Implementing NIST SP 800-131A compliance

If you must be compliant with NIST SP 800-131A, you can begin to work toward a fully compliant environment using Lenovo XClarity Administrator.

About this task

The National Institute of Standards and Technology Special Publication 800-131A (NIST SP 800-131A) specifies the way that secure communications should be handled. The standard strengthens algorithms and increases key lengths to improve security. The NIST SP 800-131A standard requires that users be configured for strict enforcement of the standard.

Note
The following Flex System components do not currently support NIST SP 800-131A. Communications between XClarity Administrator or the CMM and these components are not compliant:
  • Flex System EN4023 10 Gb Scalable Switch
  • Flex System EN6131 40 Gb Ethernet Switch
  • Flex System FC3171 8 Gb SAN Switch
  • Flex System FC5022 16 Gb SAN Scalable Switch
  • Flex System IB6131 Infiniband Switch
Note
When a SAML identity provider is used for authentication, XClarity Administrator uses SHA-1 for the signature in the metadata. Using the SHA-1 algorithm for digital signatures is not NIST SP 800-131A compliant.

Procedure

To implement NIST SP 800-131A compliance, complete the following steps.

  1. Ensure that your devices meet the following criteria:
    • Use the TLS v1.2 protocol for all SSL/TLS connections.
    • Use SHA-256 or stronger hashing functions for digital signatures and SHA-1 or stronger hashing functions for other applications.
    • Use RSA-2048 or stronger, or use NIST-approved Elliptic Curves that are 224 bits or stronger.
    • Use NIST-approved symmetric encryption with keys at least 128 bits in length.
    • Use NIST-approved random-number generators.
    • Where possible, support Diffie-Hellman or Elliptic Curve Diffie-Hellman key-exchange mechanisms.
  2. Configure the cryptographic settings on Lenovo XClarity Administrator. There are two settings that are related to NIST SP 800-131A compliance:
    • The SSL/TLS mode specifies the protocols that are to be used for secure communications. The XClarity Administrator supports a setting of TLS 1.2 Server and Client to restrict the cryptography protocol to TLS 1.2 on XClarity Administrator and all managed devices.
    • If secure communications are implemented, the cryptographic mode sets the encryption key lengths that are to be used.

      You can set the cryptographic mode as NIST SP 800-131A. However, you might not be able to deploy some operating systems through XClarity Administrator because some operating-system installers do not support the restricted settings. To support operating system deployment, you can choose to allow an exception for operating-system deployment.

    When you change any cryptographic settings, XClarity Administrator provisions the new settings to all managed devices and attempts to resolve any new certificates on those devices.

    Note
    You must manually restart XClarity Administrator after cryptographic settings are changed for the changes to take effect and to restore any lost services (see Restarting XClarity Administrator).

    For more information about these settings, see Configuring cryptography settings on the management server.

  3. Use a web browser that supports the TLS 1.2 protocol and SHA-256 hashing functions, and enable those settings in your web browser.
    Note
    If you use or plan to use custom or externally signed certificates, all certificates in the chain must be based on SHA-256 hashing functions.
  4. Use encrypted protocols for all communications. Do not enable unencrypted protocols, such as Telnet, FTP, and VNC, for remote communications with XClarity Administrator managed devices.
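The following added example (not part of Lenovo's documentation or XClarity Administrator itself) audits a per-device summary of observed TLS settings against the criteria in steps 1, 3 and 4 above. The DeviceCrypto record shape, the field names and the sample inventory are constructed for illustration; how you collect those values from your own devices is up to you.

```python
from dataclasses import dataclass, field

# Thresholds taken from step 1 and step 4 of the procedure above.
REQUIRED_TLS = "TLSv1.2"
MIN_SYMMETRIC_BITS = 128
MIN_ASYMMETRIC_BITS = {"RSA": 2048, "EC": 224}      # RSA modulus / NIST curve size
SIGNATURE_HASHES_OK = {"sha256", "sha384", "sha512"}
CLEARTEXT_SERVICES = {"telnet", "ftp", "vnc"}

@dataclass
class DeviceCrypto:  # constructed per-device summary; hypothetical shape, not an XClarity export
    name: str
    tls_version: str          # negotiated protocol, e.g. "TLSv1.2"
    cipher_bits: int          # symmetric key length of the negotiated cipher suite
    key_type: str             # "RSA" or "EC" for the leaf certificate's public key
    key_bits: int             # RSA modulus size or EC curve size
    chain_sig_hashes: list    # signature hash of each certificate in the chain, leaf first
    enabled_services: list = field(default_factory=list)

def audit_device(dev: DeviceCrypto) -> list:
    """Return findings for one device; an empty list means it meets the listed criteria."""
    findings = []
    if dev.tls_version != REQUIRED_TLS:
        findings.append(f"protocol {dev.tls_version} is not {REQUIRED_TLS}")
    if dev.cipher_bits < MIN_SYMMETRIC_BITS:
        findings.append(f"symmetric key {dev.cipher_bits} bits < {MIN_SYMMETRIC_BITS}")
    min_bits = MIN_ASYMMETRIC_BITS.get(dev.key_type)
    if min_bits is None:
        findings.append(f"unsupported key type {dev.key_type}")
    elif dev.key_bits < min_bits:
        findings.append(f"{dev.key_type} key {dev.key_bits} bits < {min_bits}")
    # Every certificate in the chain must use SHA-256 or stronger (note under step 3).
    for idx, h in enumerate(dev.chain_sig_hashes):
        if h.lower() not in SIGNATURE_HASHES_OK:
            findings.append(f"chain certificate {idx} is signed with {h}")
    for svc in dev.enabled_services:
        if svc.lower() in CLEARTEXT_SERVICES:
            findings.append(f"unencrypted service {svc} is enabled")
    return findings

def audit_inventory(devices) -> dict:
    """Map device name -> findings, listing only devices that are not compliant."""
    return {d.name: f for d in devices if (f := audit_device(d))}

# Constructed sample inventory: one compliant device and two with gaps.
SAMPLE_DEVICES = [
    DeviceCrypto("cmm-01", "TLSv1.2", 256, "RSA", 2048, ["sha256", "sha256"]),
    DeviceCrypto("switch-02", "TLSv1.1", 128, "RSA", 1024, ["sha1", "sha256"], ["telnet"]),
    DeviceCrypto("imm-03", "TLSv1.2", 128, "EC", 256, ["sha256", "sha1", "sha256"], ["ssh"]),
]
```

Run audit_inventory over your collected records before switching the cryptographic mode to NIST SP 800-131A, so that devices which will lose connectivity under the stricter settings are known in advance.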