Changing security protocol levels

Security administrators can change the security protocol level for either SSL or SSH protocols. When you change the security level for either of these security protocols, you can control which encryption algorithms, ciphers, and version of the protocol are permitted on the system.

Depending on your security requirements for your organization or geography, you can change the level for both SSL and SSH protocols.

The system supports OpenSSL and Java SSL ciphers to provide strong encryption for secure connections using the SSL or TLS protocols. On new systems, the default SSL protocol level is 3, and the default SSH protocol level is 3; however, you can change the SSL/SSH protocol level at any time to resolve errors or further restrict the protocol versions and ciphers that can be used for encryption.

The following table describes each security level, the minimum version of SSL or TLS allowed, and the supported ciphers for each level:

Table 1. Supported SSL/TLS security levels
Level 1: Sets the system to disallow SSL version 3.0. Minimum security allowed: TLS 1.0.
  Supported Java SSL ciphers:
  • SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • SSL_RSA_WITH_AES_256_CBC_SHA256
  • SSL_RSA_WITH_AES_256_GCM_SHA384
  • SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
  • SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
  • SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
  • SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
  • SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • SSL_RSA_WITH_AES_256_CBC_SHA
  • SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
  • SSL_DHE_RSA_WITH_AES_256_CBC_SHA
  • SSL_DHE_DSS_WITH_AES_256_CBC_SHA
  • SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • SSL_RSA_WITH_AES_128_CBC_SHA256
  • SSL_RSA_WITH_AES_128_GCM_SHA256
  • SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
  • SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
  • SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
  • SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
  • SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • SSL_RSA_WITH_AES_128_CBC_SHA
  • SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
  • SSL_DHE_RSA_WITH_AES_128_CBC_SHA
  • SSL_DHE_DSS_WITH_AES_128_CBC_SHA
  • SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  Supported OpenSSL ciphers:
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • DHE-DSS-AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-SHA256
  • DHE-DSS-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • DHE-DSS-AES256-SHA
  • DHE-RSA-CAMELLIA256-SHA
  • DHE-DSS-CAMELLIA256-SHA
  • ECDH-RSA-AES256-GCM-SHA384
  • ECDH-ECDSA-AES256-GCM-SHA384
  • ECDH-RSA-AES256-SHA384
  • ECDH-ECDSA-AES256-SHA384
  • ECDH-RSA-AES256-SHA
  • ECDH-ECDSA-AES256-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • CAMELLIA256-SHA
  • PSK-AES256-CBC-SHA
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES128-SHA
  • DHE-DSS-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
  • DHE-DSS-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • DHE-DSS-AES128-SHA
  • ECDHE-RSA-DES-CBC3-SHA
  • ECDHE-ECDSA-DES-CBC3-SHA
  • DHE-RSA-SEED-SHA
  • DHE-DSS-SEED-SHA
  • DHE-RSA-CAMELLIA128-SHA
  • DHE-DSS-CAMELLIA128-SHA
  • EDH-RSA-DES-CBC3-SHA
  • EDH-DSS-DES-CBC3-SHA
  • ECDH-RSA-AES128-GCM-SHA256
  • ECDH-ECDSA-AES128-GCM-SHA256
  • ECDH-RSA-AES128-SHA256
  • ECDH-ECDSA-AES128-SHA256
  • ECDH-RSA-AES128-SHA
  • ECDH-ECDSA-AES128-SHA
  • ECDH-RSA-DES-CBC3-SHA
  • ECDH-ECDSA-DES-CBC3-SHA
  • AES128-GCM-SHA256
  • AES128-SHA
  • SEED-SHA
  • CAMELLIA128-SHA
  • DES-CBC3-SHA
  • PSK-AES128-CBC-SHA
  • PSK-3DES-EDE-CBC-SHA
  • KRB5-DES-CBC3-SHA
Level 2: Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1. Minimum security allowed: TLS 1.2.
  Supported Java SSL ciphers:
  • SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • SSL_RSA_WITH_AES_256_CBC_SHA256
  • SSL_RSA_WITH_AES_256_GCM_SHA384
  • SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
  • SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
  • SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
  • SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
  • SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • SSL_RSA_WITH_AES_256_CBC_SHA
  • SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
  • SSL_DHE_RSA_WITH_AES_256_CBC_SHA
  • SSL_DHE_DSS_WITH_AES_256_CBC_SHA
  • SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • SSL_RSA_WITH_AES_128_CBC_SHA256
  • SSL_RSA_WITH_AES_128_GCM_SHA256
  • SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
  • SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
  • SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
  • SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
  • SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • SSL_RSA_WITH_AES_128_CBC_SHA
  • SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
  • SSL_DHE_RSA_WITH_AES_128_CBC_SHA
  • SSL_DHE_DSS_WITH_AES_128_CBC_SHA
  Supported OpenSSL ciphers:
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • DHE-DSS-AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-SHA256
  • ECDH-RSA-AES256-GCM-SHA384
  • ECDH-ECDSA-AES256-GCM-SHA384
  • ECDH-RSA-AES256-SHA384
  • ECDH-ECDSA-AES256-SHA384
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • DHE-DSS-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
  • DHE-DSS-AES128-SHA256
  • ECDH-RSA-AES128-GCM-SHA256
  • ECDH-ECDSA-AES128-GCM-SHA256
  • ECDH-RSA-AES128-SHA256
  • ECDH-ECDSA-AES128-SHA256
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • DES-CBC3-SHA
Level 3: Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1, and to allow cipher suites that are exclusive to TLS version 1.2. Minimum security allowed: TLS 1.2.
  Supported Java SSL ciphers:
  • SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • SSL_RSA_WITH_AES_256_CBC_SHA256
  • SSL_RSA_WITH_AES_256_GCM_SHA384
  • SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
  • SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
  • SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
  • SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
  • SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • SSL_RSA_WITH_AES_256_CBC_SHA
  • SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
  • SSL_DHE_RSA_WITH_AES_256_CBC_SHA
  • SSL_DHE_DSS_WITH_AES_256_CBC_SHA
  • SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • SSL_RSA_WITH_AES_128_CBC_SHA256
  • SSL_RSA_WITH_AES_128_GCM_SHA256
  • SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
  • SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
  • SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
  • SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
  Supported OpenSSL ciphers:
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • DHE-DSS-AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-SHA256
  • ECDH-RSA-AES256-GCM-SHA384
  • ECDH-ECDSA-AES256-GCM-SHA384
  • ECDH-RSA-AES256-SHA384
  • ECDH-ECDSA-AES256-SHA384
  • AES256-GCM-SHA384
  • AES256-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • DHE-DSS-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-SHA256
  • DHE-DSS-AES128-SHA256
  • ECDH-RSA-AES128-GCM-SHA256
  • ECDH-ECDSA-AES128-GCM-SHA256
  • ECDH-RSA-AES128-SHA256
  • ECDH-ECDSA-AES128-SHA256
  • AES128-GCM-SHA256
  • AES128-SHA256
Level 4: Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1, to allow cipher suites that are exclusive to TLS version 1.2, and to disallow RSA key exchange ciphers and RSA ciphers for SSH. Minimum security allowed: TLS 1.2.
  Supported Java SSL ciphers:
  • SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
  • SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
  Supported OpenSSL ciphers:
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • DHE-DSS-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • DHE-DSS-AES128-GCM-SHA256

The following table describes the SSH security levels supported by the system:

Table 2. Supported SSH security levels
Level 1
  Key exchange:
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1
  • diffie-hellman-group-exchange-sha1
  Cipher suites:
  • aes256-ctr
  • aes192-ctr
  • aes128-ctr
  • chacha20-poly1305@openssh.com
  • aes256-gcm@openssh.com
  • aes128-gcm@openssh.com
  • aes256-cbc
  • aes192-cbc
  • aes128-cbc
  MAC algorithms:
  • hmac-sha2-256
  • hmac-sha2-512
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • hmac-sha1
Level 2
  Key exchange:
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1
  Cipher suites:
  • aes256-ctr
  • aes192-ctr
  • aes128-ctr
  • chacha20-poly1305@openssh.com
  • aes256-gcm@openssh.com
  • aes128-gcm@openssh.com
  MAC algorithms:
  • hmac-sha2-256
  • hmac-sha2-512
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • hmac-sha1
Level 3
  Key exchange:
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256
  Cipher suites:
  • aes256-ctr
  • aes192-ctr
  • aes128-ctr
  • chacha20-poly1305@openssh.com
  • aes256-gcm@openssh.com
  • aes128-gcm@openssh.com
  MAC algorithms:
  • hmac-sha2-256
  • hmac-sha2-512
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com

Using the management GUI

You can use the management GUI to update protocol levels for SSL and SSH connections:

SSL/TLS security protocol level
By default, the SSL and SSH protocol levels are set to 3. To change the SSL security protocol level, complete these steps:
  1. In the management GUI, select Settings > Security > Security protocol levels.
  2. You can update any of the following details:
    SSL protocol level
    Note: Changing the SSL protocol level causes the GUI to restart.
    SSL ensures that the data is securely transferred. The range is 1 - 4, where 3 is the default value. You can select the required SSL protocol level from the following options:
    • 1 - Disallow SSL 3.0.
    • 2 - Allow TLS 1.2 only.
    • 3 - Disallow cipher suites that are not exclusive to TLS 1.2.
    • 4 - Disallow RSA and static key exchange ciphers.
  3. Click Save.
SSH rules
To update the SSH rules settings, complete these steps:
  1. In the management GUI, select Settings > Security > SSH Rules.
  2. You can update any of the following details:
    SSH login grace period (seconds)
    Indicates the amount of time in seconds to log in before SSH times out. The range is 15 - 1800.
    Maximum login attempts (SSH)
    Indicates the total number of login attempts allowed per single SSH connection. The range is 1 - 10.
    SSH protocol level
    Select the SSH protocol level that is used for connections to the command-line interface. Each level supports different algorithms for key exchange. The range is 1 - 3, where 3 is the default value. Select the required SSH protocol level from the following options:
    • 1 - Allow block ciphers.
    • 2 - Disallow block ciphers.
    • 3 - Disallow SHA1.
  3. Click Save.

Using the command-line interface (CLI)

The chsecurity command allows you to set the ciphers and protocols that are allowed by secure interfaces to reduce the vulnerability to attack. However, changing the security level might break the connection to external systems such as web browsers and anything that is connected through CIM, such as VMware provisioning utilities or IBM® Spectrum Control software.

  1. To display your current system SSL, TLS, and SSH security settings, enter the following command:
    lssecurity
    The results show the current setting as shown in the following example:
    sslprotocol 3
    sshprotocol 3
    gui_timeout_mins 30
    cli_timeout_mins 15
    restapi_timeout_mins 60
    min_password_length 8
    password_special_chars 0
    password_upper_case 0
    password_lower_case 0
    password_digits 0
    check_password_history no
    max_password_history 6
    min_password_age_days 1
    password_expiry_days 0
    expiry_warning_days 14
    superuser_locking disabled
    max_failed_login_attempts 0
    lockout_period_mins 10
    superuser_multi_factor no
    ssh_grace_time_seconds 60
    ssh_max_tries 6
    superuser_password_sshkey_required no
    superuser_gui_disabled no
    superuser_rest_disabled no
  2. To change SSL/TLS settings, enter chsecurity -sslprotocol security_level, where security_level is 1, 2, 3, or 4.
    Note: You might lose the connection to the management GUI when the security level is changed. If you lose the connection, use the CLI to decrease the security level to a lower setting.
  3. To change SSH settings, enter chsecurity -sshprotocol security_level, where security_level is 1, 2, or 3.
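As an added example (not part of the product documentation or the product's own tooling), the following Python script audits captured lssecurity output against the level semantics described in the tables and GUI option text above, reporting what each configured level still permits and the chsecurity commands that would raise it to a required minimum. The sample output and the required minimum levels are constructed assumptions.

```python
# Level semantics as documented in Table 1, Table 2 and the GUI option text above.
SSL_LEVELS = {1: ("1.0", True), 2: ("1.2", True), 3: ("1.2", True), 4: ("1.2", False)}  # (min TLS, RSA suites allowed)
SSH_LEVELS = {1: (True, True), 2: (False, True), 3: (False, False)}  # (CBC ciphers allowed, SHA-1 allowed)

# Constructed sample of lssecurity output; same shape as the example above, values chosen to produce findings.
SAMPLE_OUTPUT = """\
sslprotocol 2
sshprotocol 1
gui_timeout_mins 30
ssh_grace_time_seconds 60
ssh_max_tries 6
"""


def parse_lssecurity(output):
    """Turn the 'name value' lines printed by lssecurity into a dict of strings."""
    settings = {}
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1]
    return settings


def audit(settings, min_ssl=3, min_ssh=3):
    """Return findings describing what the configured SSL and SSH levels still permit."""
    ssl, ssh = int(settings["sslprotocol"]), int(settings["sshprotocol"])
    if ssl not in SSL_LEVELS or ssh not in SSH_LEVELS:
        raise ValueError("unknown protocol level in lssecurity output")
    findings = []
    min_tls, rsa_allowed = SSL_LEVELS[ssl]
    if ssl < min_ssl:
        findings.append(f"sslprotocol {ssl} is below the required level {min_ssl}")
    if min_tls != "1.2":
        findings.append("TLS 1.0 and 1.1 can still be negotiated")
    if rsa_allowed:
        findings.append("RSA cipher suites are still allowed (level 4 removes them)")
    cbc_allowed, sha1_allowed = SSH_LEVELS[ssh]
    if ssh < min_ssh:
        findings.append(f"sshprotocol {ssh} is below the required level {min_ssh}")
    if cbc_allowed:
        findings.append("SSH CBC ciphers are still allowed")
    if sha1_allowed:
        findings.append("SHA-1 key exchange or MAC algorithms are still allowed for SSH")
    return findings


def remediation(settings, min_ssl=3, min_ssh=3):
    """chsecurity commands (from the CLI steps above) that raise the levels to the required minimum."""
    cmds = []
    if int(settings["sslprotocol"]) < min_ssl:
        cmds.append(f"chsecurity -sslprotocol {min_ssl}")
    if int(settings["sshprotocol"]) < min_ssh:
        cmds.append(f"chsecurity -sshprotocol {min_ssh}")
    return cmds
```

Run the audit on a real capture before applying the commands, since the note above warns that raising the level can drop the management GUI connection.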