At times, you might need to configure or change the Secure Sockets Layer (SSL), Transport
Layer Security (TLS), or Secure Shell (SSH) security level settings for a system either to resolve
an error or to further restrict the range of protocols that can be used.
To configure or change the security levels on your system, use the chsecurity and lssecurity commands.
The chsecurity and lssecurity command level settings (1, 2, 3, or 4) for the -sslprotocol parameter are defined as shown in the following list:
- 1 disallows SSL 3.0. (This setting is the system default.)
- 2 allows TLS 1.2 only.
- 3 additionally disallows TLS 1.2 cipher suites that are not exclusive to TLS 1.2.
- 4 additionally disallows RSA key exchange ciphers.
The chsecurity and lssecurity command level settings (1 or 2) for the -sshprotocol parameter are defined as shown in the following list:
- 1 disallows RSA ciphers for SSH.
- 2 additionally disallows the diffie-hellman-group14-sha256 and diffie-hellman-group14-sha1 key exchange methods.
To display your current system SSL, TLS, and SSH security settings, enter the following command:
lssecurity
The results show the current setting, as shown in the following example:
sslprotocol:1
sshprotocol:1
To change your SSL or TLS security settings, enter the following command:
chsecurity -sslprotocol security_level
where security_level is either 1, 2, 3, or 4.
To change your SSH security settings, enter the following command:
chsecurity -sshprotocol security_level
where security_level is either 1 or 2.
The chsecurity command can be used to set the ciphers and protocols that are allowed by secure interfaces so that vulnerability to attack can be reduced. However, changing this security level might break the connection to external systems such as web browsers and anything that is connected through CIM, such as VMware provisioning utilities or IBM Spectrum Control software.
Resolve security protocol issues on your system by using the following guidelines and the chsecurity -sslprotocol and chsecurity -sshprotocol commands:
- Connections can fail because of incompatible protocols. You can use the -sslprotocol parameter to find problems with external systems by changing the SSL interface versions. You can also use this parameter to change the security level back when connections fail because of incompatible protocols that cannot be fixed currently.
- Remote access to the management GUI can be
lost if the security level is set above the minimum default level and the web browser is not set up
to use the same level. If you cannot increase the security level of the web browser, use the
chsecurity command to reduce the security level.
- User authorization management by using an LDAP server might fail if the security level is
set above the minimum default level and the LDAP server is not set up to use the same level. If
you cannot increase the security level of the LDAP server, you might need to use the
chsecurity command to reduce the security level.
- External management systems that connect through CIM, such as some VMware provisioning
utilities and Tivoli Storage Manager, might fail to connect to the system in certain situations. For
example, such a failure might occur if the security level is set above the minimum default level and
the external system is not set up to use the same protocol levels. If you cannot increase the
security level of the external system, you might need to use the chsecurity command
to reduce the security level.
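A small POSIX shell helper, added here as an example and not part of the IBM documentation, that ties together the lssecurity check and the chsecurity change described above: it parses lssecurity output (a constructed sample matching the example on this page), validates the requested level against the ranges the -sslprotocol (1-4) and -sshprotocol (1-2) parameters accept, and prints the chsecurity command to run together with the rollback command whenever the level is being raised, since raising it is what can cut off browsers, LDAP servers, and CIM clients that are not configured for the same level.

```shell
#!/bin/sh
# Constructed sample of lssecurity output, matching the page's example
# (example data, not captured from a real system).
SAMPLE_LSSECURITY='sslprotocol:1
sshprotocol:1'

# Print the level for one parameter (sslprotocol or sshprotocol) found in
# the lssecurity output passed as $1; fail if the parameter is absent.
get_level() {
    printf '%s\n' "$1" | awk -F: -v key="$2" \
        '$1 == key { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# Validate a requested level against the ranges chsecurity accepts:
# -sslprotocol takes 1-4, -sshprotocol takes 1-2.
valid_level() {
    case "$1:$2" in
        sslprotocol:[1-4]|sshprotocol:[12]) return 0 ;;
        *) return 1 ;;
    esac
}

# Plan a change from the current level to $3 for parameter $2.
# Prints the chsecurity command and, when the level is being raised,
# the rollback command. Returns 1 if the level is already set,
# 2 if the request is invalid.
plan_change() {
    output=$1; param=$2; target=$3
    valid_level "$param" "$target" || \
        { echo "invalid level $target for -$param" >&2; return 2; }
    current=$(get_level "$output" "$param") || \
        { echo "$param not found in lssecurity output" >&2; return 2; }
    if [ "$current" -eq "$target" ]; then
        echo "unchanged: -$param is already $current"
        return 1
    fi
    echo "chsecurity -$param $target"
    if [ "$target" -gt "$current" ]; then
        # Raising the level can break GUI, LDAP, and CIM clients that are
        # not set up for the same level; keep the rollback command handy.
        echo "rollback: chsecurity -$param $current"
    fi
}
```

Run it against real output with `plan_change "$(ssh superuser@<system> lssecurity)" sslprotocol 3`; the script only prints the commands and never executes chsecurity itself.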