Our implementation of TLS will soon change

2021-04-08

Due to necessary maintenance of our services, a detail in how the BankID service implements TLS will soon change. The change in our service's TLS implementation is that the list of allowed client certificate types in our CertificateRequest-message is ordered differently. The change was implemented in the test environment on March 16 and will be implemented in the production environment on April 16 at the earliest. Previous testing has specifically revealed that clients running on WebSphere Application Server may need a configuration change to retain ability to connect to our service. Please refer to the information below. WebSphere Application Server has a feature to only regard the first allowed certificate type in the list and integrators may need to configure WebSphere to consider all the allowed certificate types, in order to retain ability to connect after we have updated our service. The parameter useAllSSLClientAuthKeytypes that needs to be correctly configured in Websphere to avoid the problem is documented by IBM here: [https://www.ibm.com/support/­knowledgecenter/­SSEQTP_8.5.5/­com.ibm.websphere.base.doc/­ae/­usec_seccustomprop.html­#useAllSSLClientAuthKeytypes](https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/usec_seccustomprop.html#useAllSSLClientAuthKeytypes). The issue needs to be solved on the client system that uses the BankID service, by configuring the Websphere server correctly. We therefore ask you to verify that you have the correct configuration if you are running Websphere, to avoid the problem.