Cipher suites for RSA key exchange

System Administrator Guide for VSP E990 and VSP G130, G/F350, G/F370, G/F700, G/F900

Version: 88-08-0x
Part Number: MK-97HM85028-11

If the key exchange method does not use the cipher suites for RSA key exchange, you can disable those cipher suites. The following firmware and software versions are required:
  • Storage system firmware version: 88-07-02 or later
  • SVP software version: 88-07-02 or later
  • GUM firmware version: 88-07-02/00

Note that VSP E series does not support the function of disabling the cipher suites for RSA key exchange. Versions beginning with 93- are not supported.

CAUTION:
  • If any one of the storage management software version, SVP software version, or GUM firmware version does not support the function of disabling the cipher suites for RSA key exchange, do not disable the cipher suites for RSA key exchange.
  • When you enable or disable the cipher suites for RSA key exchange, you need to specify the settings on both the SVP and GUM.
  • If either of the following two cipher suites is specified in Maintenance Utility, the cipher suites for RSA key exchange are automatically enabled on the GUM. If neither of the following two cipher suites is specified, the cipher suites for RSA key exchange are automatically disabled on the GUM:
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA
  • When the cipher suites for RSA key exchange are disabled, you can use the following cipher suites:
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

    Note that, if there is a management client or any kind of server that does not support these cipher suites, the SVP cannot communicate with that management client or server.

  • When Windows Server 2008 R2 is used for the OS of the LDAP server, do not disable the cipher suites for RSA key exchange. If you disable the cipher suites for RSA key exchange, the SVP will not be able to communicate with the LDAP server.
  • If you use TLS 1.2 to send audit logs or alert notifications to the syslog server, configure the setting so that the following cipher suites can be used on the syslog server:
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • If the SVP and the storage system cannot communicate with each other after you disable cipher suites, collect dump files and send them to the maintenance personnel. Then, enable the cipher suites.
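Before disabling the cipher suites for RSA key exchange, it helps to confirm that every management client and server the SVP talks to can negotiate one of the four suites listed above. The following pre-change check is an added example, not part of the guide or of any Hitachi tool; the peer names and inventory are constructed, the function names are hypothetical, and `probe` assumes the peer accepts TLS directly on the given port (for example LDAPS).

```python
import socket
import ssl

# Suites the guide lists as usable once RSA key exchange is disabled,
# keyed by IANA name with the equivalent OpenSSL name as the value.
ALLOWED_AFTER_DISABLE = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
}
# Constructed sample inventory (hypothetical peers, not from the guide).
SAMPLE_INVENTORY = {
    "mgmt-client": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "ldap-legacy": ["TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"],
}

def is_rsa_key_exchange(suite):
    # TLS_RSA_WITH_* uses RSA key exchange; TLS_(EC)DHE_RSA_* uses RSA only to authenticate.
    return suite.startswith("TLS_RSA_WITH_")

def audit_peers(inventory):
    """Map each peer in {peer: [IANA suite names]} to a (verdict, suites) pair."""
    report = {}
    for peer, suites in inventory.items():
        usable = sorted(ALLOWED_AFTER_DISABLE.keys() & set(suites))
        rsa_kx = [s for s in suites if is_rsa_key_exchange(s)]
        if usable:
            report[peer] = ("ok", usable)
        elif rsa_kx:
            report[peer] = ("breaks: RSA key exchange only", rsa_kx)
        else:
            report[peer] = ("breaks: no common suite", [])
    return report

def probe(host, port, timeout=5.0):
    """Offer only the four suites over TLS 1.2; return the negotiated cipher or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # measures cipher support only, not certificate trust
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ALLOWED_AFTER_DISABLE.values()))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None
```

A peer that `audit_peers` marks as breaking, or for which `probe` returns `None`, would lose connectivity to the SVP once the RSA key exchange suites are disabled.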