Security levels determine the encryption protocols and cipher requirements that the identity router enforces when connecting to users and components in your RSA SecurID Access deployment. On the Platform > Certificates and Encryption > Encryption Settings page of the Cloud Administration Console, you can view requirements for incoming and outgoing connections, and modify the security level for incoming connections. The security level for outgoing connections cannot be modified.
To change security levels, see Configure Identity Router Security Levels.
The security level you select for incoming connections must support at least one cipher that is compatible with the load balancers and web browsers that connect to the identity router. For example, if a web browser used by your organization does not support any of the ciphers from the Medium level, but supports one of the additional ciphers available at the Low level, you can set the security level to Low to ensure compatibility with that browser. RSA recommends using the highest security level that supports the components you need to connect.
All security levels prohibit common Diffie-Hellman primes and HTTP compression. The Low and Medium levels support TLS 1.0, 1.1, and 1.2 encryption protocols, but High allows only TLS 1.2.
Note: The default security level is Medium. When you select a security level in the Cloud Administration Console, the new setting applies to all identity routers.
If you suspect that the connection to a user or load balancer is not working due to a cipher mismatch, check the affected browser or the /var/log/symplified/catch_all-443-error.log file for messages similar to the following:
- Cannot communicate securely with peer: no common encryption algorithm(s)
- Error code: ssl_error_no_cypher_overlap
- SSL Library Error: -12286 No common encryption algorithm(s) with client
The following tables describe the cipher requirements for incoming and outgoing connections at each security level.
Ciphers for Incoming Connections
Each level accepts the ciphers marked Yes in its column. The sets are nested: every High cipher is also accepted at Medium, and every Medium cipher is also accepted at Low.

Cipher | Low | Medium | High
---|---|---|---
ECDHE-RSA-AES128-GCM-SHA256 | Yes | Yes | Yes
ECDHE-ECDSA-AES128-GCM-SHA256 | Yes | Yes | Yes
DHE-RSA-AES128-GCM-SHA256 | Yes | Yes | Yes
ECDHE-RSA-AES256-SHA | Yes | Yes | No
ECDHE-ECDSA-AES256-SHA | Yes | Yes | No
ECDHE-RSA-AES128-SHA256 | Yes | Yes | No
ECDHE-ECDSA-AES128-SHA256 | Yes | Yes | No
ECDHE-RSA-AES128-SHA | Yes | Yes | No
ECDHE-ECDSA-AES128-SHA | Yes | Yes | No
DHE-RSA-AES256-SHA256 | Yes | Yes | No
DHE-RSA-AES256-SHA | Yes | Yes | No
DHE-RSA-AES128-SHA256 | Yes | Yes | No
DHE-RSA-AES128-SHA | Yes | Yes | No
RSA-AES256-SHA256 | Yes | No | No
RSA-AES256-SHA | Yes | No | No
Ciphers for Outgoing Connections (Not Configurable)
The identity router uses the same ciphers for outgoing connections at every security level (Low, Medium, and High):

- ECDHE_ECDSA_AES_128_GCM_SHA
- ECDH_ECDSA_AES_128_GCM_SHA
- ECDHE_RSA_AES_256_SHA
- ECDH_RSA_AES_256_SHA
- ECDHE_RSA_AES_128_GCM_SHA
- ECDH_RSA_AES_128_GCM_SHA
- ECDHE_RSA_AES_128_SHA
- ECDH_RSA_AES_128_SHA
- RSA_AES_128_GCM_SHA
- RSA_AES_256_SHA
- RSA_AES_128_SHA
- RSA_AES_128_SHA256
- RSA_AES_256_SHA256
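The incoming-connection cipher lists and TLS version rules above, encoded so that a client's offered ciphers and protocols can be checked against each security level offline and the highest compatible level found, as recommended earlier. This is an added example, not RSA's own code; the TLS version labels ("TLSv1", "TLSv1.1", "TLSv1.2") and the sample client offers are constructed.

```python
"""Check a client's cipher/protocol offer against the identity router's
incoming security levels (High > Medium > Low). Added example; the cipher
sets come from the incoming-connection table, the version labels are
constructed."""

# Incoming ciphers per level; the sets are nested (High within Medium
# within Low), so each is built from the stricter one.
HIGH = {
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256",
}
MEDIUM = HIGH | {
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
}
LOW = MEDIUM | {"RSA-AES256-SHA256", "RSA-AES256-SHA"}

# Level -> (accepted ciphers, accepted protocol versions).
# High allows only TLS 1.2; Low and Medium also allow TLS 1.0 and 1.1.
LEVELS = {
    "High": (HIGH, {"TLSv1.2"}),
    "Medium": (MEDIUM, {"TLSv1", "TLSv1.1", "TLSv1.2"}),
    "Low": (LOW, {"TLSv1", "TLSv1.1", "TLSv1.2"}),
}


def common_ciphers(level, client_ciphers, client_protocols):
    """Ciphers the router would accept from this client at `level`.
    An empty result is the 'no common encryption algorithm(s)' case
    seen in catch_all-443-error.log."""
    allowed, protocols = LEVELS[level]
    if not protocols & set(client_protocols):
        return set()  # no protocol overlap: handshake fails before ciphers
    return allowed & set(client_ciphers)


def highest_compatible_level(client_ciphers, client_protocols):
    """Highest level that still shares a cipher with the client, or None."""
    for level in ("High", "Medium", "Low"):
        if common_ciphers(level, client_ciphers, client_protocols):
            return level
    return None


if __name__ == "__main__":
    # Constructed offer: an older browser with one CBC cipher on TLS 1.0.
    print(highest_compatible_level(["RSA-AES256-SHA"], ["TLSv1"]))  # Low
```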