Security requirements
Storwize® V3700 contains many components that use SSL/TLS, both as clients and servers. The requirement to use only strong SSL/TLS ciphers applies to both.
OpenSSL and Java™ SSL on IBM Spectrum Virtualize™ are configured to provide unlimited strength encryption. However, before release 7.6.0.0, IBM Spectrum Virtualize Java SSL was in its default configuration, which supports only up to 128-bit encryption.
Table 1 defines the system settings for the different security levels. When you are configuring a new Storwize V3700 system, the default security level is 1.
Security level | Description | Minimum security allowed |
---|---|---|
1 | Sets the system to disallow SSL version 3.0. | TLS 1.0 |
2 | Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1. | TLS 1.2 |
3 | Sets the system to disallow SSL version 3.0, TLS version 1.0, and TLS version 1.1 and to allow cipher suites that are exclusive to TLS version 1.2. | TLS 1.2 |
Changing the setting for the SSL/TLS levels necessitates restarting
services that use the protocols (Tomcat, OpenPegasus, Curl, LDAP,
Perl library) and causes existing sessions to be terminated. This
action is desirable in that no session is left working on the old
security level. It might take a few minutes for services to become
usable again after you restart the services.
Note: Changing the system
security level might cause the web interface, CIM clients, and other
SSL/TLS clients to stop working. If any clients stop working, refer
to the related tasks section for troubleshooting information.
To learn more about the SSL/TLS security levels and the list of ciphers that are supported by each security level, see Security levels and supported security ciphers.
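
One way to confirm, after the services have restarted, that an endpoint on the system no longer accepts protocol versions below the minimum in Table 1. This is an added example, not IBM code: the host, port and the function names `probe`, `violations` and `audit` are assumptions. It checks only the protocol floor, so it cannot tell level 2 from level 3, which differ in cipher suites.

```python
import socket
import ssl
import sys

# Minimum protocol version per security level, from Table 1 on this page.
LEVEL_MINIMUM = {1: "TLSv1", 2: "TLSv1_2", 3: "TLSv1_2"}
ORDER = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"]  # oldest to newest
# SSLv3 is not probed: current Python/OpenSSL builds can no longer offer it.
PROBEABLE = ["TLSv1", "TLSv1_1", "TLSv1_2"]


def probe(host, port, version, timeout=5.0):
    """Return True if host:port completes a handshake pinned to one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only, no trust decision
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Let the local OpenSSL offer TLS 1.0/1.1 so a refusal comes from the server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    pinned = getattr(ssl.TLSVersion, version)
    ctx.minimum_version = pinned
    ctx.maximum_version = pinned
    sock = socket.create_connection((host, port), timeout=timeout)  # errors propagate
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return True
    except OSError:                  # ssl.SSLError or a reset during the handshake
        return False
    finally:
        sock.close()


def violations(level, accepted):
    """Versions the endpoint accepted that lie below the level's minimum."""
    floor = ORDER.index(LEVEL_MINIMUM[level])
    return [v for v in ORDER[:floor] if accepted.get(v)]


def audit(host, port, level):
    """Probe every testable version; report violations and whether TLS 1.2 works."""
    accepted = {v: probe(host, port, v) for v in PROBEABLE}
    return violations(level, accepted), accepted["TLSv1_2"]


if __name__ == "__main__" and len(sys.argv) == 4:
    # Usage: script.py <management-host> <port> <security-level>
    bad, tls12_ok = audit(sys.argv[1], int(sys.argv[2]), int(sys.argv[3]))
    print("accepted below minimum:", bad or "none", "| TLS 1.2 accepted:", tls12_ok)
```

A refusal of TLS 1.0 or 1.1 is meaningful only if the local OpenSSL build can still offer those versions; a build compiled without them reports a refusal regardless of the server.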