Changing security protocol levels

Security administrators can change the security protocol level for either SSL or SSH protocols. When you change the security level for either of these security protocols, you can control which encryption algorithms, ciphers, and version of the protocol are permitted on the system.

Depending on your security requirements for your organization or geography, you can change the level for both SSL and SSH protocols.

The system supports OpenSSL and Java SSL ciphers to provide strong encryption for secure connections using the SSL or TLS protocols. On new systems, the default SSL protocol level is 3, and the default SSH protocol level is 3; however, you can change the SSL/SSH protocol level at any time to resolve errors or further restrict the protocol versions and ciphers that can be used for encryption.

The following table describes each security level, minimum version of SSL or TLS allowed and the supported ciphers for each level:

Table 1. Supported SSL/TLS security levels
Security level	Description	Minimum security allowed	Supported Java SSL ciphers	Supported OpenSSL ciphers
1	Sets the system to disallow SSL version 3.0.	TLS 1.0	SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_RSA_WITH_AES_256_CBC_SHA256 SSL_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_RSA_WITH_AES_256_GCM_SHA384 SSL_DHE_DSS_WITH_AES_256_CBC_SHA256 SSL_DHE_DSS_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDH_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSL_RSA_WITH_AES_128_CBC_SHA256 SSL_RSA_WITH_AES_128_GCM_SHA256 SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDH_RSA_WITH_AES_128_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_128_CBC_SHA SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA	ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA ECDH-RSA-AES256-GCM-SHA384 E ECDH-ECDSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA384 ECDH-ECDSA-AES256-SHA384 ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA PSK-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA DHE-RSA-SEED-SHA DHE-DSS-SEED-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA AES128-GCM-SHA256 AES128-SHA SEED-SHA CAMELLIA128-SHA DES-CBC3-SHA PSK-AES128-CBC-SHA PSK-3DES-EDE-CBC-SHA KRB5-DES-CBC3-SHA
2	Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1.	TLS 1.2	SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_RSA_WITH_AES_256_CBC_SHA256 SSL_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_RSA_WITH_AES_256_GCM_SHA384 SSL_DHE_DSS_WITH_AES_256_CBC_SHA256 SSL_DHE_DSS_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDH_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSL_RSA_WITH_AES_128_CBC_SHA256 SSL_RSA_WITH_AES_128_GCM_SHA256 SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA SSL_ECDH_RSA_WITH_AES_128_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_128_CBC_SHA	ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDH-RSA-AES256-GCM-SHA384 E ECDH-ECDSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA384 ECDH-ECDSA-AES256-SHA384 AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 AES128-GCM-SHA256 AES128-SHA256 AES128-SHA DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 AES128-GCM-SHA256 AES128-SHA256 AES128-SHA DES-CBC3-SHA
3	Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1 and to allow cipher suites that are exclusive to TLS version 1.2.	TLS 1.2	SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_RSA_WITH_AES_256_CBC_SHA256 SSL_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 SSL_DHE_RSA_WITH_AES_256_GCM_SHA384 SSL_DHE_DSS_WITH_AES_256_CBC_SHA256 SSL_DHE_DSS_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA SSL_ECDH_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 SSL_RSA_WITH_AES_128_CBC_SHA256 SSL_RSA_WITH_AES_128_GCM_SHA256 SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256 SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256 SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256	ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDH-RSA-AES256-GCM-SHA384 E ECDH-ECDSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA384 ECDH-ECDSA-AES256-SHA384 AES256-GCM-SHA384 AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 ECDH-RSA-AES128-GCM-SHA256 ECDH-ECDSA-AES128-GCM-SHA256 ECDH-RSA-AES128-SHA256 ECDH-ECDSA-AES128-SHA256 AES128-GCM-SHA256 AES128-SHA256
4	Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1, and to allow cipher suites that are exclusive to TLS version 1.2. Sets the system to disallow RSA key exchange ciphers, RSA ciphers for SSH.	TLS 1.2	SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_DHE_DSS_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256	ECDHE-ECDSA-AES256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256

The following table describes the SSH security levels supported by the system:

Table 2. Supported SSH security levels
Security level	Key Exchange	Cipher Suite	MAC Algorithm
1	curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1	aes256-ctr aes192-ctr aes128-ctr chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-cbc aes192-cbc aes128-cbc	hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha1
2	curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1	aes256-ctr aes192-ctr aes128-ctr chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com	hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha1
3	curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group14-sha256	aes256-ctr aes192-ctr aes128-ctr chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com	hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com

Using the management GUI

You can use the management GUI to update protocol levels for SSL and SSH connections:

SSL/TLS security protocol level

By default, the SSL protocol level is set as 3.By default, the SSL and SSH protocol levels are set as 3. To change the SSL security protocol levels, complete these steps:

In the management GUI, select Settings > Security > Security protocol levels.
You can update any of the following details:
SSL protocol level
Note: Changing the SSL protocol level causes the GUI to restart.
SSL ensures that the data is securely transferred. The range is 1 - 4, where 3 is default value. You can select the required SSL protocol level from the following options:
- 1 - Disallow SSL 3.0.
- 2 - Allow TLS 1.2 only.
- 3 - Disallow TLS 1.2 cipher suites not exclusive to 1.2.
- 4 - Disallow RSA and static key exchange ciphers.
Click Save.

SSH rules

To update the SSH rules settings, complete these steps:

In the management GUI, select Settings > Security > SSH Rules.
You can update any of the following details:
SSH login grace period (seconds)

Indicates the amount of time in seconds to log in before SSH times out. The range is 15 - 1800.

Maximum login attempts (SSH)

Indicates the total number of login attempts allowed per single SSH connection. The range is 1 - 10.

SSH protocol level
Select the SSH protocol level that is used for connections to the command line interface. Each level supports different algorithms for key exchange. The range is 1 - 3, where 3 is default value. Select the required SSH protocol level from the following options:
- 1 - Allow block ciphers.
- 2 - Disallow block ciphers.
- 3 - Disallow SHA1.
Click Save.

Using the command-line interface (CLI)

The chsecurity command allows you to set the ciphers and protocols that are allowed by secure interfaces to reduce the vulnerability to attack. However, changing the security level might break the connection to external systems such as web browsers and anything that is connected through CIM such as VMWare provisioning utilities or IBM® Spectrum Control software.

To display your current system SSL, TLS, and SSH security settings, enter the following command:

lssecurity

The results show the current setting as shown in the following example:

sslprotocol 3
sshprotocol 3
gui_timeout_mins 30
cli_timeout_mins 15
restapi_timeout_mins 60
min_password_length 8
password_special_chars 0
password_upper_case 0
password_lower_case 0
password_digits 0
check_password_history no
max_password_history 6
min_password_age_days 1
password_expiry_days 0
expiry_warning_days 14
superuser_locking disabled
max_failed_login_attempts 0
lockout_period_mins 10
superuser_multi_factor no
ssh_grace_time_seconds 60
ssh_max_tries 6
superuser_password_sshkey_required no
superuser_gui_disabled no
superuser_rest_disabled no

To change SSL/TLS settings, enter chsecurity -sslprotocol security_level, where security_level is 1, 2, 3, or 4.
Note: You might lose the connection to the management GUI when the security level is changed. If you lose the connection, use the CLI to decrease the security level to a lower setting.
To change SSH settings, enter chsecurity -sshprotocol security_level, where security_level is 1, 2, or 3.