Configuring cryptography settings

Cryptographic management is composed of communication modes and protocols that control the way that secure communications are handled between Lenovo XClarity Administrator and the managed systems.

About this task

The cryptographic mode determines how secure communications are handled between Lenovo XClarity Administrator and all managed systems. If secure communications are implemented, it sets the encryption-key lengths to be used.

Note: Regardless of the cryptography mode that you select, NIST-approved Digital Random Bit Generators are always used, and only 128-bit or longer keys are used for symmetric encryption.

When you change the cryptographic mode in the XClarity Administrator, the cryptographic mode for all CMMs and baseboard management controllers in the managed devices is changed to the same setting automatically. Consider the following implications of changing the cryptographic mode:
  • If you switch from compatibility mode to NIST SP 800-131A mode and the current certificate authority on the managed CMMs and baseboard management controllers uses RSA-2048/SHA-1 (the default), an RSA-2048/SHA-256 certificate is regenerated on each managed chassis and server. This causes a mismatch between the newly generated server certificates on the CMMs and baseboard management controllers and the server certificate that is stored in the XClarity Administrator trust store. To resolve this issue, go to the Chassis page and Servers page, and click All Actions > Resolve Untrusted Certificate for each device (see Resolving an untrusted server certificate).
  • Not all Flex switches support NIST SP 800-131A mode. If a Flex switch does support NIST SP 800-131A mode, you might need to change the configuration for the switches through the Flex switch interface. For information about support for NIST SP 800-131A and about switching Flex switches between compatibility mode and NIST SP 800-131A mode, see the product documentation that is available for the Flex switches. For more information, see CMM Reset in the Flex Systems online documentation.

Procedure

To change the cryptography settings, complete the following steps.

  1. From the Lenovo XClarity Administrator menu bar, click Administration > Security.
  2. Choose one of the following cryptographic modes to use for secure communications:
    • Compatibility. This mode is the default. It is compatible with older firmware versions, browsers, and other network clients that do not implement strict security standards that are required for compliance with NIST SP 800-131A.
    • NIST SP 800-131A. This mode is designed to comply with the NIST SP 800-131A standard. XClarity Administrator is designed to always use strong cryptography internally and, where available, to use strong cryptography for network connections. However, in this mode, network connections that use cryptography not approved by NIST SP 800-131A are not permitted; this includes rejecting Transport Layer Security (TLS) certificates that are signed with SHA-1 or a weaker hash.

      If you select this mode:
      • You must also select TLSv1.2 for the minimum TLS client and server versions.

      • Event notifications might not be successfully pushed to some mobile-device subscriptions (see Forwarding events to mobile devices). External services, such as Android and iOS, present certificates that are signed with SHA-1, which is an algorithm that does not conform to the stricter requirements of NIST SP 800-131A mode. As a result, any connections to these services might fail with a certificate exception or a handshake failure.

      For more information about NIST SP 800-131A compliance, see Implementing NIST SP 800-131A compliance.

  3. Choose the minimum TLS protocol version to use for client connections to other servers (such as the LDAP client). There are two options:
    • TLSv1. TLS v1.0 and later can be used.

    • TLSv1.2. TLS v1.2 and later can be used.

      This option enforces TLS v1.2 or later cryptography protocols on both XClarity Administrator and all managed endpoints. If you choose NIST SP 800-131A for the cryptographic mode, this option must be selected.

  4. Choose the minimum TLS protocol version to use for server connections (such as the web server). There are two options:
    • TLSv1. TLS v1.0 and later can be used.

    • TLSv1.2. TLS v1.2 and later can be used.

      This option enforces TLS 1.2 cryptography protocols on both XClarity Administrator and all managed endpoints. If you choose NIST SP 800-131A for the cryptographic mode, this option must be selected.

  5. Choose the minimum TLS protocol version to use for the Lenovo XClarity Administrator operating-system deployment and OS device-driver updates. There are two options:
    • TLSv1. TLS v1.0 and later can be used. You can deploy operating systems and update OS device drivers on servers through XClarity Administrator, even if the OS-image installer does not support the restricted settings that NIST SP 800-131A requires.

    • TLSv1.2. TLS v1.2 and later can be used.

      Only operating systems with an installation process that supports TLS 1.2 and strong cryptographic algorithms can be deployed and updated through XClarity Administrator.

  6. Choose the devices to which you want to apply changes.
    • Apply to management server only

    • Apply to managed devices only

    • Apply to management server and managed devices

    When you apply the cryptographic-settings changes to managed devices, Lenovo XClarity Administrator provisions the new settings to all managed devices and attempts to resolve any new certificates on those devices.

  7. Click Apply.
  8. If you applied the cryptographic-settings changes to the management server, restart Lenovo XClarity Administrator (see Restarting Lenovo XClarity Administrator).
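After the restart, it is worth confirming from outside the appliance that the new settings actually took effect. The following Python script is an added example, not Lenovo XClarity Administrator code or part of this procedure. It probes one HTTPS endpoint (the management server or a managed device's web interface; the host name is a placeholder) and checks the two behaviours the NIST SP 800-131A mode with a TLSv1.2 minimum is described as enforcing: TLS 1.0 and 1.1 handshakes are refused while TLS 1.2 is accepted, and the presented server certificate is not signed with SHA-1. The minimal DER walk and the sample certificate blobs are constructed for this example; the OID table and the `ssl` API calls are standard.

```python
"""Added verification script (not Lenovo XClarity Administrator code).

Checks, from a client's point of view, that an endpoint behaves as NIST SP 800-131A
mode with TLSv1.2 as the minimum protocol requires: legacy TLS versions are refused
and the server certificate is not SHA-1 signed. The host name is a placeholder.
"""
import socket
import ssl

LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
REQUIRED_VERSION = ssl.TLSVersion.TLSv1_2

# Signature-algorithm OIDs found in X.509 certificates and whether NIST SP 800-131A
# still permits them for certificate signatures (SHA-1 based ones are disallowed).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", True),
}

# Constructed minimal DER stand-ins used only to exercise the parser below:
# SEQUENCE { dummy tbsCertificate, AlgorithmIdentifier, BIT STRING }. Not real certificates.
SAMPLE_SHA256_CERT_DER = bytes.fromhex("3017" "30020500" "300d06092a864886f70d01010b0500" "030200ff")
SAMPLE_SHA1_CERT_DER = bytes.fromhex("3017" "30020500" "300d06092a864886f70d0101050500" "030200ff")


def _read_tlv(data, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER element at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted-decimal text."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm_oid(cert_der):
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    and return the OID inside the signatureAlgorithm AlgorithmIdentifier."""
    tag, start, _, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, _, pos = _read_tlv(cert_der, start)          # skip tbsCertificate
    tag, alg_start, _, _ = _read_tlv(cert_der, pos)     # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end, _ = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(cert_der[oid_start:oid_end])


def check_signature_algorithm(cert_der):
    """Return (algorithm name, compliant) for the certificate's signature algorithm."""
    oid = signature_algorithm_oid(cert_der)
    return SIGNATURE_OIDS.get(oid, (oid, False))  # unknown OID: report it, treat as non-compliant


def _probe_context():
    # Trust is deliberately not checked here: the probe is about protocol version and
    # signature algorithm, and a freshly regenerated certificate may not be trusted yet.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_tls_version(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly one TLS version; True if the server accepted it."""
    ctx = _probe_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < REQUIRED_VERSION:
        # OpenSSL 3 refuses TLS < 1.2 at its default security level; lower it for the probe only.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def fetch_server_certificate(host, port, timeout=5.0):
    """Return the DER-encoded leaf certificate the server presents."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with _probe_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def meets_policy(accepted, signature_compliant):
    """True when no legacy version was accepted, TLS 1.2 was, and the signature is compliant."""
    legacy_accepted = any(accepted.get(v, False) for v in LEGACY_VERSIONS)
    return (not legacy_accepted) and accepted.get(REQUIRED_VERSION, False) and signature_compliant


def audit_endpoint(host, port=443):
    """Probe one endpoint and report the per-version results, the signature algorithm and a verdict."""
    accepted = {v: probe_tls_version(host, port, v) for v in LEGACY_VERSIONS + (REQUIRED_VERSION,)}
    algorithm, compliant = check_signature_algorithm(fetch_server_certificate(host, port))
    return {"accepted": {v.name: ok for v, ok in accepted.items()},
            "signature_algorithm": algorithm,
            "meets_policy": meets_policy(accepted, compliant)}


if __name__ == "__main__":
    print(audit_endpoint("lxca.example.internal"))  # placeholder host name
```

Run it against the management server and against a sample of CMMs and baseboard management controllers after step 8: a device that still accepts TLS 1.0 or presents a SHA-1 signed certificate did not receive the provisioned settings and is a candidate for the Resolve Untrusted Certificate action or a firmware check. The DER walk reads only the outer structure and the signature algorithm identifier, which is all this check needs; a full parser or the `cryptography` package is the right tool if you also want to inspect key sizes.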

What to do next

If you receive an alert that the server certificate is not trusted for a managed device, see Resolving an untrusted server certificate.