Configuring security level options using the CLI

At times, you might need to configure or change the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) security level settings for a system either to resolve an error or to further restrict the range of protocols that can be used.

To configure or change the security levels on your system, use the chsecurity and lssecurity commands.

The chsecurity and lssecurity command level settings are defined as follows:
  • 1 disallows SSL 3.0. (This setting is the system default.)
  • 2 allows TLS 1.2 only
  • 3 additionally disallows TLS 1.2 cipher suites that are not exclusive to 1.2
To display your current system SSL or TLS security settings, enter the following command:
lssecurity
The results show the current setting, such as sslprotocol:1.
To change your SSL or TLS security settings, enter the following command:
chsecurity -sslprotocol security_level
where security_level is either 1, 2, or 3.

The chsecurity -sslprotocol security_level command can be used to set the ciphers and protocols that are allowed by secure interfaces so that vulnerability to attack can be reduced. Changing this security level, however, might break the connection to external systems such as web browsers and anything that is connected through CIM such as VMWare provisioning utilities or Spectrum Control software.

To resolve security protocol issues on your system, follow these guidelines.
  • Use the -sslprotocol parameter to find problems with external systems by changing the SSL interface versions. You can also use this parameter to change the security level back when connections fail because of incompatible protocols that cannot be fixed currently.
  • Remote access to the management GUI can be lost if the security level is set above the minimum default level and the web browser is not set up to use the same level. If you cannot increase the security level of the web browser, use the chsecurity -sslprotocol CLI to reduce the security level.
  • User authorization management by using an LDAP server might fail if the security level is set above the minimum default level and the LDAP server is not set up to use the same level. If you cannot increase the security level of the LDAP server, you might need to use the chsecurity -sslprotocol CLI to reduce the security level.
  • External management systems that connect through CIM, such as some VMWare provisioning utilities and Tivoli Storage Manager, might fail to connect to the system in certain situations. For example, such a failure might occur if the security level is set above the minimum default level and the external system is not set up to use the same protocol levels. If you cannot increase the security level of the external system, you might need to use the chsecurity -sslprotocol CLI to reduce the security level.