Changing the Cipher Suites

When you activate the SSL or the TLS protocol for a node, cipher suites are used to encrypt transmitted data. The same cipher suite must be defined at both ends of the transmission. Connect:Direct® Secure Plus searches the enabled cipher suite list and locates the first cipher suite that is common for communications at both the PNODE and the SNODE. It then uses this cipher suite to encrypt data. You defined cipher suites when you configured the local node record.

Note: If System SSL is in FIPS mode, only certain ciphers are valid. See the IBM® Connect:Direct for z/OS® Release Notes for a list of valid FIPS-mode ciphers.

To change the cipher suites enabled for a node and the priorities assigned to them:

  1. From the Secure+ Admin Tool Main Screen, type U next to the node to update.
  2. On the Create/Update Panel, select the Cipher Suites field and press Enter to display the Update Cipher Suites panel.
      Option --->
    
           Cipher Filtering:Protocol         Cipher Sorting:Strongest
    
           Update the order field below to enable and order Cipher Suites
    
       O   All Available Cipher Suites          Enabled Cipher Suites
      ==   ==================================== ====================================
                                                                         More:     +
      1   TLS_AES_256_GCM_SHA384                TLS_AES_256_GCM_SHA384
      2   TLS_AES_128_GCM_SHA256                TLS_AES_128_GCM_SHA256
      3   TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384  TLS_ECDHE_ECDSA_W_AES_256_GCM_SHA384
      4   TLS_ECDHE_ECDSA_W_AES_256_CBC_SHA384  TLS_ECDHE_ECDSA_W_AES_256_CBC_SHA384
      5   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
      6   TLS_ECDHE_ECDSA_W_AES_128_CBC_SHA256  TLS_ECDHE_ECDSA_W_AES_128_CBC_SHA256
      7   TLS_ECDHE_ECDSA_W_AES_128_GCM_SHA256  TLS_ECDHE_ECDSA_W_AES_128_GCM_SHA256
      8   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
      9   TLS_ECDHE_ECDSA_WITH_RC4_128_SHA      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
      10  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SH

    The list on the left side contains all available cipher suites. The active cipher suites are listed on the right side of the screen and are assigned a numerical order in the O column on the left side of the screen.

  3. Take one or more of the following actions as needed:
    • Type 1 by the cipher suite you want to enable and give the highest priority. Type 2 by the cipher suite you want to enable and place second in priority. Continue typing numbers next to the cipher suites you want to enable (a maximum of 10), in order of priority. The cipher suites you enable appear in priority order in the Enabled Cipher Suites list.
    • To deactivate a cipher suite, clear the number in the Order field and press Enter.
    • To change the order of a cipher suite, type new numbers in the Order fields of the cipher suites to reorder and press Enter.
  4. Press PF3 to save the new enabled cipher-suite list and return to the Secure+ Create/Update Panel.
  5. Save the parameter file using the procedure described in Saving Changes to Node Records Using the Save Active Option.
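The following Python model, added here as an illustration and not part of IBM's Connect:Direct code, shows the two behaviours the text describes: how the Order field values typed in step 3 become an ordered enabled list (blank means disabled, at most 10 entries), and how a session picks the first suite in the PNODE's priority order that the SNODE has also enabled. The suite lists and order values are constructed for the example, and the legacy-suite check is a reviewer's heuristic rather than anything the panel itself does.

```python
# Added example (not IBM code): model of Secure Plus cipher-suite ordering and
# negotiation as described in the text. All suite lists here are constructed.

MAX_ENABLED = 10  # the Update Cipher Suites panel accepts at most 10 enabled suites

# Assumption for illustration: name fragments that identify deprecated suites.
# RC4 (RFC 7465) and 3DES (64-bit block size) are the two the panel still lists.
DEPRECATED_MARKERS = ("RC4", "3DES")


def build_enabled_list(order_fields):
    """Turn {suite: order-number-or-None} into the Enabled Cipher Suites list.

    A blank Order field (None) leaves the suite disabled; the rest are sorted by
    the number typed next to them, exactly as the panel lists them on the right.
    """
    chosen = {s: n for s, n in order_fields.items() if n is not None}
    if len(chosen) > MAX_ENABLED:
        raise ValueError(f"at most {MAX_ENABLED} suites can be enabled, got {len(chosen)}")
    if len(set(chosen.values())) != len(chosen):
        raise ValueError("each enabled suite needs a distinct order number")
    return [suite for suite, _ in sorted(chosen.items(), key=lambda kv: kv[1])]


def select_cipher_suite(pnode_enabled, snode_enabled):
    """Return the first suite in PNODE priority order that the SNODE also enables.

    Returns None when the two lists share no suite; in that case the Secure Plus
    session cannot be established, which is the usual symptom of mismatched
    parameter files at the two ends.
    """
    snode_set = set(snode_enabled)
    for suite in pnode_enabled:
        if suite in snode_set:
            return suite
    return None


def deprecated_suites(enabled):
    """Review aid: enabled suites whose names carry a deprecated-algorithm marker."""
    return [s for s in enabled if any(m in s for m in DEPRECATED_MARKERS)]


if __name__ == "__main__":
    # Constructed Order-field entries, as if typed on the panel for the PNODE.
    pnode_fields = {
        "TLS_AES_256_GCM_SHA384": 1,
        "TLS_AES_128_GCM_SHA256": 2,
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": 3,
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": None,   # blank: disabled
    }
    # Constructed SNODE list whose first preference differs from the PNODE's.
    snode_list = ["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_AES_128_GCM_SHA256"]

    pnode_list = build_enabled_list(pnode_fields)
    print("PNODE enabled, in priority order:", pnode_list)
    print("Negotiated suite:", select_cipher_suite(pnode_list, snode_list))
    print("Deprecated suites still enabled:", deprecated_suites(pnode_list))
```

Because the search walks the PNODE's list, the PNODE's priorities decide the outcome: in the sample run the SNODE prefers the CBC suite, yet the session lands on TLS_AES_128_GCM_SHA256 because that is the first PNODE entry the SNODE also enables. After reordering suites on one node, it is worth re-running this kind of check against the partner's list to confirm a common suite still exists.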