Default Routing Assertion Cipher Suite: after upgrade, only a few cipher suites are enabled

Article ID: 376275


Products

CA API Gateway

Issue/Introduction

After upgrading to V11.1.1.xxxxx from 11.0, some backends are failing because the cipher suites they need are no longer enabled.

In Version 11.0.0 all cipher suites were enabled on the routing assertion. On V11.1.1 only a few are enabled.

This causes "handshake failures" with some backends that use deprecated cipher suites.

How can we enable all ciphers in the list by default again?

Cause

The deprecated ciphers are disabled by default by design. See the following section in the release notes.

Deprecated Cipher Suites
As a result of the Java 17 update, several weak cipher suites have been deprecated. The following cipher suites will no longer be enabled by default in the Gateway's list.

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/11-1/release-notes.html

 

Resolution

At the moment there is no option to set a custom default enabled cipher list for the routing assertion. Every routing assertion that needs to use deprecated ciphers must be updated to use a custom cipher list.

We will add a feature to the next gateway release to allow a custom default cipher list so all routing assertions can be set to use the custom default list in one place.

If there is an urgent need for this feature, please raise a support case to discuss possible solutions for Gateway 11.1.0.