DATA_SSL_CIPHER_LIST - UDM Server configuration option

Owned by Stonebranch (Deactivated)
Last updated: Mar 07, 2023

Description

The DATA_SSL_CIPHER_LIST option specifies the acceptable and preferred SSL/TLS cipher suites to use for the data session on which file data is transferred between UDM primary and secondary servers.

The SSL/TLS protocol uses the cipher suites to specify which encryption and message authentication (or message digest) algorithms to use.

Usage

Method

Syntax

IBM i

UNIX

Windows

z/OS

Configuration File Keyword

data_ssl_cipher_list list

(tick)

(tick)

(tick)

(tick)

Values

list is a comma-separated list of SSL/TLS cipher suites. The cipher suites should be listed with the most preferred cipher suite first and the least preferred cipher suite last.

Cipher Suite Name

Description

AES256-GCM-SHA384

256-bit AES encryption in Galois Counter Mode, SHA-2 384-bit message digest.

AES256-SHA

256-bit AES encryption with SHA-1 message digest.

AES128-GCM-SHA256

128-bit AES encryption in Galois Counter Mode, SHA-2 256-bit message digest.

AES128-SHA

128-bit AES encryption with SHA-1 message digest.

ECDHE-RSA-AES256-GCM-SHA384Ephemeral Elliptic Curve Diffie-Hellman Key Exchange, RSA authentication, 256-bit AES encryption in Galois Counter Mode, SHA-2 384-bit message digest.
ECDHE-ECDSA-AES256-GCM-SHA384Ephemeral Elliptic Curve Diffie-Hellman Key Exchange, ECDSA authentication, 256-bit AES encryption in Galois Counter Mode, SHA-2 384-bit message digest.
ECDHE-RSA-AES128-GCM-SHA256Ephemeral Elliptic Curve Diffie-Hellman Key Exchange, RSA authentication, 128-bit AES encryption in Galois Counter Mode, SHA-2 256-bit message digest.
ECDHE-ECDSA-AES128-GCM-SHA256Ephemeral Elliptic Curve Diffie-Hellman Key Exchange, ECDSA authentication, 128-bit AES encryption in Galois Counter Mode, SHA-2 256-bit message digest.

RC4-SHA

128-bit RC4 encryption with SHA-1 message digest.

RC4-MD5

128-bit RC4 encryption with MD5 message digest.

DES-CBC3-SHA

128-bit Triple-DES encryption with SHA-1 message digest.

DES-CBC-SHA
                                     

128-bit DES encryption with SHA-1 message digest.
 

Note

As of Universal Agent 6.7.0.0, DES-CBC-SHA is supported only on HP-UX.
 
Additionally, any Agents on HP-UX that accept connections from, or attempt connections to, Agents on other platforms must be configured with at least one currently supported cipher suite besides DES-CBC-SHA. Therefore, those HP-UX Agents cannot be configured only with DES-CBC-SHA in their list of cipher suites.

NULL-SHA256

No encryption and SHA-2 256-bit message digest.

NULL-SHA

No encryption and SHA-1 message digest.

NULL-MD5

No encryption and MD5 message digest.

NULL-NULL

No encryption, no data authentication, SSL/TLS is not used; instead, Universal V2 Protocol(UNVv2) is used.


Default is AES256-GCM-SHA384,AES256-SHA,AES128-GCM-SHA256,AES128-SHA,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,RC4-SHA,RC4-MD5,DES-CBC3-SHA,NULL-SHA,NULL-SHA256,NULL-MD5.

Note

In order to establish a transfer session without using SSL for the data session, the NULL-NULL cipher must be specified in the cipher list for any UDM Server involved in the session and in the encrypt option of the open command.