Algorithm Configuration

The following start options are used to configure the security algorithms:

Transition Algorithms (1. June 2017)

  • Signature:
    • Hashfunction:SHA256 / SHA512
    • Signature procedure: sha256RSA / sha512RSA
  • Encryption
    • Content-Encryption: AES-128 CBC or AES-192 CBC
  • Key-Encryption: RSAES-PKCS1-v1_5

Use these JAVA_OPTS:

  • -Dsigning_algorithm=SHA256WITHRSA or SHA512WITHRSA
  • -Dcontent_encryption_algorithm=AES128_CBC or AES192_CBC
  • -Dkey_encryption_algorithm=rsaEncryption

New Algorithms (1. Jan 2018)

  • Signature:
    • Hashfunction (Hash algorithm): SHA-256 or SHA-512
    • Signature procedure (Signature algorithm): RSASSA-PSS
  • Encryption:
    • Key encryption: RSAES-OAEP (with hash function SHA-256)
    • Content encryption: AES-128 CBC oder AES-192 CBC

Use these JAVA_OPTS:

  • -Dcontent_encryption_algorithm (Default: AES128_CBC)
  • -Dkey_encryption_algorithm (Default: id_RSAES_OAEP)
  • -Dsigning_algorithm (Default: SHA256withRSAandMGF1)

Specific Algorithms for specific Recipients

You can configure different algorithms for different recipients. Recipients are distinguished by their certificate-alias (usually ILN/Mail).

Instead of defining a single algorithm, use the following syntax:


In this example for recipients alias1/alias2 the algorithm Algo1 is used. For recipient with alias2 the algorithm Algo2 is used. For all other recipients Algo3 is used.


The property value (right side of equal sign) is a list of algorithm-alias assignments, separated by ;.

An assignment is a pair of algorithm and aliases, divided by :. The aliases are optional. An algorithm without aliases is used as fallback value. If no fallback is specified, the default values are used as fallback.

The aliases are a list of at least one alias, separated by ,. The list can be enclosed by [ ].

This syntax works for content_encryption_algorithm, key_encryption_algorithm, signing_algorithm.

Don’t be confused when configuring the signing algorithm: You configure the algorithm to be be used for signing of outbound messages, thus the signature by your system/sender. However the configuration is based on the partner/recipient.

View Me   Edit Me