Security system values: Secure Sockets Layer cipher specification list

The Secure Sockets Layer cipher specification list system value is also known as QSSLCSL. You can use this system value to define the System SSL cipher specification list.

Quick reference
Location: From System i® Navigator, expand your system > Configuration and Service > System Values > Security > System SSL.
Special authority: Input/output (I/O) system configuration (*IOSYSCFG), all object (*ALLOBJ), and security administrator (*SECADM).
Default value:

*RSA_AES_128_CBC_SHA
*RSA_RC4_128_SHA
*RSA_RC4_128_MD5
*RSA_AES_256_CBC_SHA
*RSA_3DES_EDE_CBC_SHA
*RSA_DES_CBC_SHA
*RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5
*RSA_NULL_SHA
*RSA_NULL_MD5

Changes take effect: Immediately for all subsequent System SSL sessions.
Lockable: Yes. (See Lock function of security-related system values for details.)

What can I do with this system value?

If you specify the Use user-defined (*USRDFN) option for the Secure Sockets Layer cipher control (QSSLCSLCTL) system value, you can define the Secure Sockets Layer cipher specification list (QSSLCSL) system value. If the QSSLCSLCTL system value is system defined, the QSSLCSL system value is read-only.

The System SSL property page lists all the SSL protocol values supported by System SSL. System SSL uses the sequence of the values in the QSSLCSL system value to order the default cipher specification list. The default cipher specification list entries are system defined and can change with different releases. If a default cipher suite is removed from the QSSLCSL system value, the cipher suite is removed from the default list. The default cipher suite is added back to the default cipher specification list when it is added back into the QSSLCSL system value. The default cipher specification list values, but not order, can also be changed by using System Service Tools (SST) Advanced Analysis command SSLCONFIG. You cannot add other cipher suites to the default list beyond the set that the system defines as eligible for the release.

You cannot add a cipher suite to the QSSLCSL system value if the required SSL protocol value for the cipher suite is not set for the Secure Sockets Layer protocols (QSSLPCL) system value.

This system value can have the following values:

*RSA_AES_128_CBC_SHA
Use the RSA encoding algorithms for the Advanced Encryption Standard (AES) cipher with cipher block chaining (CBC) and 128 bit keys. Use Secure Hash Algorithm (SHA) for generating message authentication codes (MAC).
*RSA_AES_128_CBC_SHA256
Use the RSA encoding algorithms for the AES cipher with CBC and 128 bit keys. Use Secure Hash Algorithm 256 (SHA256) for generating MAC.
*RSA_AES_256_CBC_SHA256
Use the RSA encoding algorithms for the AES cipher with CBC and 256 bit keys. Use SHA256 for generating MAC.
*RSA_NULL_SHA256
Use the RSA encoding algorithms but do not use any cipher. Use SHA256 for generating MAC.
*RSA_RC4_128_SHA
Use the RSA encoding algorithms for Rivest Cipher 4 (RC4) and 128 bit keys. Use SHA for generating MAC.
*RSA_RC4_128_MD5
Use the RSA encoding algorithms for the RC4 cipher and 128 bit keys. Use message digest algorithm 5 (MD5) for generating MAC.
*RSA_AES_256_CBC_SHA
Use the RSA encoding algorithms for the AES cipher with CBC and 256 bit keys. Use SHA for generating MAC.
*RSA_3DES_EDE_CBC_SHA
Use the RSA encoding algorithms for the Triple Data Encryption Standard (3DES) cipher with the encrypt/decrypt/encrypt (EDE) and CBC modes and 168 bit keys. Use SHA for generating MAC.
*RSA_DES_CBC_SHA
Use the RSA encoding algorithms for the Data Encryption Standard (DES) cipher with the CBC mode and 56 bit keys. Use SHA for generating MAC.
*RSA_EXPORT_RC2_CBC_40_MD5
Use the RSA encoding algorithms for Rivest Cipher 2 (RC2) with the CBC mode and 40 bit keys. Use MD5 for generating MAC.
*RSA_EXPORT_RC4_40_MD5
Use the RSA encoding algorithms for the RC4 cipher and 40 bit keys. Use MD5 for generating MAC.
*RSA_NULL_SHA
Use the RSA encoding algorithms but do not use any cipher. Use SHA for generating MAC.
*RSA_NULL_MD5
Use the RSA encoding algorithms but do not use any cipher. Use MD5 for generating MAC.
*RSA_RC2_CBC_128_MD5
Use the RSA encoding algorithms for the RC2 cipher with the CBC mode and 128 bit keys. Use MD5 for generating MAC.
*RSA_3DES_EDE_CBC_MD5
Use the RSA encoding algorithms for the 3DES cipher with the EDE and CBC modes and 168 bit keys. Use MD5 for generating MAC.
*RSA_DES_CBC_MD5
Use the RSA encoding algorithms for the DES cipher with the CBC mode and 56 bit keys. Use MD5 for generating MAC.
Note: This system value is not supported on systems running IBM® i V5R4, or earlier.
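
The following is an added example, not part of the original documentation or any IBM tooling. It reviews a QSSLCSL list using the cipher and key size that each value's description above gives, then proposes a reduced list ordered strongest first, since the sequence of values sets the order of the default cipher specification list. The function names and the review policy (AES only, keys of at least 128 bits, no MD5 MAC) are assumptions of this example.

```python
import re

# Cipher and key size for each value, taken from the descriptions on this page.
CIPHERS = {
    "AES_128_CBC": ("AES", 128), "AES_256_CBC": ("AES", 256),
    "RC4_128": ("RC4", 128), "RC4_40": ("RC4", 40),
    "RC2_CBC_128": ("RC2", 128), "RC2_CBC_40": ("RC2", 40),
    "3DES_EDE_CBC": ("3DES", 168), "DES_CBC": ("DES", 56),
    "NULL": (None, 0),
}
# Assumed review policy (not from the page): AES only, 128-bit keys or more, no MD5.
LEGACY = {"RC4", "RC2", "DES", "3DES"}

# Default value of QSSLCSL as listed in the quick reference, in order.
DEFAULT = ["*RSA_AES_128_CBC_SHA", "*RSA_RC4_128_SHA", "*RSA_RC4_128_MD5",
           "*RSA_AES_256_CBC_SHA", "*RSA_3DES_EDE_CBC_SHA", "*RSA_DES_CBC_SHA",
           "*RSA_EXPORT_RC4_40_MD5", "*RSA_EXPORT_RC2_CBC_40_MD5",
           "*RSA_NULL_SHA", "*RSA_NULL_MD5"]

def parse_spec(name):
    """Return (cipher, key_bits, mac) for a value such as *RSA_AES_128_CBC_SHA."""
    m = re.fullmatch(r"\*RSA_(?:EXPORT_)?(.+)_(SHA256|SHA|MD5)", name)
    if not m or m.group(1) not in CIPHERS:
        raise ValueError(f"unknown cipher specification: {name}")
    cipher, bits = CIPHERS[m.group(1)]
    return cipher, bits, m.group(2)

def findings(name):
    """List the reasons a value fails the assumed policy (empty list = keep)."""
    cipher, bits, mac = parse_spec(name)
    reasons = []
    if cipher is None:
        reasons.append("no encryption")
    elif bits < 128:
        reasons.append(f"{bits}-bit key")
    if cipher in LEGACY:
        reasons.append(f"legacy cipher {cipher}")
    if mac == "MD5":
        reasons.append("MD5 MAC")
    return reasons

def harden(current):
    """Drop failing values; order the rest by key size, SHA256 ahead of SHA."""
    keep = [n for n in current if not findings(n)]
    return sorted(keep, key=lambda n: (-parse_spec(n)[1], parse_spec(n)[2] != "SHA256"))

if __name__ == "__main__":
    for n in DEFAULT:
        print(f"{n:28} {', '.join(findings(n)) or 'ok'}")
    print("proposed QSSLCSL:", " ".join(harden(DEFAULT)))
```

A proposed list can be applied only when QSSLCSLCTL is set to *USRDFN, and each value in it requires its SSL protocol to be set in QSSLPCL.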