chsecurity

Use the chsecurity command to change the Secure Sockets Layer (SSL), Secure Shell (SSH), or Transport Layer Security (TLS) security settings for a system.

Syntax

chsecurity { -sslprotocol security_level | -sshprotocol security_level }

Parameters

Remember: These parameters are mutually exclusive. You must specify -sslprotocol or -sshprotocol, not both.
-sslprotocol security_level
(Required) Specifies the numeric value for the SSL security level setting, which can take any value from 1 to 4. A setting of 3 is the default value.
A security level setting of:
  • 1 disallows SSL 3.0.
  • 2 allows TLS 1.2 only.
  • 3 additionally disallows TLS 1.2 cipher suites that are not exclusive to 1.2.
  • 4 additionally disallows RSA key exchange ciphers.
-sshprotocol security_level
(Required) Specifies the numeric value for the SSH security level setting, which can take a value of 1 or 2. A setting of 1 is the default value.
A security level setting of:
  • 1 allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
    • diffie-hellman-group1-sha1
    • diffie-hellman-group-exchange-sha1
  • 2 allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
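
A pre-change check for the SSH levels listed above, as an added example that is not part of the product documentation: it classifies a client's key exchange methods against the level 1 and level 2 lists to show which clients lose access when the level is raised to 2. The function names, result labels and client inventory are hypothetical and constructed; on an OpenSSH client, ssh -Q kex prints the methods it supports.

```shell
#!/bin/sh
# Key exchange lists copied from the -sshprotocol level descriptions above.
LEVEL2_KEX="curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 \
ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 \
diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 \
diffie-hellman-group14-sha256 diffie-hellman-group14-sha1"
LEVEL1_KEX="$LEVEL2_KEX diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"

# common_kex LEVEL METHOD...: print the client methods allowed at LEVEL,
# in the client's own order (hypothetical helper).
common_kex() {
  case "$1" in
    1) allowed=$LEVEL1_KEX ;;
    2) allowed=$LEVEL2_KEX ;;
    *) return 2 ;;
  esac
  shift
  out=""
  for k in "$@"; do
    # Space-delimited match so group14-sha1 never matches group14-sha256.
    case " $allowed " in
      *" $k "*) out="${out:+$out }$k" ;;
    esac
  done
  printf '%s' "$out"
}

# classify_client METHOD...: print one of the hypothetical labels below.
classify_client() {
  l1=$(common_kex 1 "$@")
  l2=$(common_kex 2 "$@")
  if [ -z "$l1" ]; then echo "no-common-kex"
  elif [ -z "$l2" ]; then echo "breaks-at-level-2"
  elif [ "$l2" = "diffie-hellman-group14-sha1" ]; then echo "level-2-sha1-only"
  else echo "ok-at-level-2"
  fi
}

# Constructed inventory, one client per line: "name method,method,...".
SAMPLE_CLIENTS='backup-script diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
old-appliance diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
admin-laptop curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'

report() {
  printf '%s\n' "$SAMPLE_CLIENTS" | while read -r name kex; do
    printf '%-14s %s\n' "$name" "$(classify_client $(printf '%s' "$kex" | tr ',' ' '))"
  done
}
report
```

Clients reported as breaks-at-level-2 offer only the two methods that level 2 removes and need a client update before chsecurity -sshprotocol 2 is applied.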

Description

This command changes the SSL, SSH, or TLS security settings on a system.
Important: If you use SSL or TLS, changing the security could disrupt these services.
If this occurs:
  1. Wait 5 minutes and try again. (Wait for any services to restart.)
  2. Confirm that the SSL or TLS implementation is up to date and supports the specified level of security.
  3. If necessary, revert to an earlier version of SSL or TLS security.

An invocation example

chsecurity -sslprotocol 4

The resulting output:

Changing the SSL security level could disable the GUI connection on old web browsers, 
and changing the SSH security level may logout existing SSH sessions. Are you sure you wish to continue? (y/yes to confirm)

An invocation example

chsecurity -sshprotocol 2

The resulting output:

Changing the SSL security level could disable the GUI connection on old web browsers, 
and changing the SSH security level may logout existing SSH sessions. Are you sure you wish to continue? (y/yes to confirm)