Cipher Suites

This section describes how to use cipher suites with a load balancer to determine the security, compatibility, and speed of HTTPS traffic.

Creating a Load Balancer SSL Cipher Suite

A load balancer (LB) uses a cipher suite to secure Transport Layer Security (TLS) or Secure Sockets Layer (SSL) network connections. The cipher suite defines the list of security algorithms that the load balancer offers when it negotiates a connection with peers exchanging information with it. The cipher suites you use affect the security level, performance, and compatibility of the data traffic.

Oracle has created a series of predefined cipher suites that you can use when you create an SSL configuration. If the predefined cipher suites don't meet requirements, you can create custom cipher suites.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Load Balancers.

  2. Click the name of the Load Balancer for which you want to create the load balancer SSL cipher suite.

  3. In the Load Balancer resource list, click Cipher Suites. The list of available cipher suites appears. If none are listed, you must create one.
  4. To create a load balancer cipher suite, click Create Cipher Suite.
  5. In the Load Balancer SSL Cipher Suite Form, give the LB SSL cipher suite a name. For example, my_ssl_cipher_suite.

    Note:

    The name of a user-defined cipher suite can't be the same as any of Oracle’s predefined or reserved SSL cipher suite names.
  6. Place a check mark next to each cipher suite component that you want to include in the SSL cipher suite. For example, AES256-SHA256.

  7. When you have selected all the components for the SSL cipher suite, click the Create Cipher Suite button in the dialog.

Using the OCI CLI

  1. Gather the information you need to run the command:

    • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

    • LB OCID (oci lb load-balancer list --compartment-id compartment_OCID)

  2. Run the SSL cipher suite create command.

    Use the LB OCID, cipher-suite name, and ciphers to create the cipher suite for the LB in the specified compartment.

    Note:

    For information about optional parameters, run the command with the --help option.

    Syntax (entered on a single line):

    oci lb ssl-cipher-suite create --ciphers ssl_ciphers_complex_type \
    --load-balancer-id load-balancer_OCID --name ssl_cipher_suite_name

    Where:

    ssl_ciphers_complex_type is a complex type listing all of the SSL ciphers the load balancer must use to enable HTTPS or SSL connections. The value of this complex type must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax. Example: ["ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES128-GCM-SHA256"].

    load-balancer_OCID is the OCID of the load balancer that the cipher suite is associated with.

    ssl_cipher_suite_name is the friendly name of the SSL cipher suite. Example: my_ssl_cipher_suite.

    Example:

    $ oci lb ssl-cipher-suite create \
      --ciphers '["ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES128-GCM-SHA256"]' \
      --load-balancer-id ocid1.loadbalancer....….….….uniqueID \
      --name my_ssl_cipher_suite
     
    {
      "opc-work-request-id": "ocid1.workrequest.oc1.pca...….….….uniqueID"
    }

    Note:

    To see the cipher suite results, list all the cipher suites associated with the specified LB and verify that the cipher suite created is listed. Use the oci lb ssl-cipher-suite list command to view the SSL cipher suites configured. Use the oci lb ssl-cipher-suite get command to view the SSL cipher suite details.
    $ oci lb ssl-cipher-suite list --load-balancer-id ocid1.loadbalancer....….….….uniqueID

    {
      "data": [
        {
          "ciphers": [
            "ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES128-GCM-SHA256"
          ],
          "name": "My_ssl_cipher_suite"
        }
      ]
    }
    $ oci lb ssl-cipher-suite get --load-balancer-id ocid1.loadbalancer....….….….uniqueID \
      --name "my_ssl_cipher_suite"

    {
      "data": {
        "ciphers": [
          "ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-ECDSA-AES256-GCM-SHA384",
          "ECDHE-RSA-AES128-GCM-SHA256"
        ],
        "name": "My_ssl_cipher_suite"
      }
    }
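The create procedure above (and the update procedure later on this page) both take the same --ciphers JSON. The following shell script is an added example, not part of the Oracle documentation: it checks a proposed cipher list against a forward-secrecy and AEAD policy (that policy is this example's own assumption, not an Oracle requirement), writes the list as JSON for the file:// syntax, and prints the create command; the OCID is a placeholder.

```shell
# Added example, not Oracle's code: prepare the --ciphers complex type for
# "oci lb ssl-cipher-suite create" (the same JSON is used by "update").
# The acceptance policy (forward secrecy plus AEAD) is this example's own.

# Accept only ECDHE key exchange (forward secrecy) with an AEAD bulk cipher.
cipher_ok() {
  case "$1" in
    ECDHE-*-GCM-*|ECDHE-*-CHACHA20-POLY1305) return 0 ;;
    *) return 1 ;;
  esac
}

# Check every cipher in the whitespace-separated list $1; report rejects on
# stderr and return 1 if any cipher fails the policy.
validate_ciphers() {
  bad=""
  for c in $1; do
    cipher_ok "$c" || bad="$bad $c"
  done
  [ -z "$bad" ] && return 0
  echo "rejected:$bad" >&2
  return 1
}

# Render list $1 as the JSON array the CLI expects, with straight ASCII
# quotes; curly quotes pasted from a document are not valid JSON.
ciphers_json() {
  out=""
  for c in $1; do
    out="$out${out:+,}\"$c\""
  done
  printf '[%s]' "$out"
}

# Print the create command, passing the JSON through a file (file:// syntax)
# so that brackets and quotes never reach the shell's word splitting.
create_cmd() {   # $1 = load balancer OCID, $2 = suite name, $3 = JSON path
  printf 'oci lb ssl-cipher-suite create --load-balancer-id %s --name %s --ciphers file://%s\n' \
    "$1" "$2" "$3"
}

# Constructed sample input; the OCID is a placeholder, not a real resource.
CIPHERS="ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256"
LB_OCID="ocid1.loadbalancer.PLACEHOLDER"
JSON_FILE="${TMPDIR:-/tmp}/ciphers.json"
if validate_ciphers "$CIPHERS"; then
  ciphers_json "$CIPHERS" > "$JSON_FILE"
  create_cmd "$LB_OCID" my_ssl_cipher_suite "$JSON_FILE"
fi
```

Pipe the printed command into sh (or copy it) only after reviewing it; the script itself never calls the oci CLI.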

Viewing Load Balancer Cipher Suite Details

You can view a list of the SSL cipher suites associated with an existing load balancer and view their details.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Load Balancers.

  2. Click the name of the Load Balancer for which you want to list existing load balancer cipher suites.

  3. Click Cipher Suites from the load balancer resource list. The list of cipher suites appears.
  4. If the load balancer cipher suite exists, you can view its details in one of two ways:

    1. Click the name of the cipher suite to display the details.
    2. Click View Details under the three-dot box of the Action Menu.

Using the OCI CLI

  1. Gather the information you need to run the command:

    • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

    • LB OCID (oci lb load-balancer list --compartment-id compartment_OCID)

  2. Run the get command to find the details of the cipher suite you are interested in.

    Use the LB OCID and name of the cipher suite to get the details of the cipher suite.

    Note:

    For information about optional parameters, run the command with the --help option.

    Syntax (entered on a single line):

    oci lb ssl-cipher-suite get --load-balancer-id load-balancer_OCID --name cipher-suite-name 

    Example:

    $ oci lb ssl-cipher-suite get --load-balancer-id ocid1.loadbalancer....….….….uniqueID \
      --name "my_ssl_cipher_suite"
     
    {
      "data": {
        "ciphers": [
          "ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-ECDSA-AES256-GCM-SHA384",
          "ECDHE-RSA-AES128-GCM-SHA256"
        ],
        "name": "My_ssl_cipher_suite"
      }
    }

Editing Load Balancer Cipher Suite Details

You can edit the SSL cipher suites associated with an existing load balancer by adding or removing ciphers from a suite.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Load Balancers.

  2. Click the name of the Load Balancer for which you want to edit existing load balancer cipher suites.

  3. Click Cipher Suites from the load balancer resource list. The list of cipher suites appears.
  4. If the load balancer cipher suite exists, you can edit its details in one of two ways:

    1. Click the name of the cipher suite to display the details, then click Edit.
    2. Click Edit under the three-dot box of the Action Menu.

Using the OCI CLI

  1. Gather the information you need to run the command:

    • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

    • LB OCID (oci lb load-balancer list --compartment-id compartment_OCID)

  2. Run the update command to edit the details of the cipher suite you are interested in.

    Use the LB OCID and name of the cipher suite to edit the details of the cipher suite.

    Note:

    For information about optional parameters, run the command with the --help option.

    Syntax (entered on a single line):

    oci lb ssl-cipher-suite update --ciphers ssl_ciphers_complex_type \
    --load-balancer-id load-balancer_OCID --name cipher-suite-name

    Example:

    $ oci lb ssl-cipher-suite update \
      --ciphers '["ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES256-GCM-SHA384"]' \
      --load-balancer-id ocid1.loadbalancer....….….….uniqueID \
      --name "my_ssl_cipher_suite"

    {
      "opc-work-request-id": "ocid1.workrequest.oc1.pca...….….….uniqueID"
    }

    Note:

    To see the cipher suite update results, use the oci lb ssl-cipher-suite get command to view the SSL cipher suite details.
    $ oci lb ssl-cipher-suite get --load-balancer-id ocid1.loadbalancer....….….….uniqueID \
      --name "my_ssl_cipher_suite"

    {
      "data": {
        "ciphers": [
          "ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-ECDSA-AES256-GCM-SHA384"
        ],
        "name": "My_ssl_cipher_suite"
      }
    }

Deleting a Load Balancer Cipher Suite

You can delete an SSL cipher suite associated with an existing load balancer.

Using the Compute Web UI

  1. Open the Navigation Menu. Under Networking, click Load Balancers.

  2. Click the name of the Load Balancer for which you want to delete existing load balancer cipher suites.

  3. Click Cipher Suites from the load balancer resource list. The list of cipher suites appears.
  4. If the load balancer cipher suite exists, you can delete it in one of two ways:

    1. Click the name of the cipher suite to display the details, then click Delete.
    2. Click Delete under the three-dot box of the Action Menu.

Using the OCI CLI

  1. Gather the information you need to run the command:

    • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

    • LB OCID (oci lb load-balancer list --compartment-id compartment_OCID)

  2. Run the delete command for the cipher suite you are removing.

    Use the LB OCID and name of the cipher suite to remove the cipher suite.

    Note:

    For information about optional parameters, run the command with the --help option.

    Syntax (entered on a single line):

    oci lb ssl-cipher-suite delete --load-balancer-id load-balancer_OCID \
    --name cipher-suite-name

    Example:

    $ oci lb ssl-cipher-suite delete --load-balancer-id ocid1.loadbalancer....….….….uniqueID \
      --name "my_ssl_cipher_suite"

    Are you sure you want to delete this resource? [y/N]: y

    {
      "opc-work-request-id": "ocid1.workrequest.oc1.pca.....….….….uniqueID"
    }

    Note:

    To see the cipher suite delete results, list all the cipher suites associated with the specified LB and verify that the cipher suite deleted is NOT listed.