Security levels and supported security ciphers

You can use secure sockets (SSL) connections to improve intersystem communication.

Version

This information about security settings applies to the current release only.

SSL certificates

The system generates a self-signed certificate to authenticate SSL connections. During the manufacturing process, each node generates an initial self-signed security certificate. A new certificate is generated when a new system is configured or when the user asks for the certificate to be regenerated.

A system generally consists of 2 to 8 nodes, all of which share the certificate in the system. When a new node is added to a system, a copy of the current certificate is provided for that node. If you remove a node from a system (or is replaced after hardware failure), the node that is removed might retain a copy of the certificate that is stored on the node boot drives.

You can generate a new certificate after you remove or replace hardware, which improves security (and removes the possibility of compromising the older certificate). The system uses a 2048-bit RSA key and SHA-256 hash when you generate certificates.

SSL connections and security levels

The system uses SSL connections to control access to the management GUI, the service assistant GUI, the key server, and CIMON. SSL connections use security ciphers to help control access.

You can use security ciphers that are supported by different levels of SSL. Each level supports ciphers that provide differing strengths of encryption. You can set the security level to level 4 to be compliant with the NIST 800-131a standard. You can set the security level to level 2 and use the hashing algorithm SHA-1 for message authentication.

You can set the security level to level 1, but some of the encryption algorithms that are available for use are not approved by either NIST 800-131a or FIPS 140-2. Security level 4 is the maximum level supported. SSL security level 1 is the lowest security level currently supported.

Security level 0 is no longer supported.

Note: SSL security level 3 is the level to use if the system that is connecting to the host system supports the TLS 1.2 SSL protocol. Ciphers that are supported by security levels 2 and 1 are not supported for level 3.

SSL levels and security ciphers supported at those levels

SSL security level 4 supports the TLS 1.2 SSL protocol. Protocols supported at level 4 displays what security levels are supported at security level 4.
Table 1. Protocols supported at level 4
SSL level Is it supported?
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 and earlier No
Java SSL ciphers supported at security level 4 displays Java SSL ciphers that are supported at security level 4.
Table 2. Java SSL ciphers supported at security level 4
Java SSL ciphers
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
OpenSSL ciphers supported at level 4 (chsecurity -sslprotocol 4) displays OpenSSL security ciphers that are supported by security level 4.
Table 3. OpenSSL ciphers supported at level 4 (chsecurity -sslprotocol 4)
Cipher Kx Au Enc Mac
ECDHE-ECDSA-AES256-GCM-SHA384 ECDH ECDSA AESGCM(256) AEAD
DHE-DSS-AES256-GCM-SHA384 DH DSS AESGCM(256) AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 ECDH ECDSA AESGCM(128) AEAD
DHE-DSS-AES128-GCM-SHA256 DH DSS AESGCM(128) AEAD
SSL security level 3 supports the TLS 1.2 SSL protocol. Protocols supported at level 3 displays what security levels are supported at security level 3.
Table 4. Protocols supported at level 3
SSL level Is it supported?
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 and earlier No
Java SSL ciphers supported at security level 3 displays Java SSL ciphers that are supported at security level 3.
Table 5. Java SSL ciphers supported at security level 3
Java SSL ciphers
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
OpenSSL ciphers supported at level 3 (chsecurity -sslprotocol 3) displays OpenSSL security ciphers that are supported by security level 3.
Table 6. OpenSSL ciphers supported at level 3 (chsecurity -sslprotocol 3)
Cipher Kx Au Enc Mac
ECDHE-RSA-AES256-GCM-SHA384 ECDH RSA AESGCM(256) AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 ECDH ECDSA AESGCM(256) AEAD
ECDHE-RSA-AES256-SHA384 ECDH RSA AES(256) SHA384
ECDHE-ECDSA-AES256-SHA384 ECDH ECDSA AES(256) SHA384
DHE-DSS-AES256-GCM-SHA384 DH DSS AESGCM(256) AEAD
DHE-RSA-AES256-GCM-SHA384 DH RSA AESGCM(256) AEAD
DHE-RSA-AES256-SHA256 DH RSA AES(256) SHA256
ECDH-RSA-AES256-GCM-SHA384 E ECDH/RSA ECDH AESGCM(256) AEAD
ECDH-ECDSA-AES256-GCM-SHA384 ECDH/ECDSA ECDH AESGCM(256) AEAD
ECDH-RSA-AES256-SHA384 ECDH/RSA ECDH AES(256) SHA384
ECDH-ECDSA-AES256-SHA384 ECDH/ECDSA ECDH AES(256) SHA384
AES256-GCM-SHA384 RSA RSA AESGCM(256) AEAD
AES256-SHA256 RSA RSA AES(256) SHA256
ECDHE-RSA-AES128-GCM-SHA256 ECDH RSA AESGCM(128) AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 ECDH ECDSA AESGCM(128) AEAD
ECDHE-RSA-AES128-SHA256 ECDH RSA AES(128) SHA256
ECDHE-ECDSA-AES128-SHA256 ECDH ECDSA AES(128) SHA256
DHE-DSS-AES128-GCM-SHA256 DH DSS AESGCM(128) AEAD
DHE-RSA-AES128-GCM-SHA256 DH RSA AESGCM(128) AEAD
DHE-RSA-AES128-SHA256 DH RSA AES(128) SHA256
DHE-DSS-AES128-SHA256 DH DSS AES(128) SHA256
ECDH-RSA-AES128-GCM-SHA256 ECDH/RSA ECDH AESGCM(128) AEAD
ECDH-ECDSA-AES128-GCM-SHA256 ECDH/ECDSA ECDH AESGCM(128) AEAD
ECDH-RSA-AES128-SHA256 ECDH/RSA ECDH AES(128) SHA256
ECDH-ECDSA-AES128-SHA256 ECDH/ECDSA ECDH AES(128) SHA256
AES128-GCM-SHA256 RSA RSA AESGCM(128) AEAD
AES128-SHA256 RSA RSA AES(128) SHA256
SSL security level 2 also supports the TLS 1.2 SSL protocol. Protocols supported at level 2 displays what security levels are supported at security level 2.
Table 7. Protocols supported at level 2
SSL level Is it supported?
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 and earlier No
Java SSL ciphers supported at level 2 displays Java SSL ciphers that are supported at security level 2.
Table 8. Java SSL ciphers supported at level 2
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
OpenSSL ciphers supported at level 2 (chsecurity -sslprotocol 2) displays OpenSSL security ciphers that are supported by security level 2.
Table 9. OpenSSL ciphers supported at level 2 (chsecurity -sslprotocol 2)
Cipher Kx Au Enc Mac
ECDHE-RSA-AES256-GCM-SHA384 ECDH RSA AESGCM(256) AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 ECDH ECDSA AESGCM(256) AEAD
ECDHE-RSA-AES256-SHA384 ECDH RSA AES(256) SHA384
ECDHE-ECDSA-AES256-SHA384 ECDH ECDSA AES(256) SHA384
DHE-DSS-AES256-GCM-SHA384 DH DSS AESGCM(256) AEAD
DHE-RSA-AES256-GCM-SHA384 DH RSA AESGCM(256) AEAD
DHE-RSA-AES256-SHA256 DH RSA AES(256) SHA256
ECDH-RSA-AES256-GCM-SHA384 E ECDH/RSA ECDH AESGCM(256) AEAD
ECDH-ECDSA-AES256-GCM-SHA384 ECDH/ECDSA ECDH AESGCM(256) AEAD
ECDH-RSA-AES256-SHA384 ECDH/RSA ECDH AES(256) SHA384
ECDH-ECDSA-AES256-SHA384 ECDH/ECDSA ECDH AES(256) SHA384
AES256-GCM-SHA384 RSA RSA AESGCM(256) AEAD
AES256-SHA256 RSA RSA AES(256) SHA256
AES256-SHA RSA RSA AES(256) SHA1
ECDHE-RSA-AES128-GCM-SHA256 ECDH RSA AESGCM(128) AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 ECDH ECDSA AESGCM(128) AEAD
ECDHE-RSA-AES128-SHA256 ECDH RSA AES(128) SHA256
ECDHE-ECDSA-AES128-SHA256 ECDH ECDSA AES(128) SHA256
DHE-DSS-AES128-GCM-SHA256 DH DSS AESGCM(128) AEAD
DHE-RSA-AES128-GCM-SHA256 DH RSA AESGCM(128) AEAD
DHE-RSA-AES128-SHA256 DH RSA AES(128) SHA256
DHE-DSS-AES128-SHA256 DH DSS AES(128) SHA256
ECDH-RSA-AES128-GCM-SHA256 ECDH/RSA ECDH AESGCM(128) AEAD
ECDH-ECDSA-AES128-GCM-SHA256 ECDH/ECDSA ECDH AESGCM(128) AEAD
ECDH-RSA-AES128-SHA256 ECDH/RSA ECDH AES(128) SHA256
ECDH-ECDSA-AES128-SHA256 ECDH/ECDSA ECDH AES(128) SHA256
AES128-GCM-SHA256 RSA RSA AESGCM(128) AEAD
AES128-SHA256 RSA RSA AES(128) SHA256
AES128-SHA RSA RSA AES(128) SHA1
DES-CBC3-SHA RSA RSA 3DES(168) SHA1
Protocols supported at level 1 displays what security levels are supported at security level 1.
Table 10. Protocols supported at level 1
SSL level Supported?
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 No
SSL 3 and earlier No
Java SSL ciphers supported at level 1 shows Java SSL ciphers that are supported by security level 1.
Table 11. Java SSL ciphers supported at level 1
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
OpenSSL ciphers supported at level 1 (chsecurity -sslprotocol 1) displays OpenSSL security ciphers that are supported by security level 1.
Table 12. OpenSSL ciphers supported at level 1 (chsecurity -sslprotocol 1)
Cipher Kx Au Enc Mac
ECDHE-RSA-AES256-GCM-SHA384 ECDH RSA AESGCM(256) AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 ECDH ECDSA AESGCM(256) AEAD
ECDHE-RSA-AES256-SHA384 ECDH RSA AES(256) SHA384
ECDHE-ECDSA-AES256-SHA384 ECDH ECDSA AES(256) SHA384
ECDHE-RSA-AES256-SHA ECDH RSA AES(256) SHA1
ECDHE-ECDSA-AES256-SHA ECDH ECDSA AES(256) SHA1
DHE-DSS-AES256-GCM-SHA384 DH DSS AESGCM(256) AEAD
DHE-RSA-AES256-GCM-SHA384 DH RSA AESGCM(256) AEAD
DHE-RSA-AES256-SHA256 DH RSA AES(256) SHA256
DHE-DSS-AES256-SHA256 DH DSS AES(256) SHA256
DHE-RSA-AES256-SHA DH RSA AES(256) SHA1
DHE-DSS-AES256-SHA DH DSS AES(256) SHA1
DHE-RSA-CAMELLIA256-SHA DH RSA Camellia(256) SHA1
DHE-DSS-CAMELLIA256-SHA DH DSS Camellia(256) SHA1
ECDH-RSA-AES256-GCM-SHA384 E ECDH/RSA ECDH AESGCM(256) AEAD
ECDH-ECDSA-AES256-GCM-SHA384 ECDH/ECDSA ECDH AESGCM(256) AEAD
ECDH-RSA-AES256-SHA384 ECDH/RSA ECDH AES(256) SHA384
ECDH-ECDSA-AES256-SHA384 ECDH/ECDSA ECDH AES(256) SHA384
ECDH-RSA-AES256-SHA ECDH/RSA ECDH AES(256) SHA1
ECDH-ECDSA-AES256-SHA ECDH/ECDSA ECDH AES(256) SHA1
AES256-GCM-SHA384 RSA RSA AESGCM(256) AEAD
AES256-SHA256 RSA RSA AES(256) SHA256
AES256-SHA RSA RSA AES(256) SHA1
CAMELLIA256-SHA RSA RSA Camellia(256) SHA1
PSK-AES256-CBC-SHA PSK PSK AES(256) SHA1
ECDHE-RSA-AES128-GCM-SHA256 ECDH RSA AESGCM(128) AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 ECDH ECDSA AESGCM(128) AEAD
ECDHE-RSA-AES128-SHA256 ECDH RSA AES(128) SHA256
ECDHE-ECDSA-AES128-SHA256 ECDH ECDSA AES(128) SHA256
ECDHE-RSA-AES128-SHA ECDH RSA AES(128) SHA1
ECDHE-ECDSA-AES128-SHA ECDH ECDSA AES(128) SHA1
DHE-DSS-AES128-GCM-SHA256 DH DSS AESGCM(128) AEAD
DHE-RSA-AES128-GCM-SHA256 DH RSA AESGCM(128) AEAD
DHE-RSA-AES128-SHA256 DH RSA AES(128) SHA256
DHE-DSS-AES128-SHA256 DH DSS AES(128) SHA256
DHE-RSA-AES128-SHA DH RSA AES(128) SHA1
DHE-DSS-AES128-SHA DH DSS AES(128) SHA1
ECDHE-RSA-DES-CBC3-SHA ECDH RSA 3DES(168) SHA1
ECDHE-ECDSA-DES-CBC3-SHA ECDH ECDSA 3DES(168) SHA1
DHE-RSA-SEED-SHA DH RSA SEED(128) SHA1
DHE-DSS-SEED-SHA DH DSS SEED(128) SHA1
DHE-RSA-CAMELLIA128-SHA DH RSA Camellia(128) SHA1
DHE-DSS-CAMELLIA128-SHA DH DSS Camellia(128) SHA1
EDH-RSA-DES-CBC3-SHA DH RSA 3DES(168) SHA1
EDH-DSS-DES-CBC3-SHA DH DSS 3DES(168) SHA1
ECDH-RSA-AES128-GCM-SHA256 ECDH/RSA ECDH AESGCM(128) AEAD
ECDH-ECDSA-AES128-GCM-SHA256 ECDH/ECDSA ECDH AESGCM(128) AEAD
ECDH-RSA-AES128-SHA256 ECDH/RSA ECDH AES(128) SHA256
ECDH-ECDSA-AES128-SHA256 ECDH/ECDSA ECDH AES(128) SHA256
ECDH-RSA-AES128-SHA ECDH/RSA ECDH AES(128) SHA1
ECDH-ECDSA-AES128-SHA ECDH/ECDSA ECDH AES(128) SHA1
ECDH-RSA-DES-CBC3-SHA ECDH/RSA ECDH 3DES(168) SHA1
ECDH-ECDSA-DES-CBC3-SHA ECDH/ECDSA ECDH 3DES(168) SHA1
AES128-GCM-SHA256 RSA RSA AESGCM(128) AEAD
AES128-SHA RSA RSA AES(128) SHA1
SEED-SHA RSA RSA SEED(128) SHA1
CAMELLIA128-SHA RSA RSA Camellia(128) SHA1
DES-CBC3-SHA RSA RSA AES(168) SHA256
PSK-AES128-CBC-SHA PSK PSK AES(128) SHA1
PSK-3DES-EDE-CBC-SHA PSK PSK 3DES(168) SHA1
KRB5-DES-CBC3-SHA KRB5 KRB5 3DES(168) SHA1

TCP and UDP ports

You can use firewall protections that restrict Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports. You can use external network communications to connect to these ports. TCP and UDP ports that are supported lists all supported ports and describes how they can be used.
Table 13. TCP and UDP ports that are supported
Service Traffic direction Protocol Port Service type
Email (SMTP) notification and inventory reports Outbound TCP 25 Optional
SNMP event notification Outbound UDP 162 Optional
Syslog event notification Outbound UDP 514 Optional
IPv4 DHCP (Node service address) Outbound UDP 68 Optional
IPv6 DHCP (Node service address) Outbound UDP 547 Optional
Network time server (NTP) Outbound UDP 123 Optional
SSH for command line interface (CLI) access Inbound TCP 22 Mandatory
HTTP to HTTPS redirect for GUI access Inbound TCP 80 Optional
HTTPS redirect for GUI access Inbound TCP 443 Mandatory
HTTP to HTTPS redirect for GUI access Inbound TCP 8080 Optional
HTTPS for GUI access Inbound TCP 8443 Mandatory
CIMOM (HTTPS) Inbound TCP 5989 Optional
CIMOM SLPD Inbound UDP 427 Optional
Remote user authentication service - HTTP Outbound TCP 16310 Optional
Remote user authentication service - HTTPS Outbound TCP 16311 Optional
Remote user authentication service - Lightweight Directory Access Protocol (LDAP) Outbound TCP 389 Optional
iSCSI Inbound TCP 3260 Optional
iSCSI iSNS Outbound TCP 3260 Optional
IP Partnership management IP communication Inbound TCP 3260 Optional
IP Partnership management IP communication Outbound TCP 3260 Optional
IP Partnership data path connections Inbound TCP 3265 Optional
IP Partnership data path connections Outbound TCP 3265 Optional
Note: The management GUI is accessed by using an SSH connection. For convenience, port 80 is left open but redirects all requests to use an SSH connection. The web server for the management GUI runs as a non-privileged process for more security, and requires these settings:
  • Port 80 to be redirected to port 8080
  • Port 443 to be redirected to port 8443

Security key algorithms

Supported host key (and public key) algorithms include ssh-rsa, ssh-dss, and ssh-ecdsa. These supported SSH ciphers algorithms can be used:
  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • aes128-cbc
These supported message authentication codes can be used:
  • hmac-sha2-256
  • hmac-sha2-512
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • hmac-sha1
At SSH security level 1, the following key exchange algorithms can be used:
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1
  • diffie-hellman-group-exchange-sha1
At SSH security level 2, the following key exchange algorithms can be used:
  • curve25519-sha256
  • curve25519-sha256@libssh.org
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1

Interoperability

At SSL security level 4, Google Chrome Version 63.0.3239.132 and higher and Mozilla Firefox Version 52.7.2 and later are known to work with the management GUI. IBM SDK, Java Technology Edition, Version 8 update 1.8.0_161 and later is known to work with the IP quorum application.