Ciphers
The Ciphers page in GigaVUE-FM provides capability to configure Cipher, which allows configuration of the SSH and TLS ciphers used when GigaVUE-FM acts as a client or server. This aligns encryption settings with your organization’s security policies and supported certificates.
Note: Cipher configuration is optional. Deployments can operate with default ciphers. The feature is included with the base GigaVUE-FM license; no additional license is required.
Configure SSH Parameters
To configure SSH parameters in the GigaVUE-FM:
- Go to
> Settings > System > Cipher. -
On the SSH tab, locate the following sections:
-
SSH server (when GigaVUE-FM acts as an SSH server, for example from an administrator workstation to GigaVUE‑FM).
-
SSH client (when GigaVUE-FM initiates SSH connections to other systems).
-
-
For SSH server / SSH client, review each configuration group (key exchange algorithms, host key algorithms, ciphers, and MACs):
-
In each list, select only the ciphers approved by the organization’s SSH policy.
-
Ensure that at least one supported option remains selected in every list.
-
-
Select Apply on the SSH tab.
Confirm that SSH access to GigaVUE-FM remains available by opening a new SSH session.
Note: Ensure maximum cipher compatibility with all systems that interact with GigaVUE-FM. Connections fail if cipher settings are not compliant across systems.
Configure TLS Parameters
To configure TLS Parameters in the GigaVUE-FM:
-
On the Ciphers page, select the TLS tab.
-
In the TLS 1.2 section, review the list of available TLS 1.2 cipher suites presented in the UI.
-
In the Groups or Allowed Groups section:
-
Review the list of supported groups applicable to TLS 1.2 and TLS 1.3.
-
Select only the groups permitted by the organization’s security policy.
-
Ensure that at least one group remains selected for each enabled TLS version that uses groups.
-
-
Select only the cipher suites that are both:
-
Approved by the organization’s TLS policy.
-
Compatible with the certificate type configured on GigaVUE-FM (for example, RSA‑based or ECDSA‑based certificates).
Note: Ensure maximum cipher compatibility with all systems that interact with GigaVUE-FM. Connections fail if cipher settings are not compliant across systems.
-
-
In the TLS 1.3 section:
-
Review the Ciphers list for TLS 1.3 and select the allowed cipher suites.
-
Ensure that at least one cipher suite (and group, where applicable) remains selected when TLS 1.3 is enabled.
-
-
If options are available to synchronize server and client TLS settings (for example, “apply to both server and client”), use those options when identical policies are required on both sides.
-
TLS 1.2 or TLS 1.3 can be disabled independently; for each enabled TLS version, at least one cipher must remain selected.
-
Maintain maximum compatibility by selecting a broad, approved set of ciphers.
Note: Multiple TLS cipher suites can be selected. Selecting only one or both of the following ciphers prevents GigaVUE-FM from issuing certificates for cloud deployments, causing the deployment to fail:
- TLS_ECDHE_ECDSA_WITH_AES_256_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_SHA256
-
-
Select Apply on the TLS tab.
Note: This operation logs out all active users. The UI will take atleast 2 minutes to reload and become available again.
-
Open a new browser session to the GigaVUE-FM UI and confirm that HTTPS access is successful using the updated cipher configuration.
-
If GigaVUE-FM connects to external TLS endpoints (such as devices, LDAP, or third‑party authentication services), validate those connections to ensure that negotiation succeeds with the selected ciphers.
Note:
- In an FMHA deployment, the cipher change operation cannot be performed if any GigaVUE-FM node in the group is unreachable.
- Before changing the cipher, either restore connectivity to all GigaVUE-FM nodes in the FMHA group or remove the unreachable node from the group.
Cipher Selection Behavior for Rsyslog
When you configure ciphers on the GigaVUE-FM Cipher page, Rsyslog may display or use additional ciphers beyond those you explicitly selected. This behavior is due to a limitation in Rsyslog, which applies cipher settings at the cipher group level rather than per individual cipher.
Behavior
-
Rsyslog configures the entire cipher group when you enable a cipher.
-
If a CBC cipher is enabled, it is enabled for both RSA and ECDSA key types, unless RSA is disabled.
-
As a result, you might see CBC-based ciphers active for both RSA and ECDSA, even if you intended to use them for only one key type.
Note: To prevent CBC ciphers from being applied where they are not required, clear either all RSA CBC ciphers or all CBC ciphers on the GigaVUE-FMCipher page, depending on your security policy and deployment requirements.
Recover from incorrect cipher configuration
If access to the GigaVUE-FM UI or SSH becomes unavailable after changing cipher settings, cipher configuration can be reset to defaults by using the CLI.
-
Access the GigaVUE-FM console or an available SSH session with administrative privileges.
-
At the command prompt, run:
reset cipher-settings
-
Wait until the command completes and a message indicates that GigaVUE-FM Cipher settings have been reset to default mode. This operation can take several minutes.
For more details on commands refer to :GigaVUE-FM CLI Commands.
-
Reconnect to the GigaVUE-FM UI in a browser and verify that access is restored.
Note: In an FMHA deployment, perform this procedure independently on each node in the FMHA group.
-
Reconfigure SSH and TLS ciphers from the Ciphers page, ensuring alignment with the deployed certificates and organizational policies.
When cipher settings are reset and validated, the Cipher is restored to a safe default state and is ready for controlled re‑configuration.
Note:
- Only users with Super Admin access or an FM Security role can modify this configuration.
- If you restore an FM backup taken on a release earlier than 6.12.02, or a backup that does not include cipher configurations, the FM cipher settings will be reset to their default values.
- If you take a new backup on 6.12.02, the cipher configuration details are included in the backup and will be restored as-is when that backup is restored.
-
The fmctl reset cipher-settings command resets the GigaVUE‑FM cipher configuration and also resets all cipher configuration of the devices (version 6.14 and above) managed by GigaVUE‑FM.



