At times, you might need to configure or change
the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) security
level settings for a system either to resolve an error or to further
restrict the range of protocols that can be used.
To configure or change the security levels
on your system, use the chsecurity and lssecurity commands.
The
chsecurity and
lssecurity command level settings (1, 2,
or 3) for the
-sslprotocol parameter are defined as shown in the following list:
- 1 disallows SSL 3.0. (This setting is the system default.)
- 2 allows TLS 1.2 only.
- 3 additionally disallows TLS 1.2 cipher suites that are not exclusive to 1.2.
To display your current system SSL or TLS security settings,
enter the following command:
lssecurity
The
results show the current setting, such as
sslprotocol:1.
To
change your SSL or TLS security settings, enter the following command:
chsecurity -sslprotocol security_level
where security_level is
either 1, 2, or 3. The chsecurity -sslprotocol security_level command can be
used to set the ciphers and protocols that are allowed by secure interfaces so that vulnerability to
attack can be reduced. However, changing this security level might break the connection to external
systems such as web browsers and anything that is connected through CIM such as VMWare provisioning
utilities or IBM Spectrum Control software.
To
resolve security protocol issues on your system, follow these guidelines.
- Use the -sslprotocol parameter to find problems
with external systems by changing the SSL interface versions. You
can also use this parameter to change the security level back when
connections fail because of incompatible protocols that cannot be
fixed currently.
- Remote access to the management GUI can
be lost if the security level is set above the minimum default level
and the web browser is not set up to use the same level. If you cannot
increase the security level of the web browser, use the chsecurity
-sslprotocol CLI to reduce the security level.
- User authorization management by using an LDAP
server might fail if the security level is set above the minimum default
level and the LDAP server is not set up to use the same level. If
you cannot increase the security level of the LDAP server, you might
need to use the chsecurity -sslprotocol CLI to reduce
the security level.
- External management systems that connect through
CIM, such as some VMWare provisioning utilities and Tivoli Storage
Manager, might fail to connect to the system in certain situations.
For example, such a failure might occur if the security level is set
above the minimum default level and the external system is not set
up to use the same protocol levels. If you cannot increase the
security level of the external system, you might need to use the chsecurity
-sslprotocol CLI to reduce the security level.