
Configuring Allowed Ciphers

This section describes topics related to cipher-suite selection:

  • Configuring allowed cipher suites for GUI connections.
  • Configuring allowed key-exchange (KEX) algorithms for agentless connections.

The allowed cipher suites for GUI connections are defined in the Nginx configuration file /etc/nginx/sites-available/sshmgr, under ssl_ciphers.

To review and modify the allowed cipher suites:

  1. Open the Nginx configuration file /etc/nginx/sites-available/sshmgr and locate ssl_ciphers.

    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256...
  2. Edit the list as needed. The value is an OpenSSL cipher list: suite names are colon-separated, and the directive must end with a semicolon. Prefer removing suites to adding them, keeping those with ephemeral key exchange (ECDHE or DHE) and authenticated encryption (for example AES-GCM). When you are done, save your changes to the file.
    Verify the syntax with:

    # nginx -t

    For a valid configuration the output is:

    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
  3. Restart the Nginx web server and the Key Manager front end service to apply the changes.

    # service nginx restart
    # supervisorctl restart frontend:

    Subsequent GUI connections will be negotiated using one of the listed cipher suites. Note that nginx -t only confirms that the directive is well formed and that at least one suite in the list is recognized by the OpenSSL library; a misspelled suite name among otherwise valid ones is silently ignored, so compare the intended list with the output of openssl ciphers -v '<list>' before relying on it.
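The following script is an added example for the procedure above; it is not part of the Key Manager documentation or product. It reads the ssl_ciphers value out of an Nginx site file (a constructed sample stands in for /etc/nginx/sites-available/sshmgr), applies a simple deny-list policy to each suite, and, where OpenSSL is installed, expands the list the way Nginx will see it. The policy encoded in weak_suites is an assumption for illustration, not a list taken from the documentation.

```sh
#!/bin/sh
# Added example, not part of the Key Manager documentation or product:
# audit the ssl_ciphers value of an Nginx site file before restarting Nginx.
# The sample configuration and the deny-list policy below are constructed
# for illustration; adjust the policy to your own baseline.

# Print the first ssl_ciphers value (colon-separated list) found in an Nginx
# configuration given as a file argument or on stdin. Quotes are stripped.
ssl_ciphers_of() {
    sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$@" \
        | head -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# Print the suites in a colon-separated OpenSSL cipher list that fail a
# simple policy (space-separated, in list order) and return 1; print nothing
# and return 0 when the list is clean. List operators such as !aNULL, -SHA1
# or @STRENGTH are accepted as-is; explicit suite names must use ephemeral
# (ECDHE/DHE) key exchange and none of the denied primitives; anything else
# (a static-RSA suite or a group keyword such as HIGH) is reported so you
# expand and review it by hand.
weak_suites() {
    bad=""
    old_ifs=$IFS; IFS=:
    for suite in $1; do
        case $suite in
            '!'*|-*|+*|@*) ;;                        # OpenSSL list operators
            *RC4*|*3DES*|*DES-CBC*|*NULL*|*EXP*|*ADH*|*AECDH*|*MD5*)
                bad="$bad $suite" ;;                 # denied primitive
            ECDHE-*|DHE-*) ;;                        # forward-secret suites
            *) bad="$bad $suite" ;;                  # static RSA or keyword
        esac
    done
    IFS=$old_ifs
    if [ -n "$bad" ]; then
        printf '%s\n' "${bad# }"
        return 1
    fi
    return 0
}

# Constructed stand-in for /etc/nginx/sites-available/sshmgr.
SAMPLE_SITE='server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:!aNULL;
}'

ciphers=$(printf '%s\n' "$SAMPLE_SITE" | ssl_ciphers_of)
echo "configured: $ciphers"
if flagged=$(weak_suites "$ciphers"); then
    echo "policy check passed"
else
    echo "review these suites: $flagged"          # prints: AES128-SHA
fi

# Where OpenSSL is installed, expand the list the way Nginx will see it.
# OpenSSL ignores unknown suite names as long as something in the list
# matches, so compare this output with the intended list instead of
# trusting "nginx -t" alone.
if command -v openssl >/dev/null 2>&1; then
    openssl ciphers -v "$ciphers" || echo "openssl rejected the whole list"
fi
```

Run it on the real site file by replacing the constructed sample with `ssl_ciphers_of /etc/nginx/sites-available/sshmgr`; the static-RSA suite AES128-SHA in the sample is the kind of entry the check is meant to surface, since it passes nginx -t but offers no forward secrecy.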

You can modify the KEX algorithms that Key Manager offers when it connects to hosts agentlessly. This may be necessary to tighten security (for example, to drop SHA-1 based methods) or when agentless connections fail because the client and the target host share no KEX method.

To review and modify the allowed KEX algorithms, repeat the following on all Key Manager servers:

  1. On the Key Manager server as root, open the following file:

    /opt/sshmgr-runtime/etc/ssh_config

    In this file, add or modify the KexAlgorithms setting. The value is a single comma-separated line listing the methods in order of preference; ssh_config has no line continuation, so do not split the list across lines. If the file contains Host blocks, place the setting where it applies to the hosts in question, since OpenSSH uses the first value it obtains for each parameter. For example:

    KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256

    The diffie-hellman-group14-sha1 method in this example relies on SHA-1; keep it only while legacy hosts require it. The other methods listed use SHA-2.

    Save your changes to the file. The command ssh -Q kex lists the key-exchange methods supported by the installed OpenSSH client; the client refuses a configuration that names a method it does not recognize. See the OpenSSH client documentation (ssh_config(5)) for details on the supported algorithms. For a list of supported OpenSSH versions, see Compatible SSH Products.

  2. Restart the Key Manager services to apply your changes:

    # supervisorctl restart frontend:
    # supervisorctl restart backend:
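The following script is an added example for the KEX procedure above; it is not part of the Key Manager documentation or product. It extracts the KexAlgorithms value from an ssh_config (a constructed sample stands in for /opt/sshmgr-runtime/etc/ssh_config), flags SHA-1 based methods, computes which methods a client list and a target host's list have in common (the empty intersection is the "no matching KEX method" failure the text mentions), and, where ssh is installed, reports configured names the local client does not support. The target host's list is constructed for the example; on a real host it would come from running ssh -Q kex there or from ssh -vv output.

```sh
#!/bin/sh
# Added example, not part of the Key Manager documentation or product:
# check a KexAlgorithms line before restarting the services. The sample
# configuration and the target host's list are constructed for illustration.

# Print the first KexAlgorithms value from an ssh_config given as a file
# argument or on stdin ("KexAlgorithms value" and "KexAlgorithms=value"
# are both accepted).
kex_of() {
    sed -n 's/^[[:space:]]*KexAlgorithms[[:space:]=][[:space:]=]*\([^[:space:]#]*\).*/\1/p' "$@" \
        | head -n 1
}

# Print the methods of a comma-separated KEX list whose name ends in -sha1,
# i.e. the methods that depend on SHA-1 (empty when there are none).
sha1_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -e '-sha1$' | tr '\n' ',' | sed 's/,$//'
}

# Print the methods that CLIENT and SERVER (comma-separated lists) have in
# common, in CLIENT preference order, and return 0; print nothing and return
# 1 when there is no overlap, which is when the agentless connection fails.
kex_common() {
    client=$1; server=$2; common=""
    old_ifs=$IFS; IFS=,
    for m in $client; do
        case ",$server," in
            *",$m,"*) common="$common,$m" ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$common" ] || return 1
    printf '%s\n' "${common#,}"
}

# Print the methods of LIST that do not appear in SUPPORTED (comma-separated
# lists). Run against 'ssh -Q kex' this catches names the installed OpenSSH
# client would reject at start-up.
kex_unsupported() {
    missing=""
    old_ifs=$IFS; IFS=,
    for m in $1; do
        case ",$2," in
            *",$m,"*) ;;
            *) missing="$missing,$m" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "${missing#,}"
}

# Constructed stand-in for /opt/sshmgr-runtime/etc/ssh_config.
SAMPLE_SSH_CONFIG='# agentless client settings (sample)
Host *
    KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256'

# Constructed list standing in for what a target host offers. On a real host
# this is the output of 'ssh -Q kex' run there, or the "KEX algorithms:" line
# under "peer server KEXINIT proposal" in 'ssh -vv' output from Key Manager.
TARGET_KEX='curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256'

configured=$(printf '%s\n' "$SAMPLE_SSH_CONFIG" | kex_of)
echo "configured : $configured"
legacy=$(sha1_kex "$configured")
[ -z "$legacy" ] || echo "SHA-1 based: $legacy"    # diffie-hellman-group14-sha1
if common=$(kex_common "$configured" "$TARGET_KEX"); then
    echo "negotiable : $common"                    # diffie-hellman-group-exchange-sha256
else
    echo "no matching KEX method: the agentless connection would fail"
fi
if command -v ssh >/dev/null 2>&1; then
    echo "not in local ssh: $(kex_unsupported "$configured" "$(ssh -Q kex | tr '\n' ',')")"
fi
```

In the sample only diffie-hellman-group-exchange-sha256 is common to both sides, so a connection would succeed but fall through to the last method in the client's preference list; removing that method from the client list reproduces the failure case, and kex_common then prints nothing and returns 1.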