Security requirements

The system contains many components that use SSL/TLS, both as clients and servers. The requirement to use only strong SSL/TLS ciphers applies to both.

OpenSSL and Java SSL on IBM Spectrum Virtualize are configured to provide unlimited strength encryption. However, before release 7.6.0.0, IBM Spectrum Virtualize Java SSL was in its default configuration, which supports only up to 128-bit encryption.

Table 1 defines the system settings for the different security levels. When you are configuring a new system, the default security level is 1.

Table 1. Supported SSL/TLS security levels.

| Security level | Description | Minimum security allowed |
|---|---|---|
| 1 | Sets the system to disallow SSL version 3.0. | TLS 1.0 |
| 2 | Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1. | TLS 1.2 |
| 3 | Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1 and to allow cipher suites that are exclusive to TLS version 1.2. | TLS 1.2 |
| 4 | Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1 and to allow cipher suites that are exclusive to TLS version 1.2. Sets the system to disallow RSA key exchange ciphers, RSA ciphers for SSH. | TLS 1.2 |

Changing the setting for the SSL/TLS levels necessitates restarting services that use the protocols (Tomcat, OpenPegasus, Curl, LDAP, Perl library) and causes existing sessions to be terminated. This action is desirable in that no session is left working on the old security level. It might take a few minutes for services to become usable again after you restart the services.
Note: Changing the system security level might cause the web interface, CIM clients, and other SSL/TLS clients to stop working. If any clients stop working, refer to the related tasks section for troubleshooting information.

To learn more about the SSL/TLS security levels and the list of ciphers that are supported by each security level, see Security levels and supported security ciphers.
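
A way to check ahead of time whether a client's TLS settings would still connect after the security level is raised, which the note above warns can break clients. This is an added example, not IBM code: it uses Python's ssl module, treats OpenSSL's "TLSv1.2" protocol tag as "exclusive to TLS version 1.2", skips TLS 1.3 suites because Table 1 does not cover them, and uses constructed cipher lists. The authoritative cipher list for each level is in the topic referenced above.

```python
import ssl

# Minimum protocol per security level, taken from Table 1.
LEVEL_MIN = {
    1: ssl.TLSVersion.TLSv1,
    2: ssl.TLSVersion.TLSv1_2,
    3: ssl.TLSVersion.TLSv1_2,
    4: ssl.TLSVersion.TLSv1_2,
}


def usable_ciphers(ctx, level):
    """Names of the ciphers in ctx that the given level would still accept."""
    names = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # assumption: Table 1 does not cover TLS 1.3, so skip its suites
        if level >= 3 and c["protocol"] != "TLSv1.2":
            continue  # levels 3 and 4: only suites exclusive to TLS 1.2
        if level >= 4 and c["kea"] == "kx-rsa":
            continue  # level 4: no RSA key exchange
        names.append(c["name"])
    return names


def client_survives(ctx, level):
    """True if the client can still reach a system set to this level."""
    top = ctx.maximum_version
    if top != ssl.TLSVersion.MAXIMUM_SUPPORTED and top < LEVEL_MIN[level]:
        return False  # client is capped below the level's minimum protocol
    return bool(usable_ciphers(ctx, level))


def make_client(cipher_string):
    """Constructed sample client; cipher_string is an OpenSSL cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx


# Constructed samples: an older client and a TLS 1.2 client.
LEGACY = "AES128-SHA:AES256-SHA"
MODERN = "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"

if __name__ == "__main__":
    for label, spec in (("legacy", LEGACY), ("modern", MODERN)):
        ctx = make_client(spec)
        print(label, {lvl: client_survives(ctx, lvl) for lvl in LEVEL_MIN})
```

Run the same functions against the SSLContext your own client actually builds to see which level would cut it off before you change the setting.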