that the list may be different depending on the WebSphere Application Server fixpack level, the contents of the java.security file, and the value of the com.ibm.websphere.tls.disabledAlgorithms property.
     
  2. Once you have the current value of the list from the CWPKI0051I message, navigate to the Security > Global Security > Custom Properties section of the WebSphere Administrative Console.
     
  3. If there is already a property defined with the name com.ibm.websphere.tls.disabledAlgorithms click on it, and add RSAPSS, RSASSA-PSS to the comma-separated list in the value field.
    -- OR --
    If the property is not defined, then click New... and create a property named com.ibm.websphere.tls.disabledAlgorithms with a value equal to the comma-separated list from the CWPKI0051I message, with RSAPSS, RSASSA-PSS appended to the comma-separated list. For example, using the CWPKI0051I documented in step (1), the new comma-separated list would be SSLv3, RC4, DH keySize < 768, MD5withRSA, RSAPSS, RSASSA-PSS.
     
  4. Click OK, Save the change. Re-enable security from the Security > Global Security panel, then Click OK and Save again. Synchronize any nodes if running in a Network Deployment environment, and then restart the environment for the changes to take effect.

Document Location

Worldwide

[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"ARM Category":[{"code":"a8m50000000Cd8hAAC","label":"Security->SSL->SSL - Cipher"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
01 September 2021

UID

ibm16422887