Ciphers
The Ciphers page in GigaVUE-FM lets you configure the SSH and TLS ciphers used when GigaVUE-FM acts as a client or server. This aligns encryption settings with your organization’s security policies and supported certificates.
Note: Cipher configuration is optional. Deployments can operate with default ciphers. The feature is included with the base GigaVUE-FM license; no additional license is required.
Configure SSH Parameters
To configure SSH parameters in GigaVUE-FM:
- Go to > Settings > System > Cipher.
- On the SSH tab, locate the following sections:
  - SSH server (when GigaVUE-FM acts as an SSH server, for example from an administrator workstation to GigaVUE-FM).
  - SSH client (when GigaVUE-FM initiates SSH connections to other systems).
- For SSH server / SSH client, review each configuration group (key exchange algorithms, host key algorithms, ciphers, and MACs):
  - In each list, select only the ciphers approved by the organization’s SSH policy.
  - Ensure that at least one supported option remains selected in every list.
- Select Apply on the SSH tab.
- Confirm that SSH access to GigaVUE-FM remains available by opening a new SSH session.
Note: Ensure maximum cipher compatibility with all systems that interact with GigaVUE‑FM. Connections fail if cipher settings are not compliant across systems.
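The compatibility requirement above can be checked before selecting Apply. The following is an added example, not Gigamon code: it compares a planned SSH server selection against the algorithm lists of the peers that connect to it, using the first-match rule from RFC 4253. The function names, peer names and all algorithm lists are constructed for illustration.

```python
# Added example. Algorithm lists are constructed sample data, not GigaVUE-FM defaults.
CATEGORIES = ("kex", "host_key", "ciphers", "macs")

def negotiate(client, server):
    """Return {category: agreed algorithm, or None if the lists do not overlap}.

    RFC 4253 section 7.1: the first name on the client's list that the server
    also supports is chosen. This example applies that rule to every category.
    """
    agreed = {}
    for cat in CATEGORIES:
        offered = set(server.get(cat, ()))
        agreed[cat] = next((a for a in client.get(cat, ()) if a in offered), None)
    return agreed

def policy_gaps(policy, peers, fm_role="server"):
    """List (peer, category) pairs where the planned selection shares no algorithm."""
    gaps = []
    for name, peer in peers.items():
        client, server = (peer, policy) if fm_role == "server" else (policy, peer)
        agreed = negotiate(client, server)
        gaps += [(name, cat) for cat in CATEGORIES if agreed[cat] is None]
    return gaps

# Constructed: selection planned for the "SSH server" lists.
PLANNED_SERVER = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "host_key": ["ssh-ed25519", "rsa-sha2-512"],
    "ciphers": ["aes256-gcm@openssh.com", "aes256-ctr"],
    "macs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}
# Constructed: what two administrator workstations' SSH clients offer.
PEERS = {
    "admin-ws-modern": {
        "kex": ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256"],
        "host_key": ["ssh-ed25519", "rsa-sha2-512"],
        "ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
        "macs": ["hmac-sha2-256-etm@openssh.com"],
    },
    "admin-ws-legacy": {
        "kex": ["diffie-hellman-group14-sha1"],
        "host_key": ["ssh-rsa", "rsa-sha2-512"],
        "ciphers": ["aes128-cbc", "aes256-ctr"],
        "macs": ["hmac-sha1"],
    },
}

if __name__ == "__main__":
    for peer, cat in policy_gaps(PLANNED_SERVER, PEERS):
        print(f"{peer}: no shared algorithm in '{cat}'")
```

On an OpenSSH peer, the lists it supports can be collected with `ssh -Q kex`, `ssh -Q key`, `ssh -Q cipher` and `ssh -Q mac`.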
Configure TLS Parameters
To configure TLS parameters in GigaVUE-FM:
- On the Ciphers page, select the TLS tab.
- In the TLS 1.2 section, review the list of available TLS 1.2 cipher suites presented in the UI.
- In the Groups or Allowed Groups section:
  - Review the list of supported groups applicable to TLS 1.2 and TLS 1.3.
  - Select only the groups permitted by the organization’s security policy.
  - Ensure that at least one group remains selected for each enabled TLS version that uses groups.
- Select only the cipher suites that are both:
  - Approved by the organization’s TLS policy.
  - Compatible with the certificate type configured on GigaVUE-FM (for example, RSA-based or ECDSA-based certificates).
  Note: Ensure maximum cipher compatibility with all systems that interact with GigaVUE-FM. Connections fail if cipher settings are not compliant across systems.
- In the TLS 1.3 section:
  - Review the Ciphers list for TLS 1.3 and select the allowed cipher suites.
  - Ensure that at least one cipher suite (and group, where applicable) remains selected when TLS 1.3 is enabled.
- If options are available to synchronize server and client TLS settings (for example, “apply to both server and client”), use those options when identical policies are required on both sides.
- TLS 1.2 or TLS 1.3 can be disabled independently; for each enabled TLS version, at least one cipher must remain selected.
- Maintain maximum compatibility by selecting a broad, approved set of ciphers.
  Note: Selecting one or both of the following ciphers prevents FM from issuing certificates for cloud deployments. This will cause cloud deployments to fail.
  - TLS_ECDHE_ECDSA_WITH_AES_256_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_SHA256
- Select Apply on the TLS tab.
  Note: This operation logs out all active users. The UI will take at least 2 minutes to reload and become available again.
- Open a new browser session to the GigaVUE-FM UI and confirm that HTTPS access is successful using the updated cipher configuration.
- If GigaVUE-FM connects to external TLS endpoints (such as devices, LDAP, or third-party authentication services), validate those connections to ensure that negotiation succeeds with the selected ciphers.
Note:
- In an FMHA deployment, the cipher change operation cannot be performed if any GigaVUE-FM node in the group is unreachable.
- Before changing the cipher, either restore connectivity to all GigaVUE-FM nodes in the FMHA group or remove the unreachable node from the group.
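The selection rules in the TLS procedure above (at least one suite per enabled version, suites that match the certificate type, and the two suites that break cloud certificate issuance) can be checked against a planned selection before it is applied. This is an added example, not Gigamon code; the function name and the sample selection are constructed, and the certificate-type check relies on the standard TLS 1.2 suite naming convention.

```python
import re

# The two suites this page says stop FM issuing certificates for cloud deployments.
BLOCKS_CLOUD_CERTS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_SHA256",
}
# TLS 1.2 suite names carry the certificate (authentication) algorithm:
# TLS_[<key exchange>_]<auth>_WITH_<cipher>. TLS 1.3 names do not.
TLS12_AUTH = re.compile(r"^TLS_(?:(?:ECDHE|DHE)_)?(RSA|ECDSA)_WITH_")

def check_tls_selection(tls12, tls13, cert_type, tls12_on=True, tls13_on=True):
    """Return a list of problems with a planned selection; empty means none found."""
    problems = []
    if tls13_on and not tls13:
        problems.append("TLS 1.3 is enabled but no TLS 1.3 cipher suite is selected")
    if not tls12_on:
        return problems
    if not tls12:
        problems.append("TLS 1.2 is enabled but no TLS 1.2 cipher suite is selected")
        return problems
    matching = 0
    for suite in tls12:
        m = TLS12_AUTH.match(suite)
        if m is None:
            problems.append(f"{suite}: unrecognised TLS 1.2 suite name")
        elif m.group(1) == cert_type:
            matching += 1
        if suite in BLOCKS_CLOUD_CERTS:
            problems.append(f"{suite}: prevents certificate issuance for cloud deployments")
    if matching == 0:
        problems.append(f"no selected TLS 1.2 suite works with an {cert_type} certificate")
    return problems

# Constructed selection for an FM that presents an RSA certificate.
PLANNED_TLS12 = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_SHA256",
]
PLANNED_TLS13 = ["TLS_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    for p in check_tls_selection(PLANNED_TLS12, PLANNED_TLS13, "RSA"):
        print("PROBLEM:", p)
```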
Cipher Selection Behavior for Rsyslog
When you configure ciphers on the GigaVUE-FM Cipher page, Rsyslog may display or use additional ciphers beyond those you explicitly selected. This behavior is due to a limitation in Rsyslog, which applies cipher settings at the cipher group level rather than per individual cipher.
Behavior
- Rsyslog configures the entire cipher group when you enable a cipher.
- If an AES CBC cipher is enabled, it is enabled for both RSA and ECDSA key types, unless RSA is disabled.
- As a result, you might see AES CBC based ciphers active for both RSA and ECDSA, even if you intended to use them for only one key type.
Note: To prevent CBC ciphers from being applied where they are not required, clear either all RSA CBC ciphers or all CBC ciphers on the GigaVUE-FM Cipher page, depending on your security policy and deployment requirements.
Recover from incorrect cipher configuration
If access to the GigaVUE-FM UI or SSH becomes unavailable after changing cipher settings, cipher configuration can be reset to defaults by using the CLI.
- Access the GigaVUE-FM console or an available SSH session with administrative privileges.
- At the command prompt, run:
    reset cipher-settings
- Wait until the command completes and a message indicates that GigaVUE-FM Cipher settings have been reset to default mode. This operation can take several minutes.
  For more details on commands, refer to GigaVUE-FM CLI Commands.
- Reconnect to the GigaVUE-FM UI in a browser and verify that access is restored.
  Note: In an FMHA deployment, perform this procedure independently on each node in the FMHA group.
- Reconfigure SSH and TLS ciphers from the Ciphers page, ensuring alignment with the deployed certificates and organizational policies.
Once cipher settings are reset and validated, the cipher configuration is restored to a safe default state and is ready for controlled re-configuration.
Note:
- Only users with Super Admin access or an FM Security role can modify this configuration.
- If you restore an FM backup taken on a release earlier than 6.12.02, or a backup that does not include cipher configurations, the FM cipher settings will be reset to their default values.
- If you take a new backup on 6.12.02, the cipher configuration details are included in the backup and will be restored as-is when that backup is restored.



