Customizing java.security for Liberty for z/OS

How To


Summary

It may be necessary to temporarily disable an SSL protocol or cipher used by the Liberty server at the Java level.

For example:
- A workaround is needed to disable a protocol, cipher, or other property in the java.security file when the change cannot be made in server.xml.
- SSL protocols or ciphers cannot be customized in server.xml because it is read only.
- An SSL protocol or cipher needs to be temporarily enabled until the client calling Liberty, or the remote server that Liberty calls, can be corrected.

Steps

The following example shows how to disable the TLSv1.2 protocol.
This example can be extended to enable or disable other SSL protocols and ciphers, and also to adjust key sizes.

1. Locate the JAVA_HOME/lib/security/java.security file, and copy the jdk.tls.disabledAlgorithms line from the JVM's java.security file into a newly created java.security file located in the same directory as your server.xml.
2. Add TLSv1.2 to the jdk.tls.disabledAlgorithms value in the newly created java.security file.
For example, the original string copied from the JAVA_HOME/lib/security/java.security file might look like the following (the trailing backslash continues the value on the next line):
---
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
---

The new java.security file located in the same directory as the server.xml, with the modified string, looks like the following:
---
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, TLSv1.2, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
---
3. In the same directory as your server.xml, create a file called jvm.options that points to the new java.security file using the java.security.properties custom property:
---
-Djava.security.properties=${server.config.dir}/java.security
---

4. Restart the Liberty server to pick up the changes. 
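Steps 1 to 3 above as a POSIX shell script, added here as an example and not part of the IBM document: it extracts the jdk.tls.disabledAlgorithms line (joining backslash continuation lines), inserts the algorithm to disable if it is not already listed, and writes both files. The names java_home, config_dir and the sample JVM tree created by make_sample_java_home are assumptions for a stand-alone run.

```shell
#!/bin/sh
# Added example (not from the IBM page): scripts steps 1-3 above.
# Assumed, hypothetical names: java_home is the JVM root, config_dir holds server.xml.

# Print jdk.tls.disabledAlgorithms as one logical line, joining backslash
# continuation lines the way Java properties parsing does.
disabled_algorithms_line() {
  awk '
    /^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=/ { cont = 1 }
    cont {
      line = $0
      if (buf != "") sub(/^[[:space:]]+/, "", line)   # trim continuation indent
      if (line ~ /\\[[:space:]]*$/) {                  # trailing backslash continues
        sub(/\\[[:space:]]*$/, "", line); buf = buf line
      } else {
        print buf line; exit
      }
    }' "$1"
}

# Insert an algorithm right after "=" unless it is already listed
# (position within the list does not matter to the JVM).
add_disabled_algorithm() {
  line=$1; alg=$2
  case ",$(printf '%s' "$line" | sed 's/=/,/; s/ //g')," in
    *",$alg,"*) printf '%s\n' "$line" ;;
    *) printf '%s\n' "$line" | sed "s/=[[:space:]]*/=$alg, /" ;;
  esac
}

# Write config_dir/java.security and config_dir/jvm.options (steps 1-3).
customize_java_security() {
  java_home=$1; config_dir=$2; alg=$3
  src="$java_home/lib/security/java.security"
  orig=$(disabled_algorithms_line "$src")
  [ -n "$orig" ] || { echo "jdk.tls.disabledAlgorithms not found in $src" >&2; return 1; }
  add_disabled_algorithm "$orig" "$alg" > "$config_dir/java.security"
  # Single "=": the new file is appended to the JVM's java.security;
  # "==" would replace every JVM default instead.
  printf '%s\n' '-Djava.security.properties=${server.config.dir}/java.security' \
    > "$config_dir/jvm.options"
}

# Constructed sample JVM tree for a stand-alone run (not a real JAVA_HOME).
make_sample_java_home() {
  mkdir -p "$1/lib/security"
  printf '%s\n' 'jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \' \
    '    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC' > "$1/lib/security/java.security"
}
```

Run it against a real JVM as `customize_java_security "$JAVA_HOME" /path/to/server TLSv1.2`, then restart the server as in step 4.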
Although it is possible to edit the JAVA_HOME/lib/security/java.security file directly, the JVM is usually installed in a read-only file system, and the file is overwritten when new Java maintenance is installed. By using the custom property java.security.properties, the server appends its changes to the java.security file shipped with the JVM, and the changes survive when Java maintenance is applied.

Note that the single "=" sign after java.security.properties indicates that the settings in this file are appended to the JVM's java.security file, so a property set in the newly created java.security takes precedence over the same property in the JAVA_HOME/lib/security/java.security file.

Avoid using a double "==" sign after java.security.properties, as this overrides all settings in the JAVA_HOME/lib/security/java.security file with the newly created java.security file.

Repeat this process whenever new Java maintenance is applied so that the latest updates to the JAVA_HOME/lib/security/java.security file are copied into the new java.security file.

This ensures that any algorithms newly disabled by Java maintenance are also included in the customized java.security file.


Document Information

Modified date:
17 November 2023

UID

ibm16462659