At times, you might need to configure or change the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), or Secure Shell (SSH) security level settings for a system either
to resolve an error or to further restrict the range of protocols that can be used.
To configure or change the security levels on your system, use the
chsecurity and lssecurity commands.
The
chsecurity and lssecurity command level settings (1, 2,
3, or 4) for the -sslprotocol parameter are defined as shown in the
following list:- 1 disallows SSL 3.0. (This setting is the system default.)
- 2 allows TLS 1.2 only.
- 3 additionally disallows TLS 1.2 cipher suites that are not exclusive to 1.2.
- 4 additionally disallows RSA key exchange ciphers.
The
chsecurity and
lssecurity command level settings (1 or 2) for the
-sshprotocol parameter are defined as shown in the following list:
- 1 disallows RSA ciphers for SSH.
- 2 additionally disallows the diffie-hellman-group14-sha256 and diffie-hellman-group14-sha1
key exchange methods.
To display your current system SSL, TLS, and SSH security settings,
enter the following command:
lssecurity
The results show the current
setting, as shown in the following
example:
sslprotocol:1
sshprotocol:1
To change your SSL or TLS
security settings, enter the following command:
chsecurity -sslprotocol security_level
where security_level is either 1, 2, 3, or 4.
To change your SSH security settings, enter the following
command:
chsecurity -sshprotocol security_level
where
security_level is either 1 or 2.
The
chsecurity command can be used to set the ciphers and protocols that are
allowed by secure interfaces so that vulnerability to attack can be reduced. However, changing
this security level might break the connection to external systems such as web browsers and
anything that is connected through CIM such as VMWare provisioning utilities or IBM Spectrum Control software.
Resolve security protocol issues on your system by using the following
guidelines and the chsecurity -sslprotocol and chsecurity
-sshprotocol commands:- Connections can fail because of incompatible protocols. You can use the
-sslprotocol parameter to find problems with external systems by changing
the SSL interface versions. You can also use this parameter to change the security level back
when connections fail because of incompatible protocols that cannot be fixed currently.
- Remote access to the management GUI can
be lost if the security level is set above the minimum default level and the web browser is
not set up to use the same level. If you cannot increase the security level of the web
browser, use the chsecurity command to reduce the security level.
- User authorization management by using an LDAP server might fail if the security level is
set above the minimum default level and the LDAP server is not set up to use the same level.
If you cannot increase the security level of the LDAP server, you might need to use the
chsecurity command to reduce the security level.
- External management systems that connect through CIM, such as some VMWare provisioning
utilities and Tivoli Storage Manager, might fail to connect to the system in certain
situations. For example, such a failure might occur if the security level is set above the
minimum default level and the external system is not set up to use the same protocol levels.
If you cannot increase the security level of the external system, you might need to use the
chsecurity command to reduce the security level.