Security levels and supported security ciphers

You can use secure sockets (SSL) connections to improve intersystem communication.

Version

This information about security settings applies to the current release. Older code releases might support other ciphers that are no longer supported because of security vulnerabilities.

SSL certificates

The system generates a self-signed certificate to authenticate SSL connections. During the manufacturing process, each node generates an initial self-signed security certificate. A new certificate is generated when a new system is configured or when the user asks for the certificate to be regenerated.

A system generally consists of 2 to 8 nodes, all of which share the certificate in the system. When a new node is added to a system, a copy of the current certificate is provided for that node. If you remove a node from a system (or is replaced after hardware failure), the node that is removed might retain a copy of the certificate that is stored on the node boot drives.

You can generate a new certificate after you remove or replace hardware, which improves security (and removes the possibility of compromising the older certificate). The system uses a 2048-bit RSA key and SHA-256 hash when you generate certificates.

SSL connections and security levels

The system uses SSL connections to control access to the management GUI, the service assistant GUI, the key server, and CIMON. SSL connections use security ciphers to help control access.

You can use security ciphers that are supported by different levels of SSL. Each level supports ciphers that provide differing strengths of encryption. You can set the security level to level 4 to be compliant with the NIST 800-131a standard. You can set the security level to level 2 and use the hashing algorithm SHA-1 for message authentication.

You can set the security level to level 1, but some of the encryption algorithms that are available for use are not approved by either NIST 800-131a or FIPS 140-2. Security level 4 is the maximum level supported. SSL security level 1 is the lowest security level currently supported.

Security level 0 is no longer supported.

Note: SSL security level 3 is the level to use if the system that is connecting to the host system supports the TLS 1.2 SSL protocol. Ciphers that are supported by security levels 2 and 1 are not supported for level 3.

SSL levels and security ciphers supported at those levels

SSL security level 4 supports the TLS 1.2 SSL protocol. Protocols supported at level 4 displays what security levels are supported at security level 4.

Table 1. Protocols supported at level 4
SSL level	Is it supported?
TLS 1.2	Yes
TLS 1.1	No
TLS 1.0	No
SSL 3 and earlier	No

Java SSL ciphers supported at security level 4 displays Java SSL ciphers that are supported at security level 4.

Table 2. Java SSL ciphers supported at security level 4
Java SSL ciphers
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256

OpenSSL ciphers supported at level 4 (chsecurity -sslprotocol 4) displays OpenSSL security ciphers that are supported by security level 4.

Table 3. OpenSSL ciphers supported at level 4 (`chsecurity -sslprotocol 4`)
Cipher	Kx	Au	Enc	Mac
ECDHE-ECDSA-AES256-GCM-SHA384	ECDH	ECDSA	AESGCM(256)	AEAD
DHE-DSS-AES256-GCM-SHA384	DH	DSS	AESGCM(256)	AEAD
ECDHE-ECDSA-AES128-GCM-SHA256	ECDH	ECDSA	AESGCM(128)	AEAD
DHE-DSS-AES128-GCM-SHA256	DH	DSS	AESGCM(128)	AEAD

SSL security level 3 supports the TLS 1.2 SSL protocol. Protocols supported at level 3 displays what security levels are supported at security level 3.

Table 4. Protocols supported at level 3
SSL level	Is it supported?
TLS 1.2	Yes
TLS 1.1	No
TLS 1.0	No
SSL 3 and earlier	No

Java SSL ciphers supported at security level 3 displays Java SSL ciphers that are supported at security level 3.

Table 5. Java SSL ciphers supported at security level 3
Java SSL ciphers
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256

OpenSSL ciphers supported at level 3 (chsecurity -sslprotocol 3) displays OpenSSL security ciphers that are supported by security level 3.

Table 6. OpenSSL ciphers supported at level 3 (`chsecurity -sslprotocol 3`)
Cipher	Kx	Au	Enc	Mac
ECDHE-RSA-AES256-GCM-SHA384	ECDH	RSA	AESGCM(256)	AEAD
ECDHE-ECDSA-AES256-GCM-SHA384	ECDH	ECDSA	AESGCM(256)	AEAD
ECDHE-RSA-AES256-SHA384	ECDH	RSA	AES(256)	SHA384
ECDHE-ECDSA-AES256-SHA384	ECDH	ECDSA	AES(256)	SHA384
DHE-DSS-AES256-GCM-SHA384	DH	DSS	AESGCM(256)	AEAD
DHE-RSA-AES256-GCM-SHA384	DH	RSA	AESGCM(256)	AEAD
DHE-RSA-AES256-SHA256	DH	RSA	AES(256)	SHA256
ECDH-RSA-AES256-GCM-SHA384 E	ECDH/RSA	ECDH	AESGCM(256)	AEAD
ECDH-ECDSA-AES256-GCM-SHA384	ECDH/ECDSA	ECDH	AESGCM(256)	AEAD
ECDH-RSA-AES256-SHA384	ECDH/RSA	ECDH	AES(256)	SHA384
ECDH-ECDSA-AES256-SHA384	ECDH/ECDSA	ECDH	AES(256)	SHA384
AES256-GCM-SHA384	RSA	RSA	AESGCM(256)	AEAD
AES256-SHA256	RSA	RSA	AES(256)	SHA256
ECDHE-RSA-AES128-GCM-SHA256	ECDH	RSA	AESGCM(128)	AEAD
ECDHE-ECDSA-AES128-GCM-SHA256	ECDH	ECDSA	AESGCM(128)	AEAD
ECDHE-RSA-AES128-SHA256	ECDH	RSA	AES(128)	SHA256
ECDHE-ECDSA-AES128-SHA256	ECDH	ECDSA	AES(128)	SHA256
DHE-DSS-AES128-GCM-SHA256	DH	DSS	AESGCM(128)	AEAD
DHE-RSA-AES128-GCM-SHA256	DH	RSA	AESGCM(128)	AEAD
DHE-RSA-AES128-SHA256	DH	RSA	AES(128)	SHA256
DHE-DSS-AES128-SHA256	DH	DSS	AES(128)	SHA256
ECDH-RSA-AES128-GCM-SHA256	ECDH/RSA	ECDH	AESGCM(128)	AEAD
ECDH-ECDSA-AES128-GCM-SHA256	ECDH/ECDSA	ECDH	AESGCM(128)	AEAD
ECDH-RSA-AES128-SHA256	ECDH/RSA	ECDH	AES(128)	SHA256
ECDH-ECDSA-AES128-SHA256	ECDH/ECDSA	ECDH	AES(128)	SHA256
AES128-GCM-SHA256	RSA	RSA	AESGCM(128)	AEAD
AES128-SHA256	RSA	RSA	AES(128)	SHA256

SSL security level 2 also supports the TLS 1.2 SSL protocol. Protocols supported at level 2 displays what security levels are supported at security level 2.

Table 7. Protocols supported at level 2
SSL level	Is it supported?
TLS 1.2	Yes
TLS 1.1	No
TLS 1.0	No
SSL 3 and earlier	No

Java SSL ciphers supported at level 2 displays Java SSL ciphers that are supported at security level 2.

Table 8. Java SSL ciphers supported at level 2
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA

OpenSSL ciphers supported at level 2 (chsecurity -sslprotocol 2) displays OpenSSL security ciphers that are supported by security level 2.

Table 9. OpenSSL ciphers supported at level 2 (`chsecurity -sslprotocol 2`)
Cipher	Kx	Au	Enc	Mac
ECDHE-RSA-AES256-GCM-SHA384	ECDH	RSA	AESGCM(256)	AEAD
ECDHE-ECDSA-AES256-GCM-SHA384	ECDH	ECDSA	AESGCM(256)	AEAD
ECDHE-RSA-AES256-SHA384	ECDH	RSA	AES(256)	SHA384
ECDHE-ECDSA-AES256-SHA384	ECDH	ECDSA	AES(256)	SHA384
DHE-DSS-AES256-GCM-SHA384	DH	DSS	AESGCM(256)	AEAD
DHE-RSA-AES256-GCM-SHA384	DH	RSA	AESGCM(256)	AEAD
DHE-RSA-AES256-SHA256	DH	RSA	AES(256)	SHA256
ECDH-RSA-AES256-GCM-SHA384 E	ECDH/RSA	ECDH	AESGCM(256)	AEAD
ECDH-ECDSA-AES256-GCM-SHA384	ECDH/ECDSA	ECDH	AESGCM(256)	AEAD
ECDH-RSA-AES256-SHA384	ECDH/RSA	ECDH	AES(256)	SHA384
ECDH-ECDSA-AES256-SHA384	ECDH/ECDSA	ECDH	AES(256)	SHA384
AES256-GCM-SHA384	RSA	RSA	AESGCM(256)	AEAD
AES256-SHA256	RSA	RSA	AES(256)	SHA256
AES256-SHA	RSA	RSA	AES(256)	SHA1
ECDHE-RSA-AES128-GCM-SHA256	ECDH	RSA	AESGCM(128)	AEAD
ECDHE-ECDSA-AES128-GCM-SHA256	ECDH	ECDSA	AESGCM(128)	AEAD
ECDHE-RSA-AES128-SHA256	ECDH	RSA	AES(128)	SHA256
ECDHE-ECDSA-AES128-SHA256	ECDH	ECDSA	AES(128)	SHA256
DHE-DSS-AES128-GCM-SHA256	DH	DSS	AESGCM(128)	AEAD
DHE-RSA-AES128-GCM-SHA256	DH	RSA	AESGCM(128)	AEAD
DHE-RSA-AES128-SHA256	DH	RSA	AES(128)	SHA256
DHE-DSS-AES128-SHA256	DH	DSS	AES(128)	SHA256
ECDH-RSA-AES128-GCM-SHA256	ECDH/RSA	ECDH	AESGCM(128)	AEAD
ECDH-ECDSA-AES128-GCM-SHA256	ECDH/ECDSA	ECDH	AESGCM(128)	AEAD
ECDH-RSA-AES128-SHA256	ECDH/RSA	ECDH	AES(128)	SHA256
ECDH-ECDSA-AES128-SHA256	ECDH/ECDSA	ECDH	AES(128)	SHA256
AES128-GCM-SHA256	RSA	RSA	AESGCM(128)	AEAD
AES128-SHA256	RSA	RSA	AES(128)	SHA256
AES128-SHA	RSA	RSA	AES(128)	SHA1
DES-CBC3-SHA	RSA	RSA	3DES(168)	SHA1

Protocols supported at level 1 displays what security levels are supported at security level 1.

Table 10. Protocols supported at level 1
SSL level	Supported?
TLS 1.2	Yes
TLS 1.1	Yes
TLS 1.0	No
SSL 3 and earlier	No

Java SSL ciphers supported at level 1 shows Java SSL ciphers that are supported by security level 1.

Table 11. Java SSL ciphers supported at level 1
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

OpenSSL ciphers supported at level 1 (chsecurity -sslprotocol 1) displays OpenSSL security ciphers that are supported by security level 1.

Table 12. OpenSSL ciphers supported at level 1 (`chsecurity -sslprotocol 1`)
Cipher	Kx	Au	Enc	Mac
ECDHE-RSA-AES256-GCM-SHA384	ECDH	RSA	AESGCM(256)	AEAD
ECDHE-ECDSA-AES256-GCM-SHA384	ECDH	ECDSA	AESGCM(256)	AEAD
ECDHE-RSA-AES256-SHA384	ECDH	RSA	AES(256)	SHA384
ECDHE-ECDSA-AES256-SHA384	ECDH	ECDSA	AES(256)	SHA384
ECDHE-RSA-AES256-SHA	ECDH	RSA	AES(256)	SHA1
ECDHE-ECDSA-AES256-SHA	ECDH	ECDSA	AES(256)	SHA1
DHE-DSS-AES256-GCM-SHA384	DH	DSS	AESGCM(256)	AEAD
DHE-RSA-AES256-GCM-SHA384	DH	RSA	AESGCM(256)	AEAD
DHE-RSA-AES256-SHA256	DH	RSA	AES(256)	SHA256
DHE-DSS-AES256-SHA256	DH	DSS	AES(256)	SHA256
DHE-RSA-AES256-SHA	DH	RSA	AES(256)	SHA1
DHE-DSS-AES256-SHA	DH	DSS	AES(256)	SHA1
DHE-RSA-CAMELLIA256-SHA	DH	RSA	Camellia(256)	SHA1
DHE-DSS-CAMELLIA256-SHA	DH	DSS	Camellia(256)	SHA1
ECDH-RSA-AES256-GCM-SHA384 E	ECDH/RSA	ECDH	AESGCM(256)	AEAD
ECDH-ECDSA-AES256-GCM-SHA384	ECDH/ECDSA	ECDH	AESGCM(256)	AEAD
ECDH-RSA-AES256-SHA384	ECDH/RSA	ECDH	AES(256)	SHA384
ECDH-ECDSA-AES256-SHA384	ECDH/ECDSA	ECDH	AES(256)	SHA384
ECDH-RSA-AES256-SHA	ECDH/RSA	ECDH	AES(256)	SHA1
ECDH-ECDSA-AES256-SHA	ECDH/ECDSA	ECDH	AES(256)	SHA1
AES256-GCM-SHA384	RSA	RSA	AESGCM(256)	AEAD
AES256-SHA256	RSA	RSA	AES(256)	SHA256
AES256-SHA	RSA	RSA	AES(256)	SHA1
CAMELLIA256-SHA	RSA	RSA	Camellia(256)	SHA1
PSK-AES256-CBC-SHA	PSK	PSK	AES(256)	SHA1
ECDHE-RSA-AES128-GCM-SHA256	ECDH	RSA	AESGCM(128)	AEAD
ECDHE-ECDSA-AES128-GCM-SHA256	ECDH	ECDSA	AESGCM(128)	AEAD
ECDHE-RSA-AES128-SHA256	ECDH	RSA	AES(128)	SHA256
ECDHE-ECDSA-AES128-SHA256	ECDH	ECDSA	AES(128)	SHA256
ECDHE-RSA-AES128-SHA	ECDH	RSA	AES(128)	SHA1
ECDHE-ECDSA-AES128-SHA	ECDH	ECDSA	AES(128)	SHA1
DHE-DSS-AES128-GCM-SHA256	DH	DSS	AESGCM(128)	AEAD
DHE-RSA-AES128-GCM-SHA256	DH	RSA	AESGCM(128)	AEAD
DHE-RSA-AES128-SHA256	DH	RSA	AES(128)	SHA256
DHE-DSS-AES128-SHA256	DH	DSS	AES(128)	SHA256
DHE-RSA-AES128-SHA	DH	RSA	AES(128)	SHA1
DHE-DSS-AES128-SHA	DH	DSS	AES(128)	SHA1
ECDHE-RSA-DES-CBC3-SHA	ECDH	RSA	3DES(168)	SHA1
ECDHE-ECDSA-DES-CBC3-SHA	ECDH	ECDSA	3DES(168)	SHA1
DHE-RSA-SEED-SHA	DH	RSA	SEED(128)	SHA1
DHE-DSS-SEED-SHA	DH	DSS	SEED(128)	SHA1
DHE-RSA-CAMELLIA128-SHA	DH	RSA	Camellia(128)	SHA1
DHE-DSS-CAMELLIA128-SHA	DH	DSS	Camellia(128)	SHA1
EDH-RSA-DES-CBC3-SHA	DH	RSA	3DES(168)	SHA1
EDH-DSS-DES-CBC3-SHA	DH	DSS	3DES(168)	SHA1
ECDH-RSA-AES128-GCM-SHA256	ECDH/RSA	ECDH	AESGCM(128)	AEAD
ECDH-ECDSA-AES128-GCM-SHA256	ECDH/ECDSA	ECDH	AESGCM(128)	AEAD
ECDH-RSA-AES128-SHA256	ECDH/RSA	ECDH	AES(128)	SHA256
ECDH-ECDSA-AES128-SHA256	ECDH/ECDSA	ECDH	AES(128)	SHA256
ECDH-RSA-AES128-SHA	ECDH/RSA	ECDH	AES(128)	SHA1
ECDH-ECDSA-AES128-SHA	ECDH/ECDSA	ECDH	AES(128)	SHA1
ECDH-RSA-DES-CBC3-SHA	ECDH/RSA	ECDH	3DES(168)	SHA1
ECDH-ECDSA-DES-CBC3-SHA	ECDH/ECDSA	ECDH	3DES(168)	SHA1
AES128-GCM-SHA256	RSA	RSA	AESGCM(128)	AEAD
AES128-SHA	RSA	RSA	AES(128)	SHA1
SEED-SHA	RSA	RSA	SEED(128)	SHA1
CAMELLIA128-SHA	RSA	RSA	Camellia(128)	SHA1
DES-CBC3-SHA	RSA	RSA	AES(168)	SHA256
PSK-AES128-CBC-SHA	PSK	PSK	AES(128)	SHA1
PSK-3DES-EDE-CBC-SHA	PSK	PSK	3DES(168)	SHA1
KRB5-DES-CBC3-SHA	KRB5	KRB5	3DES(168)	SHA1

TCP and UDP ports

You can use firewall protections that restrict Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports. You can use external network communications to connect to these ports. TCP and UDP ports that are supported lists all supported ports and describes how they can be used.

Table 13. TCP and UDP ports that are supported
Service	Traffic direction	Protocol	Port	Service type
Email (SMTP) notification and inventory reports	Outbound	TCP	25	Optional
SNMP event notification	Outbound	UDP	162	Optional
Syslog event notification	Outbound	UDP	514	Optional
IPv4 DHCP (Node service address)	Outbound	UDP	68	Optional
IPv6 DHCP (Node service address)	Outbound	UDP	547	Optional
Network time server (NTP)	Outbound	UDP	123	Optional
SSH for command line interface (CLI) access	Inbound	TCP	22	Mandatory
HTTP to HTTPS redirect for GUI access	Inbound	TCP	80	Optional
HTTPS redirect for GUI access	Inbound	TCP	443	Mandatory
HTTP to HTTPS redirect for GUI access	Inbound	TCP	8080	Optional
HTTPS for GUI access	Inbound	TCP	8443	Mandatory
CIMOM (HTTPS)	Inbound	TCP	5989	Optional
CIMOM SLPD	Inbound	UDP	427	Optional
Remote user authentication service - HTTP	Outbound	TCP	16310	Optional
Remote user authentication service - HTTPS	Outbound	TCP	16311	Optional
Remote user authentication service - Lightweight Directory Access Protocol (LDAP)	Outbound	TCP	389	Optional
iSCSI	Inbound	TCP	3260	Optional
iSCSI iSNS	Outbound	TCP	3260	Optional
IP Partnership management IP communication	Inbound	TCP	3260	Optional
IP Partnership management IP communication	Outbound	TCP	3260	Optional
IP Partnership data path connections	Inbound	TCP	3265	Optional
IP Partnership data path connections	Outbound	TCP	3265	Optional

Note: The management GUI is accessed by using an SSH connection. For convenience, port 80 is left open but redirects all requests to use an SSH connection. The web server for the management GUI runs as a non-privileged process for more security, and requires these settings:

Port 80 to be redirected to port 8080
Port 443 to be redirected to port 8443

Security key algorithms

Supported host key (and public key) algorithms include ssh-rsa, ssh-dss, and ssh-ecdsa. These supported SSH ciphers algorithms can be used:

aes128-ctr
aes192-ctr
aes256-ctr
aes128-cbc

These supported message authentication codes can be used:

hmac-sha2-256
hmac-sha2-512
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha1

At SSH security level 1, the following key exchange algorithms can be used:

curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha1

At SSH security level 2, the following key exchange algorithms can be used:

curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1

Interoperability

At SSL security level 4, Google Chrome Version 63.0.3239.132 and higher and Mozilla Firefox Version 52.7.2 and later are known to work with the management GUI. IBM SDK, Java Technology Edition, Version 8 update 1.8.0_161 and later is known to work with the IP quorum application.