Selecting Cipher Suites
The Cipher Suite Configuration dialog is used to specify which outbound TLS cipher suites you want to enable on the gateway for a specific target host.
Supported Cipher Suites
The following cipher suites are supported by the CA API Gateway. These are the suites that are available when the Policy Manager is connected to a Gateway using the default configuration with the Software DB keystore. If your Gateway uses a different security configuration, not all suites will be functional.
- SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_DH_RSA_WITH_DES_CBC_SHA
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_RSA_WITH_DES_CBC_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_WITH_DES_CBC_SHA
- SSL_RSA_WITH_RC4_128_MD5
- SSL_RSA_WITH_RC4_128_SHA
- TLS_DH_RSA_WITH_AES_128_CBC_SHA
- TLS_DH_RSA_WITH_AES_128_CBC_SHA256
- TLS_DH_RSA_WITH_AES_128_GCM_SHA256
- TLS_DH_RSA_WITH_AES_256_CBC_SHA
- TLS_DH_RSA_WITH_AES_256_CBC_SHA256
- TLS_DH_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDH_ECDSA_WITH_RC4_128_SHA
- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDH_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
To select cipher suites to use:
- Do one of the following:
  - Click [Cipher Suites] on the Edit HTTP Options dialog. For more information, see "Add an HTTP Option" under Manage HTTP Options.
  - Click [Cipher Suites] on the [Connection] tab of the HTTP(S) Routing Properties. For more information, see "Configuring the [Connection] Tab" under Route via HTTP(S) Assertion.
  - Select the [SSL/TLS Settings] tab of the Listen Port Properties.
  In the Listen Port Properties, the cipher suites are selected directly in the [SSL/TLS Settings] tab; there is no separate Enable Cipher Suites dialog.
  The Enabled Cipher Suites dialog is displayed, listing the suites recognized by the CA API Gateway. Note that the cipher suites visible to you depend on the security configuration of your Gateway. See "Supported Cipher Suites" at the beginning of this topic for a complete list.
- Specify the order of the cipher suites to use:
  - Select one or more lines and use [Move Up] and [Move Down] to reorder the cipher suites.
  - Select [Uncheck All] to quickly remove all selections so that you can specify the suite(s) you want to use.
  - Select [Use Default List] to reset the list to the default set of cipher suites. The default suites are those that are least likely to cause compatibility issues with target servers.
- Click [OK] when done.
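
Added example, not part of the CA documentation: a Python helper that takes suite names copied from the supported list and returns the order to arrange with [Move Up] and [Move Down], the entries to uncheck, and any signaling values. The policy (disable DES, 3DES, RC4 and MD5 suites; rank forward-secret key exchange first, then GCM over CBC) and the names `classify`, `plan` and `SAMPLE` are assumptions of this example, not gateway defaults.

```python
import re

# JSSE-style name: <TLS|SSL>_<key exchange>_WITH_<cipher>_<hash>
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>SHA\d*|MD5)$")
# Assumed policy (not CA's): cipher prefixes to disable, with the reason.
WEAK_CIPHERS = {
    "DES_": "single DES (56-bit key)",
    "3DES_": "3DES (64-bit block)",
    "RC4_": "RC4 (prohibited in TLS by RFC 7465)",
}

def classify(name):
    """Return (reasons_to_disable, rank), or None if name is not a real suite."""
    m = SUITE_RE.match(name)
    if m is None:  # e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV, a signaling value
        return None
    kx, enc, mac = m.group("kx", "enc", "mac")
    reasons = [why for prefix, why in WEAK_CIPHERS.items() if enc.startswith(prefix)]
    if mac == "MD5":
        reasons.append("MD5 MAC")
    forward_secret = kx.startswith(("ECDHE_", "DHE_"))
    aead = enc.endswith("_GCM")
    # Lower rank sorts first: forward secrecy matters most, then AEAD over CBC.
    return reasons, (not forward_secret, not aead)

def plan(enabled):
    """Split suite names into (ordered keep list, disable map, signaling values)."""
    keep, disable, signaling = [], {}, []
    for name in enabled:
        result = classify(name)
        if result is None:
            signaling.append(name)
        elif result[0]:
            disable[name] = result[0]
        else:
            keep.append((result[1], name))
    keep.sort(key=lambda item: item[0])  # stable: ties keep their input order
    return [name for _, name in keep], disable, signaling

# Constructed sample: a few names from the supported list, whitespace-separated.
SAMPLE = """SSL_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256""".split()

if __name__ == "__main__":
    for part in plan(SAMPLE):
        print(part)
```

Confirm that the target host accepts at least one suite in the keep list before unchecking the rest, since an empty intersection makes the outbound handshake fail.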