System SSL/TLS system level settings
System SSL/TLS has many attributes that determine how secure sessions are negotiated.
Each attribute value is set in one of three ways:
- The application developer sets an explicit value for the attribute by using code.
- The application developer provides a user interface to allow the application administrator to indirectly set the attribute value.
- The application developer does not set a value for the attribute. System SSL/TLS uses the default value for the attribute.
Security compliance requirements change over the lifespan of a release. To remain compliant, system administrators need to override some attribute values. System SSL/TLS provides various system level settings to implement this level of control.
There are two types of system level control:
- Completely disable the value for an attribute
  - The disabled value is ignored when it is used by any of the three methods of setting the attribute value
  - Application encounters a hard failure if no valid value remains enabled for the attribute
  - Application encounters a soft failure if peer requires the disabled value
- Disable a default value for an attribute
  - Changes only applications that use System SSL/TLS defaults for setting this specific attribute
  - Application soft failure if peer requires the disabled value
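The difference between the two controls can be modelled as a small resolution function. This is an added example, not IBM code or a System SSL/TLS interface: the function names, exception names and protocol strings are constructed for illustration, and treating an empty result as a hard failure under either control is an assumption of the model.

```python
class HardFailure(Exception):
    """No valid value remains enabled for the attribute."""

class SoftFailure(Exception):
    """The peer requires a value that is not enabled."""

def effective_values(app_values, defaults, disabled=(), default_disabled=()):
    """Resolve the values one application may use for one attribute.

    app_values: explicit list (set in code or through an admin UI),
                or None when the application relies on the defaults.
    disabled: values completely disabled at the system level.
    default_disabled: values removed from the default list only.
    """
    if app_values is None:
        # Only default-using applications see the default-level control.
        candidates = [v for v in defaults if v not in default_disabled]
    else:
        candidates = list(app_values)
    # A completely disabled value is ignored however it was set.
    enabled = [v for v in candidates if v not in disabled]
    if not enabled:
        # Assumption: an empty result is a hard failure in either case.
        raise HardFailure("no valid value remains enabled")
    return enabled

def negotiate(enabled, peer_values):
    """Pick the first enabled value the peer accepts, else soft failure."""
    for value in enabled:
        if value in peer_values:
            return value
    raise SoftFailure("peer requires a value that is not enabled")

# Constructed sample data, not a real system's configuration.
DEFAULTS = ["TLSv1.3", "TLSv1.2", "TLSv1.0"]

if __name__ == "__main__":
    # Default user loses TLSv1.0; an explicit setter keeps it.
    print(effective_values(None, DEFAULTS, default_disabled={"TLSv1.0"}))
    print(effective_values(["TLSv1.0"], DEFAULTS, default_disabled={"TLSv1.0"}))
    # Complete disable overrides the explicit setting as well.
    print(effective_values(["TLSv1.0", "TLSv1.2"], DEFAULTS, disabled={"TLSv1.0"}))
```

An application that explicitly sets a value is untouched by the default-level control, which is why closing off a value for every application requires the complete disable.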
The system level settings are controlled by using a combination of these interfaces:
- SSL/TLS System Values
- System Service Tools (SST) Advanced Analysis command SSLCONFIG as specified.
The following System SSL/TLS attributes can have their enabled values, default values, or both changed at the system level.