System SSL/TLS system level settings

System SSL/TLS has many attributes that determine how secure sessions are negotiated.

Each attribute value is set in one of three ways:
  1. The application developer sets an explicit value for the attribute by using code.
  2. The application developer provides a user interface to allow the application administrator to indirectly set the attribute value.
  3. The application developer does not set a value for the attribute. System SSL/TLS uses the default value for the attribute.

Security compliance requirements change over the lifespan of a release. To remain compliant, system administrators need to override some attribute values. System SSL/TLS provides various system level settings to implement this level of control.

There are two types of system level control:
  • Completely disable the value for an attribute
    • The disabled value is ignored when it is used by any of the three methods of setting the attribute value
    • Application encounters a hard failure if no valid value remains enabled for the attribute
    • Application encounters a soft failure if peer requires the disabled value
  • Disable a default value for an attribute
    • Changes only applications that use System SSL/TLS defaults for setting this specific attribute
    • Application encounters a soft failure if peer requires the disabled value

The system level settings are controlled by using a combination of these interfaces:
  • SSL/TLS System Values
  • System Service Tools (SST) Advanced Analysis command SSLCONFIG as specified.
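
The two types of system level control described above can be modeled in a few lines. This is an added illustration, not IBM code: the function names, the protocol lists, and the "first mutually supported value wins" selection rule are assumptions made for the example.

```python
# Added illustration: simplified model of the two system level controls.
# Protocol names and lists are constructed sample data, not IBM i defaults.

SAMPLE_DEFAULTS = ["TLSv1.3", "TLSv1.2"]   # constructed default list
SAMPLE_ENABLED = {"TLSv1.3", "TLSv1.2"}    # TLSv1.1 is completely disabled


def effective_values(app_values, defaults, enabled, default_disabled=()):
    """Values an application can offer for one attribute.

    app_values is the list set by code or through an administrator UI
    (methods 1 and 2), or None when the application relies on the
    System SSL/TLS defaults (method 3).
    """
    if app_values is None:
        # Disabling a default only changes applications that use defaults.
        requested = [v for v in defaults if v not in default_disabled]
    else:
        requested = list(app_values)
    # A completely disabled value is ignored whichever method asked for it.
    return [v for v in requested if v in enabled]


def outcome(app_values, peer_values, defaults, enabled, default_disabled=()):
    """Return the negotiated value, 'hard failure' or 'soft failure'."""
    usable = effective_values(app_values, defaults, enabled, default_disabled)
    if not usable:
        # No valid value remains enabled for the attribute.
        # Assumption: an emptied default list is treated the same way.
        return "hard failure"
    for value in usable:  # assumption: first mutually supported value wins
        if value in peer_values:
            return value
    # The peer requires a value this system no longer offers.
    return "soft failure"


if __name__ == "__main__":
    legacy_peer = {"TLSv1.1"}
    # Explicit list contains only a completely disabled value.
    print(outcome(["TLSv1.1"], legacy_peer, SAMPLE_DEFAULTS, SAMPLE_ENABLED))
    # Explicit list keeps one enabled value, but the peer needs the disabled one.
    print(outcome(["TLSv1.2", "TLSv1.1"], legacy_peer,
                  SAMPLE_DEFAULTS, SAMPLE_ENABLED))
    # Default-only disable: an explicit setting is unaffected.
    print(outcome(["TLSv1.2"], {"TLSv1.2"}, SAMPLE_DEFAULTS, SAMPLE_ENABLED,
                  default_disabled={"TLSv1.2"}))
```

Running the same inventory of application settings through a model like this before changing a system level setting shows which applications would stop starting and which would only fail against specific peers.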

The following System SSL/TLS attributes can have their enabled values, default values, or both changed at the system level.