Selecting Cipher Suites

The Cipher Suite Configuration dialog is used to specify which outbound TLS cipher suites you want to enable on the gateway for a specific target host.
Supported Cipher Suites
The following cipher suites are supported by the Layer7 API Gateway. These are the suites that are available when the Policy Manager is connected to a Gateway using the default configuration with the Software DB keystore. If your Gateway uses a different security configuration, not all suites will be functional.
Technical Note:
When the Gateway is configured to work with IBM MQ 8.0, if any "TLS_ECDHE_ECDSA" cipher suite is used (indicated by * below), the IBM MQ 8 server certificate must be encrypted using the ECDSA algorithm. If using the IBM Key Management to generate a certificate, use the SHA512withECDSA algorithm to generate the certificate.
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
*TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
*TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
*TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
*TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
*TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
*TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
To select cipher suites to use:
  1. You can select which cipher suites to enable in any of the following areas:
    • Click [Cipher Suites] on the Edit HTTP Options dialog. For more information, see "Add an HTTP Option" under Manage HTTP Options.
    • Click [Cipher Suites] on the [Connection] tab of the HTTP(S) Routing Properties. For more information, see "Configuring the [Connection] Tab" under Route via HTTP(S) Assertion.
    • Select the [SSL/TLS Settings] tab of the Listen Port Properties.
    • Click [Cipher Suites] on the WebSocket Connection Properties dialog, in either the Inbound or Outbound tabs. For more information, see Manage WebSocket Connections.
    The Enabled Cipher Suites dialog is displayed, listing the suites recognized by the Layer7 API Gateway. Note that the cipher suites visible to you depend on the security configuration of your Gateway. See "Supported Cipher Suites" at the beginning of this topic for a complete list.
  2. Specify the order of the cipher suites to use:
    • Select one or more lines and use [Move Up] and [Move Down] to reorder the cipher suites.
    • Select [Uncheck All] to quickly remove all selections so that you can specify the suite(s) you want to use.
    • Select [Use Default List] to reset the list to the default set of cipher suites. The default suites are those that are least likely to cause compatibility issues with target servers.
  3. Click [OK] when done.
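When deciding what to check and how to order it in step 2, it helps to read the security properties off the suite names. The following is an added example, not part of the Layer7 documentation or product: it parses names in the format used in the supported list and proposes an order. The ranking (3DES last, forward secrecy before static key exchange, GCM before CBC) and the function names are assumptions of this example, not the Gateway's default list.

```python
import re

# JSSE-style name: <TLS|SSL>_<key exchange>_WITH_<cipher>_<hash>
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+)_WITH_(?P<enc>.+)_(?P<mac>SHA\d*)$")


def parse_suite(name):
    """Return the security-relevant properties of one suite name, or None."""
    name = name.lstrip("*").strip()  # drop the "*" marker used in the list
    m = SUITE_RE.match(name)
    if m is None:
        # TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value (RFC 5746),
        # not a cipher suite, so it has no properties to rank.
        return None
    return {
        "name": name,
        # Ephemeral (EC)DHE key exchange gives forward secrecy; static RSA
        # and static ECDH key exchange do not.
        "forward_secrecy": m["kx"].startswith(("ECDHE_", "DHE_")),
        "aead": m["enc"].endswith("_GCM"),           # GCM is AEAD, CBC is not
        "legacy_3des": m["enc"].startswith("3DES"),  # 64-bit block cipher
    }


def suggest_order(names):
    """Order suites for the dialog; the ranking is this example's assumption."""
    parsed = [p for p in map(parse_suite, names) if p is not None]
    # False sorts before True: non-3DES first, then forward secrecy, then AEAD.
    # The sort is stable, so ties keep their input order.
    parsed.sort(key=lambda p: (p["legacy_3des"],
                               not p["forward_secrecy"],
                               not p["aead"]))
    return [p["name"] for p in parsed]


# Constructed sample: a subset of the names from the supported list.
SAMPLE = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "*TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

if __name__ == "__main__":
    for position, suite in enumerate(suggest_order(SAMPLE), 1):
        print(position, suite)
```

Check the proposed order against what the target host actually accepts before applying it, since a suite the target does not support cannot be negotiated regardless of its position.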