Security Levels and Identity Router Connection Ciphers

Security levels determine the encryption protocols and cipher requirements that the identity router enforces when connecting to users and components in your SecurID deployment. On the Platform > Certificates and Encryption > Encryption Settings page of the Cloud Administration Console, you can view requirements for incoming and outgoing connections, and modify the security level for incoming and outgoing connections.

To change security levels, see Configure Identity Router Security Levels.

The security level you select for incoming connections must support at least one cipher that is compatible with the load balancers and web browsers that connect to the identity router. The security level you select for outgoing connections must support at least one cipher that is compatible with the web servers that the identity router connects to. For example, if a web browser used by your organization does not support any of the ciphers from the Medium level, but supports one of the additional ciphers available at the Low level, you can set the security level to Low to ensure compatibility with that browser. SecurID recommends using the highest security level that supports the components you need to connect.

Note: These settings do not apply to connections with Identity Sources, Authentication Manager, or the Cloud Authentication Service; the security level for those connections cannot be configured.

All security levels prohibit well-known (common) Diffie-Hellman primes and HTTP compression. The Low and Medium levels support the TLS 1.0, 1.1, and 1.2 protocols; High allows only TLS 1.2.

Note: The default security level is High. When you select a security level in the Cloud Administration Console, the new setting applies to all identity routers.

If you suspect that the connection to a user or load balancer is not working due to a cipher mismatch, check the affected browser or the /var/log/symplified/catch_all-443-error.log file for messages similar to the following:

  • Cannot communicate securely with peer: no common encryption algorithm(s)
  • Error code: ssl_error_no_cypher_overlap
  • SSL Library Error: -12286 No common encryption algorithm(s) with client

The following tables describe the cipher requirements for incoming and outgoing connections at each security level.

Ciphers for Incoming Connections

Security Level: Low
  • AES256-SHA
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • DHE-RSA-AES128-GCM-SHA256

Security Level: Medium
  • AES256-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES256-SHA
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • DHE-RSA-AES128-GCM-SHA256

Security Level: High
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256

Ciphers for Outgoing Connections

Security Level: Medium
  • AES256-SHA
  • RSA-AES128-SHA256
  • RSA-AES128-SHA
  • RSA-AES128-GCM-SHA
  • ECDH-RSA-AES256-SHA
  • ECDH-RSA-AES128-SHA
  • ECDH-RSA-AES128-GCM-SHA
  • ECDH-ECDSA-AES128-GCM-SHA
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256

Security Level: High
  • AES256-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256
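The following Python script is an added example, not SecurID product code. It encodes the incoming-connection cipher lists from the table above, then does two things this page describes in prose: it picks the highest security level at which every connecting component (browser or load balancer) still shares at least one cipher with the identity router, and it scans error-log lines for the three cipher-mismatch messages quoted earlier. The client cipher lists, the log line format and the timestamps are constructed sample data; the real log is /var/log/symplified/catch_all-443-error.log, and a real client's offered ciphers would come from your own inventory or a handshake capture.

```python
import re

# Ciphers listed under both Low and Medium in the incoming-connection table.
_SHARED_LOW_MEDIUM = {
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES256-SHA", "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA", "DHE-RSA-AES128-GCM-SHA256",
}

# Incoming-connection ciphers per security level, copied from the table on this page.
INCOMING = {
    "Low": _SHARED_LOW_MEDIUM | {"AES256-SHA"},
    "Medium": _SHARED_LOW_MEDIUM | {"AES256-SHA256"},
    "High": {
        "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
        "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256",
    },
}

# Strictest first: the page recommends the highest level that still works.
LEVELS = ["High", "Medium", "Low"]


def is_tls12_only(cipher):
    """SHA-256/SHA-384 suites (including all GCM suites) exist only in TLS 1.2."""
    return cipher.endswith(("SHA256", "SHA384"))


def common_ciphers(level, offered):
    """Ciphers a client offers that the identity router accepts at this level."""
    return sorted(INCOMING[level] & set(offered))


def highest_compatible_level(clients):
    """clients: {name: iterable of OpenSSL cipher names the client offers}.

    Returns (level, overlap_by_client) for the strictest level at which every
    client shares at least one cipher, or (None, blockers) naming the clients
    that have no overlap even at Low (those need a client-side change)."""
    for level in LEVELS:
        overlap = {name: common_ciphers(level, offered) for name, offered in clients.items()}
        if all(overlap.values()):
            return level, overlap
    blockers = {name: [] for name, offered in clients.items() if not common_ciphers("Low", offered)}
    return None, blockers


# The three messages this page says indicate a cipher mismatch.
MISMATCH_PATTERNS = [
    re.compile(r"no common encryption algorithm"),
    re.compile(r"ssl_error_no_cypher_overlap"),
    re.compile(r"SSL Library Error: -12286"),
]


def cipher_mismatch_lines(log_lines):
    """Return the log lines that carry one of the known mismatch messages."""
    return [line for line in log_lines if any(p.search(line) for p in MISMATCH_PATTERNS)]


# Constructed sample log lines (format and timestamps are illustrative only).
SAMPLE_LOG = [
    "[Mon Jan 01 10:00:00 2024] [info] accepted connection from 192.0.2.10",
    "[Mon Jan 01 10:00:01 2024] [error] SSL Library Error: -12286 No common encryption algorithm(s) with client",
    "[Mon Jan 01 10:00:02 2024] [error] Cannot communicate securely with peer: no common encryption algorithm(s)",
    "[Mon Jan 01 10:00:03 2024] [info] connection closed",
]

# Constructed client inventories: a current browser and a legacy one that
# still offers only CBC/SHA-1 suites.
MODERN_BROWSER = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"]
LEGACY_BROWSER = ["ECDHE-RSA-AES128-SHA", "AES256-SHA"]

if __name__ == "__main__":
    level, detail = highest_compatible_level({"modern": MODERN_BROWSER, "legacy": LEGACY_BROWSER})
    print("recommended level:", level, detail)
    for line in cipher_mismatch_lines(SAMPLE_LOG):
        print("mismatch:", line)
```

The legacy browser in the sample forces Medium rather than High (its only overlap at Medium is ECDHE-RSA-AES128-SHA), which is the trade-off the page describes; once that browser is retired, the same check returns High.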