Disabling weak ciphers
SSL uses ciphers for encryption, and some supported ciphers are weaker than others. To keep weak ciphers from being used, you can disable them in the security.properties file. By default, the SEC_FILE parameter in the model9-stdenv.sh file points to this file.
Performance considerations for non‑hardware‑accelerated cipher suites
If you are using a custom security.properties file instead of the default one, the cipher configuration that you have defined in your file might affect performance. BMC AMI Cloud disables several weak or deprecated cipher families by default.
If your custom file removes AES‑based cipher suites or enables the non‑hardware‑accelerated cipher suites ChaCha20 and ChaCha20‑Poly1305, TLS handshakes and data transfer operations might experience a considerable increase in CPU usage.
To maintain performance, make sure that your configuration doesn't disable AES‑based cipher suites and that you have added ChaCha20 and ChaCha20‑Poly1305 to the disabled list.
To disable a cipher
To disable ciphers other than those provided in security.properties, follow these steps:
- Copy the security.properties file into your own custom security file under the CONF directory.
- Modify your security file. The security.properties file specifies the value of the Java jdk.tls.disabledAlgorithms security property. For more information about the syntax of this property, see the installationDirectory/conf/security/java.security file.
- Specify the new file in the SEC_FILE parameter in model9-stdenv.sh.
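Before pointing SEC_FILE at a custom file, you can check it against the performance guidance above. The following script is an added example, not part of the product: it parses jdk.tls.disabledAlgorithms (including backslash-continued lines) and reports AES entries that were disabled and ChaCha20 names that are missing from the list. The sample file content and the function names are constructed for illustration.

```python
import re

REQUIRED_DISABLED = ("ChaCha20", "ChaCha20-Poly1305")  # names as written on this page

# Constructed sample of a custom security file; the entries are illustrative
# and are not the product's shipped defaults.
SAMPLE = r"""
# custom security file (constructed for this example)
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \
    3DES_EDE_CBC, anon, NULL, DH keySize < 2048, \
    AES_256_CBC, ChaCha20
"""

def read_property(text, key):
    """Return the value of `key` from Java .properties text, or None.

    Joins backslash-continued lines; a later definition overrides an earlier one.
    """
    value, lines = None, iter(text.splitlines())
    for raw in lines:
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        while line.endswith("\\"):  # continuation: drop the backslash, append next line
            line = line[:-1] + next(lines, "").lstrip()
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == key:
            value = m.group(2).strip()
    return value

def audit(text):
    """Check a security file against the performance guidance on this page."""
    value = read_property(text, "jdk.tls.disabledAlgorithms") or ""
    # Each entry is "<algorithm> [constraint]", e.g. "DH keySize < 2048".
    names = [e.split()[0] for e in value.split(",") if e.strip()]
    lowered = {n.lower() for n in names}
    return {
        "missing_chacha": [r for r in REQUIRED_DISABLED if r.lower() not in lowered],
        "aes_disabled": [n for n in names if "AES" in n.upper()],
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```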