Security Levels and Identity Router Connection Ciphers

Document created by RSA Information Design and Development on Nov 16, 2018
Version 1

Security levels determine the encryption protocols and cipher requirements that the identity router enforces when connecting to users and components in your RSA SecurID Access deployment. On the Platform > Certificates and Encryption > Encryption Settings page of the Cloud Administration Console, you can view requirements for incoming and outgoing connections, and modify the security level for incoming connections. The security level for outgoing connections cannot be modified.

To change security levels, see Configure Identity Router Security Levels.

The security level you select for incoming connections must support at least one cipher that is compatible with the load balancers and web browsers that connect to the identity router. For example, if a web browser used by your organization does not support any of the ciphers from the Medium level, but supports one of the additional ciphers available at the Low level, you can set the security level to Low to ensure compatibility with that browser. RSA recommends using the highest security level that supports the components you need to connect.

All security levels prohibit common Diffie-Hellman primes and HTTP compression. The Low and Medium levels support TLS 1.0, 1.1, and 1.2 encryption protocols, but High allows only TLS 1.2.

Note: The default security level is Medium. When you select a security level in the Cloud Administration Console, the new setting applies to all identity routers.

If you suspect that the connection to a user or load balancer is not working due to a cipher mismatch, check the affected browser or the /var/log/symplified/catch_all-443-error.log file for messages similar to the following:

  • Cannot communicate securely with peer: no common encryption algorithm(s)
  • Error code: ssl_error_no_cypher_overlap
  • SSL Library Error: -12286 No common encryption algorithm(s) with client
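The following Python script is an added example and is not part of this RSA document or of the identity router software. It encodes the incoming-connection cipher table from this page (cipher names exactly as the table spells them), the TLS-version rule stated above (High allows only TLS 1.2), and a small scanner for the three mismatch messages listed above. The sample clients and the sample log excerpt are constructed for illustration; the function names are this example's own. It lets an administrator answer, before changing the level, which is the most restrictive level every required browser and load balancer can still reach, which is the recommendation given in the text.

```python
"""Added example: cipher-overlap check for identity router security levels.

Encodes the incoming-connection cipher table from this page and answers two
questions a defender asks before changing the level: which ciphers a given
client could negotiate at each level, and what the most restrictive level is
that every required client can still reach. It also picks out the
cipher-mismatch messages quoted on this page from a log excerpt.
"""
import re

# Incoming-connection ciphers per security level, named as on this page.
# High is a subset of Medium, which is a subset of Low.
HIGH = {
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256",
}
MEDIUM = HIGH | {
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA",
}
LOW = MEDIUM | {"RSA-AES256-SHA256", "RSA-AES256-SHA"}

# Most restrictive first, with the protocol versions each level accepts.
LEVELS = [
    ("High", HIGH, {"TLSv1.2"}),
    ("Medium", MEDIUM, {"TLSv1", "TLSv1.1", "TLSv1.2"}),
    ("Low", LOW, {"TLSv1", "TLSv1.1", "TLSv1.2"}),
]


def negotiable_ciphers(level_name, client_versions, client_ciphers):
    """Ciphers a client could negotiate at `level_name`.

    An empty set means the handshake fails with the "no common encryption
    algorithm(s)" errors shown on this page: either no protocol version is
    shared, or no cipher is.
    """
    for name, allowed, versions in LEVELS:
        if name == level_name:
            if not versions & set(client_versions):
                return set()
            return allowed & set(client_ciphers)
    raise ValueError(f"unknown security level: {level_name!r}")


def highest_compatible_level(clients):
    """Most restrictive level at which every client in `clients` can connect.

    `clients` is an iterable of (tls_versions, ciphers) pairs. Returns None
    if even Low leaves some client without a common cipher.
    """
    clients = list(clients)
    for name, _, _ in LEVELS:
        if all(negotiable_ciphers(name, v, c) for v, c in clients):
            return name
    return None


# Patterns for the mismatch messages quoted on this page.
MISMATCH_PATTERNS = [
    re.compile(r"no common encryption algorithm", re.IGNORECASE),
    re.compile(r"ssl_error_no_cypher_overlap", re.IGNORECASE),
]


def find_cipher_mismatches(log_lines):
    """Return the log lines that report a cipher or protocol mismatch."""
    return [ln for ln in log_lines if any(p.search(ln) for p in MISMATCH_PATTERNS)]


# Constructed sample clients (hypothetical, not taken from any real product):
# (TLS versions offered, cipher suites offered).
SAMPLE_CLIENTS = {
    "modern_browser": ({"TLSv1.2"},
                       {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"}),
    "tls1_only_client": ({"TLSv1"},
                         {"ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA"}),
    "legacy_balancer": ({"TLSv1", "TLSv1.1"},
                        {"RSA-AES256-SHA", "RSA-AES128-SHA"}),
    "rc4_only": ({"TLSv1"}, {"RC4-SHA"}),
}

# Constructed sample log excerpt in the style of catch_all-443-error.log.
SAMPLE_LOG = [
    "[Fri Nov 16 10:12:01 2018] [info] SSL handshake completed with client 10.0.0.5",
    "[Fri Nov 16 10:12:07 2018] [error] SSL Library Error: -12286 No common encryption algorithm(s) with client",
    "[Fri Nov 16 10:12:09 2018] [error] Error code: ssl_error_no_cypher_overlap",
]

if __name__ == "__main__":
    for name, (versions, ciphers) in SAMPLE_CLIENTS.items():
        reach = [lvl for lvl, _, _ in LEVELS if negotiable_ciphers(lvl, versions, ciphers)]
        print(f"{name:18} can connect at: {reach or 'no level'}")
    print("highest level for all sample clients:",
          highest_compatible_level(SAMPLE_CLIENTS.values()))
    print("mismatch lines:", len(find_cipher_mismatches(SAMPLE_LOG)))
```

Run stand-alone, the script shows that the constructed modern browser reaches every level, the TLS 1.0-only client stops at Medium because High requires TLS 1.2, and the legacy load balancer that only offers static-RSA suites is the single reason Low would be needed. Replacing that one component, rather than lowering the level for every identity router, is the usual remediation.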

The following tables describe the cipher requirements for incoming and outgoing connections at each security level.


Ciphers for Incoming Connections

Security Level: Low
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES128-SHA
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • RSA-AES256-SHA256
  • RSA-AES256-SHA

Security Level: Medium
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES128-SHA
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA

Security Level: High
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256

Ciphers for Outgoing Connections (Not Configurable)

Security Level: Low, Medium, and High (the same ciphers apply at all three levels)
  • ECDHE_ECDSA_AES_128_GCM_SHA
  • ECDH_ECDSA_AES_128_GCM_SHA
  • ECDHE_RSA_AES_256_SHA
  • ECDH_RSA_AES_256_SHA
  • ECDHE_RSA_AES_128_GCM_SHA
  • ECDH_RSA_AES_128_GCM_SHA
  • ECDHE_RSA_AES_128_SHA
  • ECDH_RSA_AES_128_SHA
  • RSA_AES_128_GCM_SHA
  • RSA_AES_256_SHA
  • RSA_AES_128_SHA
  • RSA_AES_128_SHA256
  • RSA_AES_256_SHA256
