Security considerations

WebSphere Automation supports different mechanisms for securing your environment.

Protecting against HTTP Host header attacks

The HTTP Host header, the mandatory request header that specifies the domain that the client wants to access, can be altered as part of an attack. To enable HTTP Host header injection protection:
  1. Ensure that the HTTP Host header that clients send matches the value of URL_PREFIX in the configmap product-configmap. (If necessary, specify the project name websphere-automation.)
  2. In configmap product-configmap, add or edit the HOST_INJECTION_CHECK_ENABLED entry and set its value to true.

    To set the entry by using the Red Hat® OpenShift® console, select the product-configmap for the websphere-automation project. From the menu, select Edit configmap. On the YAML page, find or add the HOST_INJECTION_CHECK_ENABLED entry, and set the value to true.

  3. Restart the ibm-nginx-* pods.
    • If you are using the Red Hat OpenShift console, select the pods and use the delete pod action.
    • If you are using the CLI, use the oc delete pod <pod-name> -n websphere-automation command.

If you need to disable this protection for any reason, remove the HOST_INJECTION_CHECK_ENABLED entry or set its value to false, and then restart the ibm-nginx-* pods.
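Before you enable the check, it helps to know which Host values that clients currently send would fail it. The following helper is an added example, not part of WebSphere Automation or its Nginx configuration; it assumes that URL_PREFIX is a bare hostname or a URL and that the comparison is a case-insensitive host-and-port match (the product's own check may be stricter), and the sample values in it are constructed.

```python
"""Pre-flight review for the HOST_INJECTION_CHECK_ENABLED setting.

Added example, not part of WebSphere Automation. Given the URL_PREFIX value
from product-configmap and the Host header values that clients send, it
reports which requests would be rejected once the Host check is enabled.
Assumed rules (the product's Nginx check may be stricter): URL_PREFIX is a
bare hostname or a URL; the hostname is compared case-insensitively; a port
in the Host header must equal the URL_PREFIX port or the scheme default.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def expected_host(url_prefix: str) -> tuple:
    """Return the (hostname, port) pair that the Host header must match."""
    url = url_prefix if "://" in url_prefix else "https://" + url_prefix
    u = urlsplit(url)
    if not u.hostname:
        raise ValueError(f"URL_PREFIX has no host part: {url_prefix!r}")
    return u.hostname.lower(), u.port or DEFAULT_PORTS.get(u.scheme, 443)


def host_header_allowed(host_header: str, url_prefix: str) -> bool:
    """True if a request carrying this Host header would pass the check."""
    want_host, want_port = expected_host(url_prefix)
    raw = host_header.strip()
    got = urlsplit("//" + raw)            # parses host, IPv6 literal and :port
    # Reject anything that is not purely host[:port]: a path, query, fragment
    # or userinfo in the Host header is malformed and must not be matched.
    if got.netloc != raw or got.username is not None:
        return False
    try:
        got_port = got.port or want_port  # no explicit port: assume the default
    except ValueError:                    # non-numeric port such as "host:abc"
        return False
    return (got.hostname or "").lower() == want_host and got_port == want_port


def rejected_hosts(host_headers, url_prefix: str) -> list:
    """Distinct Host values from the input that the check would reject."""
    seen, rejected = set(), []
    for h in host_headers:
        if h not in seen and not host_header_allowed(h, url_prefix):
            seen.add(h)
            rejected.append(h)
    return rejected


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    PREFIX = "https://cpd-websphere-automation.apps.example.com"
    SEEN = ["cpd-websphere-automation.apps.example.com",
            "CPD-WEBSPHERE-AUTOMATION.apps.example.com:443",
            "other.example.net",
            "cpd-websphere-automation.apps.example.com:8443"]
    print("would be rejected:", rejected_hosts(SEEN, PREFIX))
```

Feed it the Host values from your ingress or Nginx access logs; anything it reports is a client that will start receiving errors after the restart.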

Using the ResourceQuota resource

Setting limits on the resources that a Kubernetes namespace can use helps to prevent security issues such as Denial-of-Service (DoS) attacks. For more information about setting limits by using the ResourceQuota resource, see Kubernetes Hardening Guidance (published by the National Security Agency and the Cybersecurity and Infrastructure Security Agency) or Resource quotas in the Red Hat OpenShift documentation.

Network providers and network policies

WebSphere Automation does not install a network provider. It supports the two network providers that Red Hat OpenShift Container Platform supports, and you can use either of them. For more information, see OVN-Kubernetes network plug-in and OpenShift SDN network plug-in in the Red Hat OpenShift Container Platform documentation.

WebSphere Automation provides the network policies that are required for secure communication. Do not change the default network policies: any changes that you make to them are restored to the defaults by the WebSphere Automation operator.

More security hardening information

For advanced security hardening information, see Security considerations in the IBM Cloud Pak for AIOps documentation.

Listing of supported cipher suites

During a secure socket layer (SSL) handshake, the client and server negotiate which cipher suite to use to exchange data. A cipher suite is a set of algorithms that are used to provide authentication, encryption, and data integrity.

WebSphere Automation uses TLS v1.2 to encrypt and protect data that enters the cluster network and data that moves within the cluster network, but it does not specify the cipher suites that are used. The default cipher suites that are used for encryption are listed in the following sections. The default cipher suites are not configurable.

The name of each cipher suite specifies the algorithms that it uses for authentication, encryption, and data integrity checking. For example, the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA uses RSA for authentication; AES with a 256-bit key in CBC mode for encryption; and SHA-1 as the hash function for data integrity.
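The following parser applies that naming rule to the names in the lists below, including the TLS 1.3 names that omit the key exchange and authentication parts. It is an added example, not IBM code, and the classification of components as deprecated (NULL, EXPORT, RC4, DES, 3DES, MD5, anonymous DH) reflects common TLS hardening baselines rather than anything stated on this page.

```python
"""Parse IANA-style cipher suite names such as the ones listed on this page.

Added example (not IBM's code): splits a name such as
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030) into the key-exchange,
authentication, bulk-cipher, mode and hash parts that the text describes,
notes whether the suite gives forward secrecy, and lists any component that
current TLS hardening baselines reject outright.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

DEPRECATED = {"NULL", "EXPORT", "RC4", "RC2", "DES", "DES40", "3DES", "MD5", "anon"}

# Optional "(0xC030)" code suffix as used in the lists on this page.
NAME_RE = re.compile(r"^(?:TLS|SSL)_(?P<body>[A-Za-z0-9_]+?)(?:\((?P<code>0x[0-9A-Fa-f]{4})\))?$")
# Non-greedy cipher so "AES_256" is separated from the mode "GCM" and hash "SHA384";
# mode and hash are optional because stream ciphers (RC4) and CCM suites omit them.
CIPHER_RE = re.compile(
    r"^(?P<cipher>.+?)(?:_(?P<mode>CBC|GCM|CCM_8|CCM|POLY1305))?(?:_(?P<hash>SHA\d*|MD5))?$"
)


@dataclass
class CipherSuite:
    name: str
    code: Optional[str]
    key_exchange: Optional[str]    # None for TLS 1.3 names, which omit it
    authentication: Optional[str]  # None for TLS 1.3 names
    cipher: str
    mode: Optional[str]
    hash: Optional[str]            # "SHA" alone means SHA-1
    deprecated: List[str] = field(default_factory=list)

    @property
    def forward_secrecy(self) -> bool:
        # TLS 1.3 always uses ephemeral (EC)DHE; in TLS 1.2 only the *HE suites do.
        return self.key_exchange is None or self.key_exchange in ("ECDHE", "DHE")


def parse_cipher_suite(text: str) -> CipherSuite:
    m = NAME_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a cipher suite name: {text!r}")
    body, code = m.group("body"), m.group("code")
    if body.endswith("_SCSV"):
        raise ValueError(f"{text!r} is a signalling value, not a cipher suite")
    if "_WITH_" in body:
        kx_auth, spec = body.split("_WITH_", 1)
        parts = [p for p in kx_auth.split("_") if p != "EXPORT"]
        # A single token (RSA, PSK) means static key transport: the same
        # algorithm does both key exchange and authentication.
        kx, auth = (parts[0], parts[-1]) if len(parts) > 1 else (parts[0], parts[0])
    else:                          # TLS 1.3 style, e.g. TLS_AES_128_GCM_SHA256
        kx = auth = None
        spec = body
    c = CIPHER_RE.match(spec)
    return CipherSuite(
        name=text.strip(), code=code, key_exchange=kx, authentication=auth,
        cipher=c.group("cipher"), mode=c.group("mode"), hash=c.group("hash"),
        deprecated=sorted(set(body.split("_")) & DEPRECATED),
    )
```

Running it over a list such as the ingress controller client suites below shows at a glance which entries are static-RSA (no forward secrecy) and which contain a deprecated component.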

For manager containers

For manager containers, the supported client cipher suites are shown in the following list.

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C)
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B)
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F)
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA)
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3)
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E)
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2)
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028)
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B)
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A)
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067)
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040)
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E)
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032)
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D)
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031)
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026)
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A)
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025)
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029)
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014)
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039)
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038)
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033)
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032)
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005)
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F)
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004)
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E)
  • TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D)
  • TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C)
  • TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D)
  • TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C)
  • TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)
  • TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)

The supported server cipher is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030).

The preferred cipher suite for communication is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030).

For Liberty containers

The cipher suites that are used by the Liberty container REST service are listed here.

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9)
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8)
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013)
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014)
  • TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C)
  • TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D)
  • TLS_RSA_WITH_AES_128_CBC_SHA(0x002F)
  • TLS_RSA_WITH_AES_256_CBC_SHA(0x0035)
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(0xC012)
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA(0x000A)
  • TLS_AES_128_GCM_SHA256(0x1301)
  • TLS_AES_256_GCM_SHA384(0x1302)
  • TLS_CHACHA20_POLY1305_SHA256(0x1303)

The supported server cipher is TLS_AES_128_GCM_SHA256(0x1301).

The preferred cipher suite for communication is TLS_AES_128_GCM_SHA256(0x1301).

For ingress controllers

The supported client cipher suites that are used by the ingress controller services are listed here.

  • TLS_NULL_WITH_NULL_NULL
  • TLS_RSA_WITH_NULL_MD5
  • TLS_RSA_WITH_NULL_SHA
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  • TLS_RSA_WITH_IDEA_CBC_SHA
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_DSS_WITH_DES_CBC_SHA
  • TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_RSA_WITH_DES_CBC_SHA
  • TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DHE_RSA_WITH_DES_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
  • TLS_DH_anon_WITH_RC4_128_MD5
  • TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
  • TLS_DH_anon_WITH_DES_CBC_SHA
  • TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
  • TLS_KRB5_WITH_DES_CBC_SHA
  • TLS_KRB5_WITH_3DES_EDE_CBC_SHA
  • TLS_KRB5_WITH_RC4_128_SHA
  • TLS_KRB5_WITH_IDEA_CBC_SHA
  • TLS_KRB5_WITH_DES_CBC_MD5
  • TLS_KRB5_WITH_3DES_EDE_CBC_MD5
  • TLS_KRB5_WITH_RC4_128_MD5
  • TLS_KRB5_WITH_IDEA_CBC_MD5
  • TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
  • TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA
  • TLS_KRB5_EXPORT_WITH_RC4_40_SHA
  • TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
  • TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
  • TLS_KRB5_EXPORT_WITH_RC4_40_MD5
  • TLS_PSK_WITH_NULL_SHA
  • TLS_DHE_PSK_WITH_NULL_SHA
  • TLS_RSA_PSK_WITH_NULL_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_DH_DSS_WITH_AES_128_CBC_SHA
  • TLS_DH_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DH_anon_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_DH_DSS_WITH_AES_256_CBC_SHA
  • TLS_DH_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DH_anon_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_NULL_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DH_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DH_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DH_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DH_anon_WITH_AES_128_CBC_SHA256
  • TLS_DH_anon_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
  • TLS_PSK_WITH_RC4_128_SHA
  • TLS_PSK_WITH_3DES_EDE_CBC_SHA
  • TLS_PSK_WITH_AES_128_CBC_SHA
  • TLS_PSK_WITH_AES_256_CBC_SHA
  • TLS_DHE_PSK_WITH_RC4_128_SHA
  • TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_PSK_WITH_AES_128_CBC_SHA
  • TLS_DHE_PSK_WITH_AES_256_CBC_SHA
  • TLS_RSA_PSK_WITH_RC4_128_SHA
  • TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_PSK_WITH_AES_128_CBC_SHA
  • TLS_RSA_PSK_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_SEED_CBC_SHA
  • TLS_DH_DSS_WITH_SEED_CBC_SHA
  • TLS_DH_RSA_WITH_SEED_CBC_SHA
  • TLS_DHE_DSS_WITH_SEED_CBC_SHA
  • TLS_DHE_RSA_WITH_SEED_CBC_SHA
  • TLS_DH_anon_WITH_SEED_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DH_DSS_WITH_AES_128_GCM_SHA256
  • TLS_DH_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DH_anon_WITH_AES_128_GCM_SHA256
  • TLS_DH_anon_WITH_AES_256_GCM_SHA384
  • TLS_PSK_WITH_AES_128_GCM_SHA256
  • TLS_PSK_WITH_AES_256_GCM_SHA384
  • TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
  • TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
  • TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
  • TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
  • TLS_PSK_WITH_AES_128_CBC_SHA256
  • TLS_PSK_WITH_AES_256_CBC_SHA384
  • TLS_PSK_WITH_NULL_SHA256
  • TLS_PSK_WITH_NULL_SHA384
  • TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
  • TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
  • TLS_DHE_PSK_WITH_NULL_SHA256
  • TLS_DHE_PSK_WITH_NULL_SHA384
  • TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
  • TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
  • TLS_RSA_PSK_WITH_NULL_SHA256
  • TLS_RSA_PSK_WITH_NULL_SHA384
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
  • TLS_SM4_GCM_SM3
  • TLS_SM4_CCM_SM3
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • TLS_ECDH_ECDSA_WITH_NULL_SHA
  • TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_NULL_SHA
  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_NULL_SHA
  • TLS_ECDH_RSA_WITH_RC4_128_SHA
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_NULL_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_anon_WITH_NULL_SHA
  • TLS_ECDH_anon_WITH_RC4_128_SHA
  • TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  • TLS_ECDH_anon_WITH_AES_256_CBC_SHA
  • TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA
  • TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_SRP_SHA_WITH_AES_128_CBC_SHA
  • TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA
  • TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA
  • TLS_SRP_SHA_WITH_AES_256_CBC_SHA
  • TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA
  • TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_PSK_WITH_RC4_128_SHA
  • TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_PSK_WITH_NULL_SHA
  • TLS_ECDHE_PSK_WITH_NULL_SHA256
  • TLS_ECDHE_PSK_WITH_NULL_SHA384
  • TLS_RSA_WITH_ARIA_128_CBC_SHA256
  • TLS_RSA_WITH_ARIA_256_CBC_SHA384
  • TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256
  • TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384
  • TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256
  • TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384
  • TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
  • TLS_DH_anon_WITH_ARIA_128_CBC_SHA256
  • TLS_DH_anon_WITH_ARIA_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
  • TLS_RSA_WITH_ARIA_128_GCM_SHA256
  • TLS_RSA_WITH_ARIA_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
  • TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256
  • TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384
  • TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256
  • TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384
  • TLS_DH_anon_WITH_ARIA_128_GCM_SHA256
  • TLS_DH_anon_WITH_ARIA_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
  • TLS_PSK_WITH_ARIA_128_CBC_SHA256
  • TLS_PSK_WITH_ARIA_256_CBC_SHA384
  • TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
  • TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
  • TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
  • TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
  • TLS_PSK_WITH_ARIA_128_GCM_SHA256
  • TLS_PSK_WITH_ARIA_256_GCM_SHA384
  • TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
  • TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
  • TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
  • TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
  • TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
  • TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
  • TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
  • TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
  • TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
  • TLS_RSA_WITH_AES_128_CCM
  • TLS_RSA_WITH_AES_256_CCM
  • TLS_DHE_RSA_WITH_AES_128_CCM
  • TLS_DHE_RSA_WITH_AES_256_CCM
  • TLS_RSA_WITH_AES_128_CCM_8
  • TLS_RSA_WITH_AES_256_CCM_8
  • TLS_DHE_RSA_WITH_AES_128_CCM_8
  • TLS_DHE_RSA_WITH_AES_256_CCM_8
  • TLS_PSK_WITH_AES_128_CCM
  • TLS_PSK_WITH_AES_256_CCM
  • TLS_DHE_PSK_WITH_AES_128_CCM
  • TLS_DHE_PSK_WITH_AES_256_CCM
  • TLS_PSK_WITH_AES_128_CCM_8
  • TLS_PSK_WITH_AES_256_CCM_8
  • TLS_PSK_DHE_WITH_AES_128_CCM_8
  • TLS_PSK_DHE_WITH_AES_256_CCM_8
  • TLS_ECDHE_ECDSA_WITH_AES_128_CCM
  • TLS_ECDHE_ECDSA_WITH_AES_256_CCM
  • TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
  • TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
  • TLS_ECCPWD_WITH_AES_128_GCM_SHA256
  • TLS_ECCPWD_WITH_AES_256_GCM_SHA384
  • TLS_ECCPWD_WITH_AES_128_CCM_SHA256
  • TLS_ECCPWD_WITH_AES_256_CCM_SHA384
  • TLS_SHA256_SHA256
  • TLS_SHA384_SHA384
  • TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC
  • TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC
  • TLS_GOSTR341112_256_WITH_28147_CNT_IMIT
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
  • TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
  • TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256
  • TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256

The supported server cipher suites are listed here.

  • ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
  • ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
  • ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
  • DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
  • DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits

The preferred cipher suite for communication is ECDHE-RSA-AES128-GCM-SHA256.

For FIPS-enabled clusters

The supported server cipher suites for FIPS-enabled clusters are shown in the following list.

  • TLS 1.2 supported
    • 128 bits encryption - Rivest-Shamir-Adleman (RSA) based
      • ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
      • DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
    • 256 bits encryption - Rivest-Shamir-Adleman (RSA) based
      • ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
      • DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
  • TLS 1.3 supported
    • 128 bits encryption - Advanced Encryption Standard (AES) based
      • TLS_AES_128_GCM_SHA256 Curve P-256 DHE 256
    • 256 bits encryption - Advanced Encryption Standard (AES) based
      • TLS_AES_256_GCM_SHA384 Curve P-256 DHE 256