Configuring security level options by using the CLI

At times, you might need to configure or change the Secure Sockets Layer (SSL), Transport Layer Security (TLS), or Secure Shell (SSH) security level settings for a system either to resolve an error or to further restrict the range of protocols that can be used.

To configure or change the security levels on your system, use the chsecurity and lssecurity commands.

The chsecurity and lssecurity command level settings (1, 2, 3, or 4) for the -sslprotocol parameter are defined as shown in the following list:
  • 1 disallows SSL 3.0. (This setting is the system default.)
  • 2 allows TLS 1.2 only.
  • 3 additionally disallows TLS 1.2 cipher suites that are not exclusive to 1.2.
  • 4 additionally disallows RSA key exchange ciphers.
The chsecurity and lssecurity command level settings (1 or 2) for the -sshprotocol parameter are defined as shown in the following list:
  • 1 disallows RSA ciphers for SSH.
  • 2 additionally disallows the diffie-hellman-group14-sha256 and diffie-hellman-group14-sha1 key exchange methods.
To display your current system SSL, TLS, and SSH security settings, enter the following command:
lssecurity
The results show the current setting, as shown in the following example:
sslprotocol:1
sshprotocol:1
To change your SSL or TLS security settings, enter the following command:
chsecurity -sslprotocol security_level
where security_level is either 1, 2, 3, or 4.
To change your SSH security settings, enter the following command:
chsecurity -sshprotocol security_level
where security_level is either 1 or 2.

The chsecurity command can be used to set the ciphers and protocols that are allowed by secure interfaces so that vulnerability to attack can be reduced. However, changing this security level might break the connection to external systems such as web browsers and anything that is connected through CIM such as VMWare provisioning utilities or IBM Spectrum Control software.

Resolve security protocol issues on your system by using the following guidelines and the chsecurity -sslprotocol and chsecurity -sshprotocol commands:
  • Connections can fail because of incompatible protocols. You can use the -sslprotocol parameter to find problems with external systems by changing the SSL interface versions. You can also use this parameter to change the security level back when connections fail because of incompatible protocols that cannot be fixed currently.
  • Remote access to the management GUI can be lost if the security level is set above the minimum default level and the web browser is not set up to use the same level. If you cannot increase the security level of the web browser, use the chsecurity command to reduce the security level.
  • User authorization management by using an LDAP server might fail if the security level is set above the minimum default level and the LDAP server is not set up to use the same level. If you cannot increase the security level of the LDAP server, you might need to use the chsecurity command to reduce the security level.
  • External management systems that connect through CIM, such as some VMWare provisioning utilities and Tivoli Storage Manager, might fail to connect to the system in certain situations. For example, such a failure might occur if the security level is set above the minimum default level and the external system is not set up to use the same protocol levels. If you cannot increase the security level of the external system, you might need to use the chsecurity command to reduce the security level.