CTL_SSL_CIPHER_LIST - UDM Manager configuration option

Description

The CTL_SSL_CIPHER_LIST option specifies the acceptable and preferred SSL/TLS cipher suites to use for the control session between UDM components, or it can be used to disable the SSL/TLS protocol.

The SSL/TLS protocol uses the cipher suites to specify which encryption and message authentication (or message digest) algorithms to use.

Usage

Method

Syntax

IBM i

UNIX

Windows

z/OS

Command Line, Short Form

n/a





Command Line, Long Form

-ctl_ssl_cipher_list list


(tick)

(tick)

(tick)

Environment Variable

UDMCTLSSLCIPHERLIST=list

(tick)

(tick)

(tick)


Configuration File Keyword

ctl_ssl_cipher_list list

(tick)

(tick)

(tick)

(tick)

STRUDM Parameter

CTLCPHRLST(cipherlist)

(tick)




Values

list is a comma-separated list of SSL/TLS cipher suites. The following table identifies the list of SSL/TLS cipher suites supported for this option.

The list is in default order, with the most preferred suite first and the least preferred suite last.
 

Cipher Suite Name

Description

AES256-GCM-SHA384

256-bit AES encryption in Galois Counter Mode, SHA-2 384-bit message digest.

AES256-SHA

256-bit AES encryption with SHA-1 message digest.

AES128-GCM-SHA256

128-bit AES encryption in Galois Counter Mode, SHA-2 256-bit message digest.

AES128-SHA

128-bit AES encryption with SHA-1 message digest.

RC4-SHA

128-bit RC4 encryption with SHA-1 message digest.

RC4-MD5

128-bit RC4 encryption with MD5 message digest.

DES-CBC3-SHA

128-bit Triple-DES encryption with SHA-1 message digest.

DES-CBC-SHA
                                     

128-bit DES encryption with SHA-1 message digest.
 

Note

As of Universal Agent 6.7.0.0, DES-CBC-SHA is supported only on HP-UX.
 
Additionally, any Agents on HP-UX that accept connections from, or attempt connections to, Agents on other platforms must be configured with at least one currently supported cipher suite besides DES-CBC-SHA. Therefore, those HP-UX Agents cannot be configured only with DES-CBC-SHA in their list of cipher suites.

NULL-SHA256

No encryption and SHA-2 256-bit message digest.

NULL-SHA

No encryption and SHA-1 message digest.

NULL-MD5

No encryption and MD5 message digest.

NULL-NULL

No encryption, no data authentication, SSL is not used; instead, Universal V2 Protocol (UNVv2) is used.

A single value of NULL-NULL instead of the list disables the SSL/TLS protocol. The legacy Universal Products (UNVv2) protocol without encryption and message authentication is used instead of SSL/TLS.

No data privacy or data integrity is provided with the UNVv2 network communications protocol.

NULL-NULL can be specified if the UDM Server ENCRYPT_CONTROL_SESSION configuration option value is no.