Changing security protocol levels
Security administrators can change the security protocol level for either SSL or SSH protocols. When you change the security level for either of these security protocols, you can control which encryption algorithms, ciphers, and version of the protocol are permitted on the system.
Depending on your security requirements for your organization or geography, you can change the level for both SSL and SSH protocols.
The system supports OpenSSL and Java SSL ciphers to provide strong encryption for secure connections using the SSL or TLS protocols. On new systems, the default SSL protocol level is 3, and the default SSH protocol level is 3; however, you can change the SSL/SSH protocol level at any time to resolve errors or further restrict the protocol versions and ciphers that can be used for encryption.
The following table describes each security level, minimum version of SSL or TLS allowed and the supported ciphers for each level:
Security level | Description | Minimum security allowed | Supported Java SSL ciphers | Supported OpenSSL ciphers |
---|---|---|---|---|
1 | Sets the system to disallow SSL version 3.0. | TLS 1.0 | | |
2 | Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1. | TLS 1.2 | | |
3 | Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1, and to allow cipher suites that are exclusive to TLS version 1.2. | TLS 1.2 | | |
4 | Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1, and to allow cipher suites that are exclusive to TLS version 1.2. Also sets the system to disallow RSA key exchange ciphers and RSA ciphers for SSH. | TLS 1.2 | | |
The following table describes the SSH security levels supported by the system:
Security level | Key Exchange | Cipher Suite | MAC Algorithm |
---|---|---|---|
1 | | aes256-ctr, aes192-ctr, aes128-ctr, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-cbc, aes192-cbc, aes128-cbc | hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1 |
2 | | aes256-ctr, aes192-ctr, aes128-ctr, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com | hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1 |
3 | | aes256-ctr, aes192-ctr, aes128-ctr, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com | hmac-sha2-256, hmac-sha2-512, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com |
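As an added example (not from the product documentation), the following Python models SSH algorithm negotiation against the three SSH security levels in the table above, so that client compatibility can be checked before a level is raised. It assumes the system's SSH server negotiates like OpenSSH (the client's preference order decides, and no separate MAC is chosen when an AEAD cipher is selected); key exchange is left out because the table does not list those algorithms, and any client algorithm lists are constructed.

```python
# Added example, not part of the product documentation: models SSH algorithm
# negotiation (RFC 4253 section 7.1) against the SSH security levels in the
# table above, to check which clients still connect before a level is raised.
# Key exchange is left out because the table does not list those algorithms.
AEAD_CIPHERS = {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com"}
# Cipher suites and MACs per SSH security level, as in the table above.
LEVEL_CIPHERS = {
    2: ["aes256-ctr", "aes192-ctr", "aes128-ctr", "chacha20-poly1305@openssh.com",
        "aes256-gcm@openssh.com", "aes128-gcm@openssh.com"],
}
LEVEL_CIPHERS[1] = LEVEL_CIPHERS[2] + ["aes256-cbc", "aes192-cbc", "aes128-cbc"]
LEVEL_CIPHERS[3] = LEVEL_CIPHERS[2]
LEVEL_MACS = {
    3: ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha2-256-etm@openssh.com",
        "hmac-sha2-512-etm@openssh.com"],
}
LEVEL_MACS[1] = LEVEL_MACS[2] = LEVEL_MACS[3] + ["hmac-sha1"]


def negotiate(client_prefs, server_supported):
    """RFC 4253 7.1: the first algorithm in the client's preference order that
    the server also supports wins; None means negotiation fails."""
    for alg in client_prefs:
        if alg in server_supported:
            return alg
    return None


def can_connect(level, client_ciphers, client_macs):
    """Return (cipher, mac) negotiated at this level, or None on failure.
    An AEAD cipher carries its own integrity tag, so an OpenSSH-style server
    skips the MAC choice for it (assumed here); a client offering only
    hmac-sha1 can therefore still connect at level 3 via chacha20 or aes-gcm."""
    cipher = negotiate(client_ciphers, LEVEL_CIPHERS[level])
    if cipher is None:
        return None
    if cipher in AEAD_CIPHERS:
        return (cipher, None)
    mac = negotiate(client_macs, LEVEL_MACS[level])
    return None if mac is None else (cipher, mac)


def highest_compatible_level(client_ciphers, client_macs):
    """Highest SSH security level (1-3) the client can still negotiate, or None."""
    ok = [lvl for lvl in (1, 2, 3) if can_connect(lvl, client_ciphers, client_macs)]
    return max(ok) if ok else None
```

Feed it the algorithm lists your automation hosts and jump boxes actually offer (for OpenSSH clients, `ssh -Q cipher` and `ssh -Q mac` list what the binary supports) and raise the level only as far as every required client still negotiates.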
Using the management GUI
You can use the management GUI to update protocol levels for SSL and SSH connections:
- SSL/TLS security protocol level

  By default, the SSL and SSH protocol levels are set to 3. To change the SSL security protocol level, complete these steps:
  - In the management GUI, select .
  - You can update any of the following details:
    - SSL protocol level

      Note: Changing the SSL protocol level causes the GUI to restart. SSL ensures that the data is securely transferred. The range is 1 - 4, where 3 is the default value. You can select the required SSL protocol level from the following options:
      - 1 - Disallow SSL 3.0.
      - 2 - Allow TLS 1.2 only.
      - 3 - Disallow TLS 1.2 cipher suites not exclusive to 1.2.
      - 4 - Disallow RSA and static key exchange ciphers.
  - Click Save.
- SSH rules

  To update the SSH rules settings, complete these steps:
  - In the management GUI, select .
  - You can update any of the following details:
    - SSH login grace period (seconds): the amount of time in seconds allowed to log in before SSH times out. The range is 15 - 1800.
    - Maximum login attempts (SSH): the total number of login attempts allowed per single SSH connection. The range is 1 - 10.
    - SSH protocol level: select the SSH protocol level that is used for connections to the command-line interface. Each level supports different algorithms for key exchange. The range is 1 - 3, where 3 is the default value. Select the required SSH protocol level from the following options:
      - 1 - Allow block ciphers.
      - 2 - Disallow block ciphers.
      - 3 - Disallow SHA1.
  - Click Save.
Using the command-line interface (CLI)
The chsecurity command allows you to set the ciphers and protocols that are allowed by secure interfaces, reducing exposure to attack. However, changing the security level might break the connection to external systems such as web browsers and anything that is connected through CIM, such as VMware provisioning utilities or IBM® Spectrum Control software.