Selecting Cipher Suites
The Cipher Suite Configuration dialog is used to specify which outbound TLS cipher suites you want to enable on the CA API Gateway for a specific target host.

Supported Cipher Suites
The following cipher suites are supported by the CA API Gateway. These are the suites that are available when the Policy Manager is connected to a Gateway using the default configuration with the Software DB keystore. If your Gateway uses a different security configuration, not all suites will be functional.

Technical Note: When the Gateway is configured to work with IBM MQ 8.0, if any "TLS_ECDHE_ECDSA" cipher suite is used (indicated by * below), the IBM MQ 8 server certificate must be encrypted using the ECDSA algorithm. If using the IBM Key Management to generate a certificate, use the SHA512withECDSA algorithm to generate the certificate.

- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- *TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
- *TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- *TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- *TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- *TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- *TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- *TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV

To select cipher suites to use:
- You can select which cipher suites to enable in any of the following areas:
  - Click [Cipher Suites] on the Edit HTTP Options dialog. For more information, see "Add an HTTP Option" under Manage HTTP Options.
  - Click [Cipher Suites] on the [Connection] tab of the HTTP(S) Routing Properties. For more information, see "Configuring the [Connection] Tab" under Route via HTTP(S) Assertion.
  - Select the [SSL/TLS Settings] tab of the Listen Port Properties.
  - Click [Cipher Suites] on the WebSocket Connection Properties dialog, in either the Inbound or Outbound tabs. For more information, see Manage WebSocket Connections.
  Note that the cipher suites visible to you depend on the security configuration of your Gateway. See "Supported Cipher Suites" at the beginning of this topic for a complete list.
- Specify the order of the cipher suites to use:
  - Select one or more lines and use [Move Up] and [Move Down] to reorder the cipher suites.
  - Select [Uncheck All] to quickly remove all selections so that you can specify the suite(s) you want to use.
  - Select [Use Default List] to reset the list to the default set of cipher suites. The default suites are those that are least likely to cause compatibility issues with target servers.
- Click [OK] when done.
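
The procedure above leaves the choice and order of suites to the administrator. As an added example (not part of the original page and not CA code), the following Python script parses suite names from the supported list and orders them under an assumed policy that goes beyond what the page states: 3DES last, ephemeral (DHE/ECDHE) key exchange before static, GCM before CBC. The function names `classify` and `preference_order`, the policy, and the sample list are this example's own assumptions.

```python
import re

# JSSE-style names as shown in the dialog: TLS_<kx>_WITH_<cipher>_<hash>.
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+)_WITH_(?P<enc>.+)_(?P<hash>SHA\d*)$")

def classify(name):
    """Split one suite name into its parts and derive review flags."""
    name = name.lstrip("*")              # the page prefixes some suites with '*'
    if name.endswith("_SCSV"):           # signalling value, not a real suite
        return {"name": name, "scsv": True, "findings": []}
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name!r}")
    kx, enc = m["kx"], m["enc"]
    info = {
        "name": name,
        "scsv": False,
        "forward_secrecy": kx.split("_")[0] in ("DHE", "ECDHE"),  # ephemeral keys
        "aead": enc.endswith("_GCM"),
        "triple_des": enc.startswith("3DES"),
    }
    info["findings"] = [text for flag, text in (
        (not info["forward_secrecy"], "no forward secrecy (static key exchange)"),
        (not info["aead"], "not an AEAD (GCM) cipher mode"),
        (info["triple_des"], "3DES has a 64-bit block size"),
    ) if flag]
    return info

def preference_order(names):
    """Assumed policy: 3DES last, then ephemeral key exchange, then GCM first."""
    infos = [classify(n) for n in names]
    real = [i for i in infos if not i["scsv"]]
    # sort() is stable, so suites that tie keep the order they were given in.
    real.sort(key=lambda i: (i["triple_des"], not i["forward_secrecy"], not i["aead"]))
    return [i["name"] for i in real] + [i["name"] for i in infos if i["scsv"]]

# Constructed sample: a subset of the supported list above, in arbitrary order.
SAMPLE = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "*TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for suite in preference_order(SAMPLE):
        print(suite, "|", "; ".join(classify(suite)["findings"]) or "ok")
```

The resulting order can be reproduced in the dialog with [Move Up] and [Move Down]; the signalling value TLS_EMPTY_RENEGOTIATION_INFO_SCSV is kept and placed last.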