chsecurity

Use the chsecurity command to change the Secure Sockets Layer (SSL), Secure Shell (SSH), or Transport Layer Security (TLS) security settings for a system.

Syntax

Read syntax diagramSkip visual syntax diagram
>>-chsecurity-- --+- -sslprotocol--security_level-+------------><
                  '- -sshprotocol--security_level-'   

Parameters

Remember: These parameters are mutually exclusive. You must specify -sslprotocol or -sshprotocol, not both.
-sslprotocol security_level
(Required) Specifies the numeric value for the SSL security level setting, which can take any value from 1 to 4. A setting of 3 is the default value.
A security level setting of:
  • 1 disallows SSL 3.0.
  • 2 allows TLS 1.2 only.
  • 3 additionally disallows TLS 1.2 cipher suites that are not exclusive to 1.2.
  • 4 additionally disallows RSA key exchange ciphers.
-sshprotocol security_level
(Required) Specifies the numeric value for the SSH security level setting, which can take a value of 1 or 2. A setting of 1 is the default value.
A security level setting of:
  • 1 allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
    • diffie-hellman-group1-sha1
    • diffie-hellman-group-exchange-sha1
  • 2 allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1

Description

This command changes the SSL, SSH, or TLS security settings on a system.
Important: If you use SSL or TLS, changing the security could disrupt these services.
If this occurs:
  1. Wait 5 minutes and try again. (Wait for any services to restart.)
  2. Confirm that the SSL or TLS implementation is up-to-date and supports the specified level of security.
  3. If necessary, revert to an earlier version of SSL or TLS security.

An invocation example

chsecurity -sslprotocol 4

The resulting output: 

Changing the SSL security level could disable the GUI connection on old web browsers, 
and changing the SSH security level may logout existing SSH sessions. Are you sure you want to continue? (y/yes to confirm)

An invocation example

chsecurity -sshprotocol 2

The resulting output: 

Changing the SSL security level could disable the GUI connection on old web browsers, 
and changing the SSH security level may logout existing SSH sessions. Are you sure you want to continue? (y/yes to confirm)
Parent topic: Clustered system commands
Related reference:
addnode
addiscsistorageport
cfgportip
chbanner
chcluster (Discontinued)
chiogrp
chiscsistorageport
chnode
chnodebootdrive
chquorum
chsite
chsra
chsystem
chsystemcert
chsystemip
chthrottle
cleardumps
cpdumps
detectiscsistorageportcandidate
help
lsclustercandidate (Discontinued)
lscluster (Discontinued)
lsclusterip (Discontinued)
lsclusterstats (Discontinued)
lsdiscoverystatus
lsfabric
lsfcportcandidate
lsiscsistorageport
lsiscsistorageportcandidate
lsiogrp
lshbaportcandidate (Deprecated)
lsiogrphost
lsiogrpcandidate
lsnode
lsnodecandidate
lsnodedependentvdisks (Deprecated)
lsnodevpd
lsportusb
lsportip
lsportfc
lsquorum
lsroute
lstimezones
lssecurity
lssite
lssra
lsthrottle
lssystem
lssystemcert
lssystemip
lssystemstats
lstargetportfc
mkquorumapp
mkthrottle
ping
rmiscsistorageport
rmnode
rmportip
rmthrottle
setclustertime (Discontinued)
setsystemtime
setpwdreset
settimezone
showtimezone
startstats
stopcluster (Discontinued)
stopsystem
swapnode