Security Levels and Identity Router Connection Ciphers
Security levels determine the encryption protocols and cipher requirements that the identity router enforces when connecting to users and components in your RSA deployment. On the Platform > Certificates and Encryption > Encryption Settings page of the Cloud Administration Console, you can view requirements for incoming and outgoing connections, and modify the security level for incoming and outgoing connections.
To change security levels, see Configure Identity Router Security Levels.
The security level you select for incoming connections must support at least one cipher that is compatible with the load balancers and web browsers that connect to the identity router. The security level you select for outgoing connections must support at least one cipher that is compatible with the web servers that connect to the identity router. For example, if a web browser used by your organization does not support any of the ciphers from the Medium level, but supports one of the additional ciphers available at the Low level, you can set the security level to Low to ensure compatibility with that browser. RSA recommends using the highest security level that supports the components you need to connect.
Note: These settings are not applicable for Identity Sources, AM, and the Cloud Access Service as they cannot be configured.
All security levels prohibit common Diffie-Hellman primes and HTTP compression. The Low and Medium levels support TLS 1.0, 1.1, and 1.2 encryption protocols, but High allows only TLS 1.2.
Note: The default security level is High. When you select a security level in the Cloud Administration Console, the new setting applies to all identity routers.
If you suspect that the connection to a user or load balancer is not working due to a cipher mismatch, check the affected browser or the /var/log/symplified/catch_all-443-error.log file for messages similar to the following:
- Cannot communicate securely with peer: no common encryption algorithm(s)
- Error code: ssl_error_no_cypher_overlap
- SSL Library Error: -12286 No common encryption algorithm(s) with client
The following tables describe the cipher requirements for incoming and outgoing connections at each security level.
Ciphers for Incoming Connections
| Low security level | Medium security level | High security level |
|---|---|---|
| AES256-SHA<br>ECDHE-RSA-AES256-SHA384<br>ECDHE-RSA-AES256-SHA<br>ECDHE-RSA-AES256-GCM-SHA384<br>ECDHE-RSA-AES128-SHA256<br>ECDHE-RSA-AES128-SHA<br>ECDHE-RSA-AES128-GCM-SHA256<br>DHE-RSA-AES256-SHA<br>DHE-RSA-AES256-GCM-SHA384<br>DHE-RSA-AES256-SHA256<br>DHE-RSA-AES128-SHA<br>DHE-RSA-AES128-GCM-SHA256<br>DHE-RSA-AES128-SHA256<br>AES256-SHA256 | ECDHE-RSA-AES256-SHA384<br>ECDHE-RSA-AES256-SHA<br>ECDHE-RSA-AES256-GCM-SHA384<br>ECDHE-RSA-AES128-SHA256<br>ECDHE-RSA-AES128-SHA<br>ECDHE-RSA-AES128-GCM-SHA256<br>DHE-RSA-AES256-SHA<br>DHE-RSA-AES256-GCM-SHA384<br>DHE-RSA-AES256-SHA256<br>DHE-RSA-AES128-SHA<br>DHE-RSA-AES128-GCM-SHA256<br>DHE-RSA-AES128-SHA256 | ECDHE-RSA-AES256-GCM-SHA384<br>ECDHE-RSA-AES128-GCM-SHA256<br>DHE-RSA-AES256-GCM-SHA384<br>DHE-RSA-AES128-GCM-SHA256 |

For FedRAMP customers, RSA key exchange is considered insecure. Therefore, the following ciphers will not be supported: AES256-SHA, AES256-SHA256.
Ciphers for Outgoing Connections
| Medium security level | High security level |
|---|---|
| AES256-SHA<br>AES128-SHA256<br>AES128-SHA<br>ECDH-RSA-AES256-SHA<br>ECDH-RSA-AES128-SHA<br>ECDHE-RSA-AES256-SHA384<br>ECDHE-RSA-AES256-SHA<br>ECDHE-RSA-AES256-GCM-SHA384<br>ECDHE-RSA-AES128-SHA<br>ECDHE-RSA-AES128-GCM-SHA256<br>ECDHE-ECDSA-AES128-GCM-SHA256<br>DHE-RSA-AES256-GCM-SHA384<br>DHE-RSA-AES128-GCM-SHA256<br>AES256-SHA256 | ECDHE-RSA-AES256-GCM-SHA384<br>ECDHE-RSA-AES128-GCM-SHA256<br>ECDHE-ECDSA-AES128-GCM-SHA256<br>DHE-RSA-AES256-GCM-SHA384<br>DHE-RSA-AES128-GCM-SHA256 |

For FedRAMP customers, RSA key exchange is considered insecure. Therefore, the following ciphers will not be supported: AES128-SHA256, AES256-SHA, AES256-SHA256.
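The selection rule for incoming connections (use the highest level at which every connecting component still shares a protocol and a cipher) can be checked against a client inventory before changing the setting. The following is an added example, not RSA code: the cipher sets are copied from the incoming-connection table on this page, while the client names, their capabilities, and the OpenSSL-style protocol labels are constructed assumptions. It also applies a TLS property the page does not state: GCM and SHA256/SHA384 suites can only be negotiated over TLS 1.2.

```python
# Incoming-connection ciphers per security level, copied from the table above.
HIGH = {"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
        "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256"}
MEDIUM = HIGH | {"ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
                 "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
                 "DHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA256",
                 "DHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA256"}
LOW = MEDIUM | {"AES256-SHA", "AES256-SHA256"}
FEDRAMP_EXCLUDED = {"AES256-SHA", "AES256-SHA256"}  # RSA key exchange
ALL_TLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}  # OpenSSL-style labels (assumed)
LEVELS = [("High", HIGH, {"TLSv1.2"}),  # highest level first
          ("Medium", MEDIUM, ALL_TLS), ("Low", LOW, ALL_TLS)]

def usable(cipher, protocols):
    """GCM and SHA256/SHA384 suites exist only in TLS 1.2; the CBC suites
    ending in -SHA can be negotiated in any of the three versions."""
    if cipher.endswith(("SHA256", "SHA384")):
        return "TLSv1.2" in protocols
    return bool(protocols)

def can_connect(client, ciphers, protocols):
    shared = client["protocols"] & protocols
    return any(usable(c, shared) for c in client["ciphers"] & ciphers)

def highest_level(clients, fedramp=False):
    """Return (level, blockers). level is None when no level fits every
    client; blockers maps each rejected level to the clients that failed."""
    blockers = {}
    for name, ciphers, protocols in LEVELS:
        if fedramp:
            ciphers = ciphers - FEDRAMP_EXCLUDED
        failed = sorted(n for n, c in clients.items()
                        if not can_connect(c, ciphers, protocols))
        if not failed:
            return name, blockers
        blockers[name] = failed
    return None, blockers

# Constructed inventory: hypothetical client names and capabilities.
CLIENTS = {
    "load-balancer": {"protocols": {"TLSv1.2"},
                      "ciphers": {"ECDHE-RSA-AES128-GCM-SHA256"}},
    "kiosk-browser": {"protocols": {"TLSv1", "TLSv1.1"},
                      "ciphers": {"AES256-SHA"}},
}

if __name__ == "__main__":
    print(highest_level(CLIENTS))                # Low; kiosk blocks High, Medium
    print(highest_level(CLIENTS, fedramp=True))  # no level fits the kiosk
```

The `blockers` result names the components to upgrade before the level can be raised, which is a better outcome than lowering the level for the whole deployment.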