Contents
| 1 | Understanding SSH and TLS Protocol Management |
| 1.1 | Key SSH and TLS Protocol Management Concepts |
| 1.2 | Method of Selecting Algorithms or Cipher Suites |
2 | Basic SSH and TLS Protocol Management Operations |
1 Understanding SSH and TLS Protocol Management
1.1 Key SSH and TLS Protocol Management Concepts
The Secure Shell (SSH) is a protocol for secure remote logon and other secure network services over an insecure network. The SSH transport layer is a secure, low-level transport protocol. It provides strong encryption, cryptographic host authentication, and integrity protection.
The SSH protocol uses certain algorithms for authentication and encryption. This document describes how algorithms for ciphering, key exchange, and message authentication can be configured; refer to RFC 4253.
The Transport Layer Security (TLS) protocol provides communications security over the Internet. The protocol allows client-server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
The TLS security algorithms are expressed by cipher suites. A cipher suite defines a collection of key exchange, encryption, and authentication algorithms supported in TLS; refer to RFC 5246.
The Security Management managed area, SecM, can be found in the Managed Object Model (MOM). For general information about the MOM, Managed Object Classes (MOCs), cardinality, and related concepts, refer to Managed Object Model User Guide.
The operator can use the SecM MOCs to configure Transport Layer Security (TLS) and Secure Shell (SSH) authentication and encryption methods.
1.2 Method of Selecting Algorithms or Cipher Suites
At first deployment, the system initializes a set of default SSH algorithms and TLS cipher suites. The default algorithms are chosen by Ericsson design, based current security design rules. Algorithms and cipher suites can be added to, or removed from the default list.
The supported algorithms and cipher suites specifies the full set of selectable items. The supported lists are constructed from the underlying SSH and TLS software, and may contain additional algorithms or remove ones that were deemed obsolete at software upgrade. If an algorithm is removed, make sure that the removed algorithm is not used exclusively by any peer of the Managed Element (ME), otherwise the connections of that peer will fail.
In the SSH case, if the default algorithms are not adequate, then the names of the preferred algorithms need to be added to the attribute that list the selected algorithms. Non-preferred algorithms can be removed by updating the same list.
In the TLS case, cipher suites are added by choosing types or names of the preferred ones. The selected types or names must be specified in the cipher suites filter according to the syntax of the filter. The filter also allows removal of cipher suites types and names.
2 Basic SSH and TLS Protocol Management Operations
The following operations, described in Operating Instructions using the ECLI, can be performed by an administrator with the System Security Administrator role:
- View SSH Algorithms
Currently enabled SSH algorithms are accessible through attributes selectedCiphers, selectedKeyExchanges, and selectedMacs in the Ssh Managed Object (MO). For more details on how to perform this operation, refer to View SSH Algorithms.
- Change enabled SSH algorithms
The SSH algorithms enabled may need to be changed because of security requirements or compatibility with SSH peers. The SSH algorithms must be selected from the supported algorithm set, accessible through the Ssh MO attributes supportedCiphers, supportedKeyExchanges, and supportedMacs. The enabled SSH algorithms can be configured through attributes selectedCiphers, selectedKeyExchanges, and selectedMacs in the Ssh MO. For more details on how to perform this operation, refer to View SSH Algorithms and Configure SSH Algorithms.
- Show Supported and Enabled TLS Ciphers
Currently enabled TLS cipher suites in the system are accessible through the attribute enabledCiphers. The enabledCiphers attribute is the result of cipher filter applied on supportedCiphers. For more details on how to perform this operation, refer to Show Supported and Enabled TLS Ciphers.
- Change enabled TLS cipher suites
The enabled TLS cipher suites may need to be changed because of security requirements, or for compatibility with TLS peers. The TLS cipher suites must be selected from the supported cipher suite set accessible through the supportedCiphers attribute of the Tls MO. The enabled TLS cipher suites can be configured through the attribute cipherFilter. For more details on how to perform this operation, refer to Show Supported and Enabled TLS Ciphers and Configure TLS Ciphers.