A weakness has been detected in Secure Sockets Layer (SSL) 2.0, SSL 3.0, and Transport Layer Security (TLS) 1.0 when used with Cipher Block Chaining (CBC) encryption mode. This weakness is inherent in the protocol, and has been exploited by a demonstrated attack referred to as the Browser Exploit Against SSL/TLS (BEAST). In addition, some security scan tools flag these protocols as being vulnerable. If your environment requires security against this exploit, you can use TLS 1.2 in your IBM® Flex System Manager environment.
About this task
In order to use TLS 1.2 you must enable it throughout your
environment, and use a web browser that supports it. Follow these
steps to enable TLS 1.2.
Procedure
- Install a web browser that is supported by the management software and
supports TLS 1.2. You can find a list of supported web
browsers in Accessing the management software web interfaces.
- Configure the browser to enable TLS 1.2. For
instructions on how to do this, consult the help for your browser.
- Configure the Chassis Management Modules in the chassis to use only TLS 1.2. Log in to the CMM command line interface and issue the command:
  crypto -cs tls1.2 -T mm[p]
  You can re-enable use of the less restrictive legacy cryptographic settings using the command:
  crypto -cs legacy -T mm[p]
- Configure the Integrated Management Modules to use only TLS 1.2. Log in to the IMM command line interface and issue the command:
  tls -min 1.2
  You can re-enable use of TLS 1.0 using the command:
  tls -min 1.0
- Configure the IBM Flex System Manager to use only TLS 1.2. Log in to the management software command line interface and issue the command:
  smcli setCryptoMode -l tls1.2
  You can re-enable use of the less restrictive legacy cryptographic settings using the command:
  smcli setCryptoMode -l legacy
  You can see the security policy currently in use using the command:
  smcli lsCryptoMode
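
After completing the procedure, you can confirm from a workstation that each component accepts TLS 1.2 and refuses TLS 1.0 and TLS 1.1. The following Python script is an added example, not part of the IBM documentation or tooling. The host addresses and port 443 are placeholder assumptions, and it assumes a Python build whose OpenSSL library can still offer TLS 1.0 and 1.1 (otherwise the result is reported as None and the endpoint is not marked compliant).

```python
import socket
import ssl

# Versions offered one at a time; after the procedure only TLS 1.2 should succeed.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, version, timeout=5.0):
    """True/False if a handshake pinned to `version` succeeds/fails, None if untestable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol negotiation is tested here, and management modules may
    # present self-signed certificates, so certificate checks are disabled.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Let the local client offer legacy versions so a refusal comes from the server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None  # local TLS library cannot offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # includes ssl.SSLError and timeouts
        return False  # handshake refused, or host unreachable

def audit(endpoints, probe_fn=probe):
    """Map each endpoint name to (compliant, {version label: probe result})."""
    report = {}
    for name, (host, port) in endpoints.items():
        results = {label: probe_fn(host, port, v) for label, v in VERSIONS.items()}
        legacy_refused = results["TLS 1.0"] is False and results["TLS 1.1"] is False
        report[name] = (legacy_refused and results["TLS 1.2"] is True, results)
    return report

if __name__ == "__main__":
    # Placeholder addresses and port (assumptions); use your CMM, IMM and FSM hosts.
    targets = {"CMM": ("192.0.2.10", 443), "IMM": ("192.0.2.11", 443),
               "FSM": ("192.0.2.12", 443)}
    for name, (ok, results) in audit(targets).items():
        print(name, "PASS" if ok else "FAIL", results)
```

An endpoint that is unreachable also reports FAIL, because TLS 1.2 could not be confirmed.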