System TLS system level settings

System TLS has many attributes that determine how secure sessions are negotiated.

Each attribute value is set in one of three ways:
  1. The application developer sets an explicit value for the attribute by using code.
  2. The application developer provides a user interface to allow the application administrator to indirectly set the attribute value.
  3. The application developer does not set a value for the attribute. System TLS uses the default value for the attribute.

Security compliance requirements change over the lifespan of a release. To remain compliant, system administrators need to override some attribute values. System TLS provides various system level settings to implement this level of control.

There are two types of system level control:
  • Completely disable the value for an attribute
    • The disabled value is ignored when it is used by any of the three methods of setting the attribute value
    • The application encounters a hard failure if no valid value remains enabled for the attribute
    • The application encounters a soft failure if the peer requires the disabled value
  • Disable a default value for an attribute
    • Changes only applications that use System TLS defaults for setting this specific attribute
    • The application encounters a soft failure if the peer requires the disabled value

The system level settings are controlled by using a combination of these interfaces:
  • TLS System Values
  • System Service Tools (SST) Advanced Analysis command TLSCONFIG as specified.
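
The effect of the two control types on individual applications can be previewed before a change is made. The following Python model is an added example, not System TLS code or an IBM i interface; the protocol lists, the application inventory, and all function names are constructed for illustration.

```python
# Added model of the two control types; not System TLS code or an IBM i API.
from enum import Enum

class Outcome(Enum):
    OK = "session negotiated"
    SOFT_FAILURE = "peer requires a value that is not offered"
    HARD_FAILURE = "no valid value remains enabled"

# Constructed sample data for one attribute (protocol versions), not real shipped values.
SUPPORTED = ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1.0"]
SHIPPED_DEFAULTS = ["TLSv1.3", "TLSv1.2", "TLSv1.1"]

def effective_values(disabled, default_disabled, app_values=None):
    """Values one application can offer. app_values=None means the application
    relies on System TLS defaults; a list means it was set by code or an admin UI."""
    enabled = [v for v in SUPPORTED if v not in disabled]
    if app_values is None:
        # Only this path is changed by "disable a default value".
        return [v for v in SHIPPED_DEFAULTS if v in enabled and v not in default_disabled]
    # A completely disabled value is ignored however it was set.
    return [v for v in app_values if v in enabled]

def session_outcome(offered, peer_accepts):
    if not offered:
        # Stated on the page for completely disabled values;
        # assumed here for an empty default list as well.
        return Outcome.HARD_FAILURE
    if not any(v in peer_accepts for v in offered):
        return Outcome.SOFT_FAILURE
    return Outcome.OK

def preview(apps, disabled=(), default_disabled=()):
    """Map each application name to its outcome under a proposed system level change."""
    return {name: session_outcome(effective_values(disabled, default_disabled, values), peer)
            for name, (values, peer) in apps.items()}

# Constructed inventory: name -> (explicit values or None, values the peer accepts)
APPS = {
    "uses-defaults":  (None, {"TLSv1.1"}),
    "explicit-1.1":   (["TLSv1.1"], {"TLSv1.1"}),
    "explicit-1.0":   (["TLSv1.0"], {"TLSv1.0", "TLSv1.2"}),
    "explicit-mixed": (["TLSv1.2", "TLSv1.0"], {"TLSv1.0"}),
}

if __name__ == "__main__":
    change = preview(APPS, disabled={"TLSv1.0"}, default_disabled={"TLSv1.1"})
    for name, outcome in change.items():
        print(f"{name:15} {outcome.name}")
```

In this model, disabling TLSv1.1 only as a default leaves the application that set it explicitly working, while completely disabling TLSv1.0 produces a hard failure for the application that configured nothing else.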

The following System TLS attributes can have their enabled values, default values, or both changed at the system level.