How to Restrict Key Sizes Larger than 128 Bits on WebLogic Server

To prevent key sizes larger than 128 bits from being used, enable in the configuration only those cipher suites that use a 128-bit key.

Sample config:

<ssl>
  <enabled>true</enabled>
  <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
  <hostname-verification-ignored>true</hostname-verification-ignored>
  <listen-port>7002</listen-port>
  <server-private-key-alias>xxxxxxx</server-private-key-alias>
  <server-private-key-pass-phrase-encrypted>xxxxxx</server-private-key-pass-phrase-encrypted>
</ssl>

The cipher suites supported by WebLogic Server are:

Cipher Suite                           Symmetric Key Strength (bits)
TLS_RSA_WITH_RC4_128_SHA               128
TLS_RSA_WITH_RC4_128_MD5               128
TLS_RSA_WITH_DES_CBC_SHA               56
TLS_RSA_EXPORT_WITH_RC4_40_MD5         40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA      40
TLS_RSA_WITH_3DES_EDE_CBC_SHA          112
TLS_RSA_WITH_NULL_SHA                  0
TLS_RSA_WITH_NULL_MD5                  0
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA    56
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA     56
TLS_RSA_WITH_AES_128_CBC_SHA           128
TLS_RSA_WITH_AES_256_CBC_SHA           256
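
To check an existing configuration against the table, the following added example (not code from the original post or from Oracle) parses the <ssl> block and reports every configured cipher suite whose symmetric key strength is not 128 bits. The names audit_ssl, local, KEY_BITS and SAMPLE, and the sample XML itself, are constructed for illustration; the key strengths are copied from the table.

```python
import xml.etree.ElementTree as ET

# Symmetric key strength in bits, copied from the table on this page.
KEY_BITS = {
    "TLS_RSA_WITH_RC4_128_SHA": 128, "TLS_RSA_WITH_RC4_128_MD5": 128,
    "TLS_RSA_WITH_DES_CBC_SHA": 56, "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA": 40, "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 112,
    "TLS_RSA_WITH_NULL_SHA": 0, "TLS_RSA_WITH_NULL_MD5": 0,
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA": 56, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA": 56,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 128, "TLS_RSA_WITH_AES_256_CBC_SHA": 256,
}

# Constructed sample input (not a real server's configuration).
SAMPLE = """<server>
  <ssl>
    <enabled>true</enabled>
    <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
    <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
    <ciphersuite>TLS_RSA_WITH_DES_CBC_SHA</ciphersuite>
  </ssl>
</server>"""

def local(tag):
    """Drop an XML namespace prefix: '{uri}ssl' -> 'ssl'."""
    return tag.rsplit("}", 1)[-1]

def audit_ssl(xml_text, wanted_bits=128):
    """Return (suite, reason) pairs for entries that break the 128-bit-only rule."""
    findings = []
    for ssl in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "ssl"):
        suites = [(c.text or "").strip() for c in ssl if local(c.tag) == "ciphersuite"]
        if not suites:
            # Nothing is listed, so this block does not restrict the key size.
            findings.append(("<none>", "no ciphersuite entries"))
        for name in suites:
            bits = KEY_BITS.get(name)
            if bits is None:
                findings.append((name, "not in table"))
            elif bits != wanted_bits:
                findings.append((name, f"{bits}-bit key"))
    return findings

if __name__ == "__main__":
    for name, why in audit_ssl(SAMPLE):
        print(f"{name}: {why}")
```

An empty result means every listed suite uses a 128-bit key, as the sample config on this page does.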

In the past I have seen that AES_256 does not work until we download the unlimited jurisdiction jars from SUN.

Download JCE_policy_1.5_0.zip.
Place it in /JRE/lib/security/.
Also replace local_policy.jar and US_export_policy.jar.

This gets rid of "Cipher Suite not initialized" errors.

Reference:

1) http://download.oracle.com/docs/cd/E11035_01/wls100/secintro/concepts.html#wp1123076
