IBM WebSphere 8.5 console does not show TLS-related cipher suites after switching the protocol
Great question—let’s break down what’s happening here and how to resolve it:
First, a quick clarification: In WebSphere 8.5, many cipher suites that support TLS protocols still use the SSL_ prefix (like SSL_RSA_AES_256_CBC_SHA). This doesn’t mean they only work with old SSL protocols—most of these are fully compatible with TLS 1.0, 1.1, and 1.2. But if you specifically want to see TLS_ prefixed suites, here’s what you need to do:
1. Verify Your IBM JDK Version
WebSphere 8.5 relies on IBM’s JDK, and older versions may not include TLS_ prefixed cipher suites. To check:
- Navigate to System administration > Node agents > [Your Node] > Java and Process Management > Process definition > Java Virtual Machine
- Confirm you’re running IBM SDK 7.0 SR5+ or 8.0 (these versions add support for TLS 1.2 and include TLS_ prefixed suites). If you’re on an older SDK, you’ll need to upgrade it first.
2. Reset and Refresh Cipher Suites
Sometimes the cipher suite list doesn’t refresh properly after changing the protocol. Try this:
- Go back to SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings
- Ensure the protocol is set to TLS (note: some WebSphere versions offer granular options like TLSv1.2—choose the one that matches your security requirements)
- Click Reset ciphers to clear the current selected list
- Re-select your desired TLS protocol, then click Update selected ciphers again. This forces the console to reload the full list of cipher suites compatible with the selected protocol.
3. Create a Custom Cipher Suite Group
If the default suite group doesn’t include TLS_ prefixed options, create a custom one:
- Go to SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Cipher suite groups
- Click New, enter a name like TLS_Only_Cipher_Suites, then click Next
- In the "Available ciphers" pane, look for suites starting with TLS_ (they should appear if your JDK is up-to-date)
- Add the desired TLS_ suites to the "Selected ciphers" list, then save the group
- Return to the QoP settings for NodeDefaultSSLSettings, select your new custom suite group, and click Update selected ciphers
4. Synchronize Nodes and Restart Servers
After making these changes:
- Click Save at the top of the console to persist your configuration
- Navigate to System administration > Nodes > [Your Node] and click Full Resynchronize to push changes to the node agent
- Restart your application server and node agent to ensure all settings take effect
Final Note
Remember: Even if you only see SSL_ prefixed suites, they will still work with TLS protocols as long as you’ve set the QoP protocol to TLS. The prefix is just a naming convention from older SSL standards—most of these suites are fully TLS-compatible. Only use TLS_ prefixed suites if you have a specific requirement to do so.
The question comes from Stack Exchange; question author: Stranger
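An added example for step 1 (not part of the original answer and not IBM tooling): a small Java program that, when run with the same JDK the WebSphere node uses, reports the runtime version, whether the requested protocol is available at all, and which supported cipher suite names carry the SSL_ or the TLS_ prefix. The class name ListSuites and the default protocol argument TLSv1.2 are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example; ListSuites is a hypothetical class name.
// Compile and run with the JDK used by the WebSphere node:
//   javac ListSuites.java && java ListSuites TLSv1.2
public class ListSuites {
    public static void main(String[] args) throws Exception {
        String protocol = args.length > 0 ? args[0] : "TLSv1.2"; // assumed default
        System.out.println("java.vendor          = " + System.getProperty("java.vendor"));
        System.out.println("java.runtime.version = " + System.getProperty("java.runtime.version"));

        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance(protocol);
        } catch (NoSuchAlgorithmException e) {
            // The JSSE provider shipped with this JDK does not know the protocol.
            System.out.println(protocol + " is not available in this JDK: " + e.getMessage());
            return;
        }
        ctx.init(null, null, null); // default key and trust managers suffice for listing
        SSLEngine engine = ctx.createSSLEngine();
        System.out.println("Supported protocols: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("Enabled protocols:   " + Arrays.toString(engine.getEnabledProtocols()));

        // Group the suite names by prefix so both naming styles are visible side by side.
        List<String> sslPrefixed = new ArrayList<String>();
        List<String> tlsPrefixed = new ArrayList<String>();
        List<String> other = new ArrayList<String>();
        for (String suite : engine.getSupportedCipherSuites()) {
            if (suite.startsWith("SSL_")) sslPrefixed.add(suite);
            else if (suite.startsWith("TLS_")) tlsPrefixed.add(suite);
            else other.add(suite);
        }
        print("SSL_ prefixed", sslPrefixed);
        print("TLS_ prefixed", tlsPrefixed);
        print("Other names", other);
    }

    private static void print(String label, List<String> suites) {
        System.out.println(label + " (" + suites.size() + "):");
        for (String s : suites) System.out.println("  " + s);
    }
}
```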




